News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Limited credentials

Started by Magnum, January 19, 2013, 11:04:49 AM

Previous topic - Next topic

Magnum

MSDN programmers can't understand what it is I am looking for.

I am trying to figure what psexec.exe is doing when it starts a program with restricted credentials from an Admin account.

I loaded psexec in Olly.

and Set New Arguments to -high -d -e -l  "C:\Program Files\Mozilla Firefox\firefox.exe

I drew a blank.

Did I make it clear so folks can understand ?

Andy

There is a program that can do it, so I think it's doable.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

qWord

MREAL macros - when you need floating point arithmetic while assembling!

sinsi

Tá fuinneoga a haon déag níos fearr :biggrin:

Magnum

qWord,

You are right, I think I will need at least these three.

IDA was a big help.

This project is gonna take a while.  :t

CreateProcessAsUser
ImpersonateLoggedOnUser function
LsaEnumerateAccountRights function
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Magnum

I think maybe I can use CreateRestrictedToken and make my own version of psexec to restrict the token when FF is started ??

I searched here and at the old forum and found no code that demonstrates it's use.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

japheth

Quote from: qWord on January 19, 2013, 12:04:11 PM
You may try your luck with  CreateProcessAsUser.

CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.

CreateProcessWithLogonW is a lot simpler:


    .386
    .model flat, stdcall
    option casemap:none

    .nolist
    .nocref
_WIN32_WINNT equ 501h
    include \wininc\include\windows.inc
    include \wininc\include\tchar.inc
    .list
    .cref

    includelib <kernel32.lib>
    includelib <advapi32.lib>
    includelib <user32.lib>
    includelib <shell32.lib>

CStr macro text:vararg
local xxx
    .const
xxx db text,0
    .code
    exitm <offset xxx>
endm

_T macro text:vararg
local xxx
    .const
xxx dw L(text),0
    .code
    exitm <offset xxx>
endm

    .code

StartInteractiveClientProcess PROC lpszUsername:LPWSTR, lpszDomain:LPWSTR, lpszPassword:LPWSTR, lpCommandLine:LPWSTR

    local bResult:BOOL
    local pi:PROCESS_INFORMATION
    local _si:STARTUPINFOW
    local buffer[512]:byte

    invoke RtlZeroMemory, addr _si, sizeof _si
    mov _si.cb, sizeof _si
    invoke CreateProcessWithLogonW, lpszUsername, lpszDomain, lpszPassword, LOGON_WITH_PROFILE,
                                                  NULL, lpCommandLine, NORMAL_PRIORITY_CLASS or CREATE_NEW_CONSOLE,
                                                  NULL, NULL, addr _si, addr pi
    mov bResult, eax
    .if eax
        invoke CloseHandle, pi.hProcess
        invoke CloseHandle, pi.hThread
    .else
        invoke GetLastError
        invoke wsprintf, addr buffer, CStr('CreateProcessWithLogonW("%S") failed [%u]'), lpCommandLine, eax
        invoke MessageBox, NULL, addr buffer, NULL, MB_OK
    .endif
    mov eax, bResult
    ret

StartInteractiveClientProcess ENDP

main PROC argc:dword, argv:ptr ptr byte

;--- get password for user "japheth"
mov ecx,argc
.if ( ecx < 2 )
mov eax, NULL
.else
mov eax,argv
mov eax,[eax+4]
.endif
    invoke StartInteractiveClientProcess, _T("japheth"), _T("."), eax, _T("d:\firefox\firefox.exe")
    ret
main ENDP

start proc

local argc:dword

invoke GetCommandLineW
mov ecx, eax
invoke CommandLineToArgvW, ecx, addr argc
invoke main, argc, eax
    invoke ExitProcess, eax
start endp

END start


This is a sample found somewhere at MS and translated to assembly from C.

It requires an interactive user account with restricted access rights ( "japheth" in the sample above ) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.




Magnum

Thanks, I will look it over.

I know I shouldn't but I often run as an admin.

Internet is done under restrictions such as using psexec.

I got tired to doing so many Runas commands.

Andy

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Tedd

Not an answer to your original question, but still relevant:

1. Open "Computer Management" (right-click on My Computer -> Manage);
2. Select: System Tools -> Local Users and Groups -> Groups;
3. Double-click on "Power Users";
4. Click the "Add" button;
5. Type your username, OK;
6. You can now do (almost) everything you want without running as administrator.
Potato2

Magnum

I am on the power user group but also on admin group.

Do I take myself off the admin list ?

Then only log off if I want to do an admin things ?

Andy

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

just be sure you know how to bring up an admin account if you have to change it back   :P

Magnum

Who do think created the admin acct.  :t
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Magnum

Quote from: japheth on January 22, 2013, 03:07:30 PM
Quote from: qWord on January 19, 2013, 12:04:11 PM
You may try your luck with  CreateProcessAsUser.

CreateProcessAsUser seems designed a bit complicated - there's an example somewhere at MS and it looks horrible.

CreateProcessWithLogonW is a lot simpler:

This is a sample found somewhere at MS and translated to assembly from C.

It requires an interactive user account with restricted access rights ( "japheth" in the sample above ) - this is not the same as - for example - the option "Run as Limited User" in Process Explorer. But it is simple and works.

C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto

I downloaded your includes and libraries.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

japheth

Quote from: Magnum on January 23, 2013, 02:25:19 PM
C:\masm32\SOURCE\string.inc(4) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(23) : error A2006: undefined symbol : defined
C:\masm32\SOURCE\string.inc(27) : error A2006: undefined symbol : _MSC_VER
C:\masm32\SOURCE\string.inc(78) : error A2008: syntax error : @DefProto

I downloaded your includes and libraries.

Cool! In case this is kind of a bug report: this forum not the right place for WinInc bug reports.

But, since I'm such a nice guy, I attached a Masm32 version

Magnum

Sorry, I thought I had done something wrong.

Thanks.
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org