Metasploit mailing list archives
Problem with getprivs/Railgun call from SYSTEM
From: faberk () comcast net
Date: Mon, 25 Apr 2011 17:51:30 +0000 (UTC)
I am working on a meterpreter script that takes a username, password, and command as input and runs in the context of that user (loading their profile). I'm using it to access and decrypt the browser for users that are not currently logged in; I'm sure someone would be curious as to why. Anyways, I use a railgun call to CreateProcessWithLogonW to generate the process... this works fine as a local admin, but not as SYSTEM. From Microsoft, here is why:

"You cannot call CreateProcessWithLogonW from a process that is running under the LocalSystem account, because the function uses the logon SID in the caller token, and the token for the LocalSystem account does not contain this SID. As an alternative, use the CreateProcessAsUser and LogonUser functions."

When I try to do a call to LogonUser and CreateProcessAsUser I get ERROR_PRIVILEGE_NOT_HELD (1314) from CPUA(). Researching it, I have found I need the SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME privs enabled. The system account has both of those assigned by default, but not enabled. I have used the getprivs command and it enables SE_INCREASE_QUOTA_NAME but not SE_ASSIGNPRIMARYTOKEN_NAME. I looked through the source and it does try to enable it; just not sure why it was never enabled.

The even weirder piece of this is that the CPUA() function is supposed to enable these temporarily when it runs if the privs are present. This makes me think that somehow the SYSTEM account in Vista does not have the priv assigned by default... Any ideas? This one has me stumped.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
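The question above comes down to whether a privilege is merely disabled in the token or absent from it altogether: AdjustTokenPrivileges (the call getprivs depends on) can only enable privileges the token already holds, and a privilege that is missing entirely requires a policy assignment plus a fresh logon. As an added diagnostic, not code from the post or from Metasploit, the PowerShell below reports that distinction for the two privileges CreateProcessAsUser needs and shows which SIDs the local policy grants them to; it assumes whoami.exe and secedit.exe are available and that it is run in the context being debugged.

```powershell
# Added diagnostic (not from the original post or Metasploit): classify the
# privileges CreateProcessAsUser needs as 'Not in token', 'Disabled' or 'Enabled'.
# Only 'Disabled' can be fixed by AdjustTokenPrivileges; 'Not in token' means the
# policy must grant it and a new token (new logon) must be obtained.
$required = @('SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege')

function Get-TokenPrivilegeState {
    param([string[]]$Names)
    # whoami /priv enumerates the current token's privileges with their state;
    # the CSV header columns are "Privilege Name", "Description", "State".
    $tokenPrivs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($name in $Names) {
        $entry = $tokenPrivs | Where-Object { $_.'Privilege Name' -eq $name }
        $state = if ($entry) { $entry.State } else { 'Not in token' }
        [pscustomobject]@{ Privilege = $name; State = $state }
    }
}

function Get-PolicyPrivilegeGrant {
    param([string[]]$Names)
    # secedit exports the effective local policy; the [Privilege Rights] section
    # maps each privilege to the SIDs it is assigned to. Assignments there only
    # affect tokens created after the change, not tokens that already exist.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    try {
        $pattern = '^(' + ($Names -join '|') + ')\s*='
        Get-Content $cfg | Where-Object { $_ -match $pattern }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

"Current token ($(whoami)):"
Get-TokenPrivilegeState -Names $required | Format-Table -AutoSize
"Local policy assignment (SIDs granted each privilege):"
Get-PolicyPrivilegeGrant -Names $required
```

If a privilege shows 'Disabled', the ERROR_PRIVILEGE_NOT_HELD failure is an enable problem in the calling code; if it shows 'Not in token', no amount of AdjustTokenPrivileges in that process will help and the policy output tells you whether the account is even granted it.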