Author Topic: Limited credentials  (Read 7621 times)

Magnum

  • Member
  • *****
  • Posts: 2367
Limited credentials
« on: January 19, 2013, 11:04:49 AM »
MSDN programmers can't understand what it is I am looking for.

I am trying to figure what psexec.exe is doing when it starts a program with restricted credentials from an Admin account.

I loaded psexec in Olly.

and Set New Arguments to -high -d -e -l  "C:\Program Files\Mozilla Firefox\firefox.exe

I drew a blank.

Did I make it clear so folks can understand?

Andy

There is a program that can do it, so I think it's doable.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

qWord

  • Member
  • *****
  • Posts: 1475
  • The base type of a type is the type itself
    • SmplMath macros
Re: Limited credentials
« Reply #1 on: January 19, 2013, 12:04:11 PM »
You may try your luck with  CreateProcessAsUser.
MREAL macros - when you need floating point arithmetic while assembling!

sinsi

  • Guest
Re: Limited credentials
« Reply #2 on: January 19, 2013, 12:45:35 PM »
There is Drop Your Rights (XP application only), maybe you can get some ideas from it.

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #3 on: January 19, 2013, 01:14:53 PM »
qWord,

You are right, I think I will need at least these three.

IDA was a big help.

This project is gonna take a while.  :t

CreateProcessAsUser function
ImpersonateLoggedOnUser function
LsaEnumerateAccountRights function

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #4 on: January 22, 2013, 12:05:54 PM »
I think maybe I can use CreateRestrictedToken and make my own version of psexec to restrict the token when FF is started?

I searched here and at the old forum and found no code that demonstrates its use.


japheth

  • Guest
Re: Limited credentials
« Reply #5 on: January 22, 2013, 03:07:30 PM »
You may try your luck with  CreateProcessAsUser.

CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.

CreateProcessWithLogonW is a lot simpler:

Code:
    .386
    .model flat, stdcall
    option casemap:none

    .nolist
    .nocref
_WIN32_WINNT equ 501h
    include \wininc\include\windows.inc
    include \wininc\include\tchar.inc
    .list
    .cref

    includelib <kernel32.lib>
    includelib <advapi32.lib>
    includelib <user32.lib>
    includelib <shell32.lib>

CStr macro text:vararg
local xxx
    .const
xxx db text,0
    .code
    exitm <offset xxx>
endm

_T macro text:vararg
local xxx
    .const
xxx dw L(text),0
    .code
    exitm <offset xxx>
endm

    .code

StartInteractiveClientProcess PROC lpszUsername:LPWSTR, lpszDomain:LPWSTR, lpszPassword:LPWSTR, lpCommandLine:LPWSTR

    local bResult:BOOL
    local pi:PROCESS_INFORMATION
    local _si:STARTUPINFOW
    local buffer[512]:byte

    invoke RtlZeroMemory, addr _si, sizeof _si
    mov _si.cb, sizeof _si
    invoke CreateProcessWithLogonW, lpszUsername, lpszDomain, lpszPassword, LOGON_WITH_PROFILE,
                                                  NULL, lpCommandLine, NORMAL_PRIORITY_CLASS or CREATE_NEW_CONSOLE,
                                                  NULL, NULL, addr _si, addr pi
    mov bResult, eax
    .if eax
        invoke CloseHandle, pi.hProcess
        invoke CloseHandle, pi.hThread
    .else
        invoke GetLastError
        invoke wsprintf, addr buffer, CStr('CreateProcessWithLogonW("%S") failed [%u]'), lpCommandLine, eax
        invoke MessageBox, NULL, addr buffer, NULL, MB_OK
    .endif
    mov eax, bResult
    ret

StartInteractiveClientProcess ENDP

main PROC argc:dword, argv:ptr ptr byte

;--- get password for user "japheth"
mov ecx,argc
.if ( ecx < 2 )
mov eax, NULL
.else
mov eax,argv
mov eax,[eax+4]
.endif
    invoke StartInteractiveClientProcess, _T("japheth"), _T("."), eax, _T("d:\firefox\firefox.exe")
    ret
main ENDP

start proc

local argc:dword

invoke GetCommandLineW
mov ecx, eax
invoke CommandLineToArgvW, ecx, addr argc
invoke main, argc, eax
    invoke ExitProcess, eax
start endp

END start

This is a sample found somewhere at MS and translated to assembly from C.

It requires an interactive user account with restricted access rights ("japheth" in the sample above) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #6 on: January 22, 2013, 03:35:49 PM »
Thanks, I will look it over.
 
I know I shouldn't, but I often run as an admin.

Internet is done under restrictions such as using psexec.

I got tired of doing so many Runas commands.

Andy


Tedd

  • Member
  • ***
  • Posts: 377
  • Procrastinor Extraordinaire
Re: Limited credentials
« Reply #7 on: January 23, 2013, 06:26:43 AM »
Not an answer to your original question, but still relevant:

1. Open "Computer Management" (right-click on My Computer -> Manage);
2. Select: System Tools -> Local Users and Groups -> Groups;
3. Double-click on "Power Users";
4. Click the "Add" button;
5. Type your username, OK;
6. You can now do (almost) everything you want without running as administrator.
Potato2

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #8 on: January 23, 2013, 07:10:05 AM »
I am on the power user group but also on admin group.

Do I take myself off the admin list?

Then only log off if I want to do admin things?

Andy


dedndave

  • Member
  • *****
  • Posts: 8828
  • Still using Abacus 2.0
    • DednDave
Re: Limited credentials
« Reply #9 on: January 23, 2013, 10:06:02 AM »
just be sure you know how to bring up an admin account if you have to change it back   :P

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #10 on: January 23, 2013, 11:03:44 AM »
Who do you think created the admin acct? :t

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #11 on: January 23, 2013, 02:25:19 PM »
You may try your luck with  CreateProcessAsUser.

CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.

CreateProcessWithLogonW is a lot simpler:

This is a sample found somewhere at MS and translated to assembly from C.

It requires an interactive user account with restricted access rights ("japheth" in the sample above) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.

C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto

I downloaded your includes and libraries.


japheth

  • Guest
Re: Limited credentials
« Reply #12 on: January 23, 2013, 07:41:19 PM »
C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto

I downloaded your includes and libraries.

Cool! In case this is kind of a bug report: this forum is not the right place for WinInc bug reports.

But, since I'm such a nice guy, I attached a Masm32 version

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Limited credentials
« Reply #13 on: January 24, 2013, 01:09:18 AM »
Sorry, I thought I had done something wrong.

Thanks.