What is RunAsUser?
----------------------------------------------------------
RunAsUser runs a command as another user. You need local administrator privileges, and the target user must have a running process on the system.

How does it work?
----------------------------------------------------------
RunAsUser uses DLL injection techniques to gain SYSTEM privileges. With SYSTEM privileges the DLL can open the target process, duplicate its access token and run a program with that user's privileges.

What can I do with RunAsUser?
----------------------------------------------------------
RunAsUser can be used in many situations; the most interesting one is privilege escalation on a Microsoft domain. If you have local administrator rights and a domain admin is logged on to the system, you can obtain domain administrator privileges.

Command line arguments
----------------------------------------------------------
-p <pid>          PID of the target process
-c <command>      Command to be executed with the user's privileges
-s <session ID>   Target session ID: the session where the new process is spawned. To find your current session ID, run taskmgr.exe, go to "View" -> "Select columns", enable "Session ID" and look up one of your current processes.
-l <lsass pid>    (optional) RunAsUser looks for the lsass.exe process. If this lookup fails, try this option and specify the lsass PID.

You can download source and binary at:
http://lab.mediaservice.net/code.php#runasuser

inode
--
Agazzini Maurizio @ Mediaservice.net S.R.L.
0xF574450C - 09C5 E9A5 E481 D70A 708E DC3B 690D 1A36 F574 450C
"C programmers never die. They are just cast into void."
http://mediaservice.net/disclaimer

_______________________________________________
darklab mailing list
[email protected]
http://lists.darklab.org/cgi-bin/mailman/listinfo/darklab
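The "How does it work?" section describes two observable stages on the host: code is injected into lsass.exe to run as SYSTEM, and the injected code then opens another user's process to duplicate its token and spawn a program. The following detection sketch is an added example written for this page, not code from RunAsUser or its author. It scans Sysmon-style events for those stages. The event IDs are the real Sysmon ones (1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess) and the field names follow Sysmon's schema, but the sample events and their simplified one-line key=value form are constructed here for the example; real Sysmon output is XML or EVTX and would need a different parser.

```python
"""Flag Sysmon-style events consistent with the lsass-injection and
token-duplication stages described in the RunAsUser announcement.

Constructed sample data and simplified key=value line format; not real
telemetry and not the tool's own code."""

# Win32 process access rights (documented constants). Any of these bits
# in a ProcessAccess GrantedAccess mask means the caller could write to
# or start threads in the target, i.e. inject code.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (one per line). Paths are chosen without
# spaces so that a whitespace split is enough for this illustration.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Users\bob\runasuser.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=8 SourceImage=C:\Users\bob\runasuser.exe TargetImage=C:\Windows\System32\lsass.exe StartModule=C:\Users\bob\inject.dll
EventID=10 SourceImage=C:\Windows\System32\lsass.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1400
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\lsass.exe User=CORP\domadmin
"""


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_lsass(path):
    return path.lower().endswith("\\lsass.exe")


def flag_event(ev):
    """Return a reason string if the event matches one of the stages, else None."""
    eid = ev.get("EventID")
    src = ev.get("SourceImage", "")
    tgt = ev.get("TargetImage", "")

    # Stage 1: a foreign thread started inside lsass.exe (DLL injection).
    if eid == "8" and is_lsass(tgt):
        return "remote thread created in lsass.exe (injection stage)"

    # Stage 1 precursor: lsass.exe opened with write/thread rights.
    if eid == "10" and is_lsass(tgt):
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if granted & INJECT_MASK:
            return "lsass.exe opened with injection-capable access"

    # Stage 2: code running inside lsass.exe opens another user's process,
    # which is what token duplication requires.
    if eid == "10" and is_lsass(src) and not is_lsass(tgt):
        return "lsass.exe opened another process (possible token duplication)"

    # Stage 2 result: the injected code spawns the requested command, so the
    # new process has lsass.exe as its parent, which is not normal behaviour.
    if eid == "1" and is_lsass(ev.get("ParentImage", "")):
        return "process spawned by lsass.exe (possible CreateProcessAsUser from injected code)"

    return None


def scan(text):
    """Return (line number, EventID, reason) for every flagged event."""
    alerts = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = flag_event(ev)
        if reason:
            alerts.append((lineno, ev.get("EventID"), reason))
    return alerts


if __name__ == "__main__":
    for lineno, eid, reason in scan(SAMPLE_EVENTS):
        print(f"line {lineno} (EventID {eid}): {reason}")
```

The first sample (csrss.exe opening lsass.exe with 0x1400, a query-only mask) is deliberately not flagged, since legitimate system processes touch lsass.exe all the time and only write or thread-creation rights matter for injection. The precondition the post states, local administrator plus an interactive domain-admin logon on the same machine, is also the structural mitigation: keeping domain-admin accounts off workstations and member servers (tiered administration) removes the token that would be duplicated, and running LSASS as a protected process (RunAsPPL) blocks ordinary administrator code from opening it with the rights the injection stage needs.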
