Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Tool - RunAsUser v0.5 released

From: inode <inode () mediaservice net>
Date: Thu, 14 Feb 2008 21:42:10 +0100
What is RunAsUser?
----------------------------------------------------------
RunAsUser is able to run a command as another user. You need the local administrator privileges and the user must have a running process on the system. 

How does it work?
----------------------------------------------------------
RunAsUser uses dll injection techniques to gain SYSTEM privileges. With SYSTEM privileges the dll is able to open the target process, duplicate the access token and run a program with the user privileges. 

What I can do with RunAsUser?
----------------------------------------------------------
RunAsUser can be used in a lot of situations, the most interesting usage is the privilege escalation that can be done on a Microsoft domain. If the user has local administrator rights and a domain admin is logged on the system you can get domain administrator privileges. 

Command line arguments
----------------------------------------------------------
-p <pid>
Pid of the target process
-c <command>
Command to be executed with user privileges
-s <session ID> Target session ID
Session where the new process is spawned. To get your current session id run taskmgr.exe, go to "View" -> "Select columns" and select "Session ID" and search one of your current processes. 
-l <lsass pid> (optional)
RunAsUser looks for the lsass.exe process. If this process fails, try using this option specifying the lsass pid. 


You can download source and binary at:
http://lab.mediaservice.net/code.php#runasuser

inode

--
Agazzini Maurizio                    @ Mediaservice.net S.R.L.
0xF574450C - 09C5 E9A5 E481 D70A 708E DC3B 690D 1A36 F574 450C

"C programmers never die. They are just cast into void."

http://mediaservice.net/disclaimer

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: