For a particular project we need to install a service from non-admin mode. For the sake of this we are using various techniques to elevate privilege level. But on the newest SPs these don't work. Finally we have decided to use a WM_TIMER based shatter attack.

Basically this is all we need:

.386                                    ; 32-bit code
.model flat, stdcall                    ; flat memory model, Win32 calling convention
option casemap:none                     ; identifiers are case-sensitive

include \masm32\include\windows.inc     ; Win32 constants such as SW_SHOW
include \masm32\include\kernel32.inc    ; prototypes for WinExec / ExitProcess
includelib \masm32\lib\kernel32.lib     ; import library for kernel32.dll

.data
ProgPath db "notepad.exe",0             ; NUL-terminated command line to run

.code
start:
invoke WinExec, addr ProgPath, SW_SHOW  ; launch the program in a visible window
invoke ExitProcess,0                    ; terminate this process with exit code 0
end start

Actually we won't need the call to ExitProcess. All we need to do is to call the ServiceInstaller (instead of notepad.exe).

Obviously simply disassembling it and copy/pasting the machine code won't help, I guess. Can anyone tell me how to get the required binary instructions to do a WinExec and pass a path to the program to run?

I know, I know there are raised eyebrows because this is essentially a buffer overflow. But installation of the service is vital to our program and it'd be fatal if non-admin users are not able to use our program.

Any help is appreciated.
Nish
Posted on 2003-01-14 13:14:57 by Nish
For a particular project we need to install a service from non-admin mode. For the sake of this we are using various techniques to elevate privilege level. But on the newest SPs these don't work.

And it shouldn't :). If the security policy says the user can't install a service, it shouldn't allow this and you shouldn't try it. Every method that allows it to install it is a bug and will likely be fixed in the next release. If it's for a private project this might not be a problem and you get what you want, but for a commercial application (which you seem to be working on, but correct me if I'm wrong) these kinds of hacks are just not done.

Finally we have decided to use a WM_TIMER based shatter attack.

You mean the WM_TIMER vulnerability in winNT/2k/XP? There's a patch for that too so still some users will not be able to install it.

I know, I know there are raised eyebrows because this is essentially a buffer overflow. But installation of the service is vital to our program and it'd be fatal if non-admin users are not able to use our program.


Is there really no other way? Can't the admins just install the software and let the non-admins use it? You can run a program as a different user so you will have admin rights, but you'll need the admin password then, of course.

If you have good reasons for doing this, it's fine, but I strongly discourage it.

Thomas
Posted on 2003-01-14 13:34:18 by Thomas
smells like bad software design, or an app trying to do things it shouldn't.
Don't exploit system vulnerabilities, as they are temporary.

Including a binary in your executable is easy though, use my bin2o or
one of the various bin2inc programs available.
Posted on 2003-01-14 15:38:21 by f0dder

smells like bad software design, or an app trying to do things it shouldn't.
Don't exploit system vulnerabilities, as they are temporary.

Including a binary in your executable is easy though, use my bin2o or
one of the various bin2inc programs available.


The shatter attack is not so easily fixable. I'd recommend looking it up in a search engine; fixing it would require a lot of change to the Windows API, and Microsoft does not even consider this an "exploit" because it breaks the 10 Immutable Laws of *****.
Posted on 2003-01-14 16:57:38 by kairon
Heh. Not easily fixable? http://f0dder.has.it . Perhaps I should hack up the
system DLLs to provide the ~100% solution against WM_TIMER after all.

Oh, besides, Microsoft are working on reducing privilege levels of services with
desktop windows. Prolly even separating UI and privileged-code parts.
Posted on 2003-01-14 17:00:43 by f0dder
This post smells illegal. Where is bazik?
Posted on 2003-01-14 17:05:11 by comrade
out fond^H^H^Heeding the penguins? :)
Posted on 2003-01-14 17:06:16 by f0dder