From: inode (inode mediaservice.net)
Date: Thu Feb 14 2008 - 14:42:10 CST
What is RunAsUser?
----------------------------------------------------------
RunAsUser is able to run a command as another user. You need the local
administrator privileges and the user must have a running process on the
system.
How does it work?
----------------------------------------------------------
RunAsUser uses dll injection techniques to gain SYSTEM privileges. With
SYSTEM privileges the dll is able to open the target process, duplicate
the access token and run a program with the user privileges.
What can I do with RunAsUser?
----------------------------------------------------------
RunAsUser can be used in a lot of situations; the most interesting usage
is the privilege escalation that can be done on a Microsoft domain. If
the user has local administrator rights and a domain admin is logged on
to the system, you can get domain administrator privileges.
Command line arguments
----------------------------------------------------------
-p <pid>
    Pid of the target process
-c <command>
    Command to be executed with user privileges
-s <session ID>
    Target session ID. Session where the new process is spawned. To get
    your current session id run taskmgr.exe, go to "View" -> "Select
    columns" and select "Session ID" and search for one of your current
    processes.
-l <lsass pid> (optional)
    RunAsUser looks for the lsass.exe process. If this process fails, try
    using this option specifying the lsass pid.
You can download source and binary at:
http://lab.mediaservice.net/code.php#runasuser
inode
--
Agazzini Maurizio
Mediaservice.net S.R.L.
0xF574450C - 09C5 E9A5 E481 D70A 708E DC3B 690D 1A36 F574 450C
"C programmers never die. They are just cast into void."
http://mediaservice.net/disclaimer
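
Added example, not part of the original post or of the RunAsUser source: a detection sketch for the behaviour described under "How does it work?", run over process-creation records. It assumes the SYSTEM process hosting the injected DLL is lsass.exe (suggested by the -l option, not stated in the post); the record field names and sample events are constructed for illustration.

```python
import ntpath

# Assumption: the SYSTEM process hosting the injected DLL is lsass.exe
# (suggested by the post's -l option, not stated outright).
WATCHED_PARENTS = {"lsass.exe"}

# Constructed sample records; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\notepad.exe", "user": r"CORP\alice", "session": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_user": r"CORP\alice", "parent_session": 1},
    {"image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\NETWORK SERVICE", "session": 0,
     "parent_image": r"C:\Windows\System32\services.exe",
     "parent_user": r"NT AUTHORITY\SYSTEM", "parent_session": 0},
    {"image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\domadmin", "session": 2,
     "parent_image": r"C:\Windows\System32\lsass.exe",
     "parent_user": r"NT AUTHORITY\SYSTEM", "parent_session": 0},
]


def review(event):
    """Return the reasons an event matches the pattern; empty list if none."""
    if ntpath.basename(event["parent_image"]).lower() not in WATCHED_PARENTS:
        return []
    reasons = []
    # A duplicated token makes the child run as someone other than its parent.
    if event["user"].lower() != event["parent_user"].lower():
        reasons.append("user differs from parent")
    # The -s option places the child in a chosen session.
    if event["session"] != event["parent_session"]:
        reasons.append("session differs from parent")
    return reasons


def find_token_reuse(events):
    """Pair each matching event with the reasons it was flagged."""
    return [(e, r) for e in events if (r := review(e))]


if __name__ == "__main__":
    for event, reasons in find_token_reuse(SAMPLE_EVENTS):
        print(event["image"], "as", event["user"], "->", "; ".join(reasons))
```
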