Requesting Privilege Token SE_PRIVILEGE_ENABLED

Hi Friend,

I would like to give a simple tutorial on Windows programming that shows how to escalate your privilege token programmatically.

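The aim of this tutorial is to enable SeDebugPrivilege in your application's token (by setting the SE_PRIVILEGE_ENABLED attribute) so that it can perform a lot more actions, such as DLL injection. Note that the code below can only enable a privilege that is already present in the token; if it is missing, the program relaunches itself with a request for elevation.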

#include<Windows.h>
#include <iostream>
using namespace std;

// Capacity, in characters, of the buffer that receives this executable's path
// (used as the WCHAR array size and as the length passed to GetModuleFileName).
#define	MAXFILEPATHLEN	5000

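/// Enables SeDebugPrivilege in the current process token.
///
/// The function can only switch on a privilege the token already holds (the
/// token's privilege list is searched first); it cannot grant a privilege the
/// account was never assigned.
///
/// SeDebugPrivilege allows a process to open most other processes regardless
/// of their DACL, so callers should hold it only for as long as it is needed.
///
/// @return true only when SeDebugPrivilege is present in the token and
///         AdjustTokenPrivileges reports that it was actually enabled;
///         false on any failure.
bool injectSetDebugPriv() {

	bool bRet = false;
	bool seDebugAvailable = false;
	HANDLE hToken = NULL;
	LUID luid = { 0 };

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		// Capture the error before any stream I/O can overwrite it.
		const DWORD err = GetLastError();
		hToken = NULL;
		std::cout << "OpenProcessToken() failed, error " << err << std::endl;
	}
	else if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
		const DWORD err = GetLastError();
		std::cout << "LookupPrivilegeValue() failed, error " << err << std::endl;
	}
	else {
		// First call only asks for the required buffer size; it is expected to fail.
		DWORD structSize = 0;
		GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &structSize);

		PTOKEN_PRIVILEGES processTokenPrivs = NULL;
		if (structSize != 0) {
			processTokenPrivs = static_cast<PTOKEN_PRIVILEGES>(malloc(structSize));
		}

		DWORD structSize2 = 0;   // should come out of the API with the same value as structSize
		if (processTokenPrivs == NULL ||
			!GetTokenInformation(hToken, TokenPrivileges, processTokenPrivs, structSize, &structSize2)) {
			// Do not walk the buffer: it is missing or was never filled in.
			std::cout << "GetTokenInformation()" << std::endl;
		}
		else {
			// Look for SeDebugPrivilege among the privileges the token holds.
			for (DWORD x = 0; x < processTokenPrivs->PrivilegeCount; x++) {
				const LUID_AND_ATTRIBUTES& entry = processTokenPrivs->Privileges[x];
				if ((entry.Luid.LowPart == luid.LowPart) && (entry.Luid.HighPart == luid.HighPart)) {
					std::cout << "[+] SeDebugPrivilege available for enabling!" << std::endl;
					seDebugAvailable = true;
					break;
				}
			}
		}

		free(processTokenPrivs);   // free(NULL) is a no-op
	}

	if (!seDebugAvailable) {
		// if we reached here we could not find the Privilege in the token
		std::cout << "[-] SeDebugPrivilege unavailable\nPlease run with Privileges!" << std::endl;
	}
	else {
		TOKEN_PRIVILEGES tokenPriv = { 0 };
		tokenPriv.PrivilegeCount = 1;
		tokenPriv.Privileges[0].Luid = luid;
		tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

		// AdjustTokenPrivileges can return nonzero without changing anything;
		// GetLastError() then reports ERROR_NOT_ALL_ASSIGNED, so check both.
		const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
		const DWORD err = GetLastError();
		if (adjusted && err == ERROR_SUCCESS) {
			bRet = true;
		}
		else {
			std::cout << "[-] AdjustTokenPrivileges() did not enable SeDebugPrivilege, error " << err << std::endl;
		}
	}

	// Single exit point so the token handle is released on every path.
	if (hToken != NULL) {
		CloseHandle(hToken);
	}
	return bRet;

}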

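/// Relaunches this executable through the shell's "runas" verb, which asks
/// Windows to start it elevated. The user may be shown a consent prompt and
/// may decline it, in which case ShellExecuteExW fails and nothing is started.
///
/// The elevated instance is whatever file sits at this executable's path at
/// launch time, so the binary should live in a directory that unprivileged
/// users cannot write to.
void RelaunchSelf(void) {

	WCHAR fileName[MAXFILEPATHLEN];
	const DWORD pathLen = MAXFILEPATHLEN;

	// The buffer is WCHAR, so call the wide-character APIs explicitly instead
	// of the TCHAR macros (which would not match in a non-UNICODE build).
	// A return of 0 means failure; a return equal to the buffer size means
	// the path was truncated and must not be executed.
	const DWORD copied = GetModuleFileNameW(NULL, fileName, pathLen);
	if (copied == 0 || copied >= pathLen) {
		const DWORD err = GetLastError();
		std::cout << "GetModuleFileName() failed, error " << err << std::endl;
		return;
	}

	// Zero-initialise so that the members not set below are not stack garbage.
	SHELLEXECUTEINFOW info = { 0 };
	info.cbSize = sizeof(info);
	info.fMask = SEE_MASK_DEFAULT;
	info.hwnd = NULL;
	info.lpVerb = L"runas";
	info.lpFile = fileName;
	info.lpParameters = NULL;
	info.lpDirectory = NULL;
	info.nShow = SW_SHOWNORMAL;

	if (!ShellExecuteExW(&info)) {  // Also try the simpler ShellExecute
		const DWORD err = GetLastError();
		std::cout << "ShellExecuteEx() failed, error " << err << std::endl;
	}

}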

/// Entry point: tries to enable SeDebugPrivilege; when that fails, asks for an
/// elevated relaunch and terminates this instance. On success it prints a
/// confirmation and waits for an integer on stdin so the console stays open.
int main()
{

	const bool privilegeEnabled = injectSetDebugPriv();

	if (privilegeEnabled == false) {
		// Hand over to an elevated copy and end this process.
		RelaunchSelf();
		ExitProcess(-1);
	}

	std::cout << "Escalation with debug enabled successfully" << std::endl;

	// Block on input so the result can be read before the window closes.
	int keepOpen;
	std::cin >> keepOpen;

}

