How to go beyond the administrator privileges granted by Windows 2000: Administrator rights are broad, but they are not the broadest

Source: Internet
Author: User
How to go beyond the administrator privileges granted by Windows 2000: Administrator rights are broad, but they are not the broadest

The security subsystem of NT includes the Local Security Authority (LSA), a protected subsystem. When we log on as Administrator, the system grants the Administrator account 16 privileges according to the default policy. The full list follows.
Sechangenotifyprivilege
Sesecurityprivilege
SeBackupPrivilege
Serestoreprivilege
Sesystemtimeprivilege
Seshutdownprivilege
SeRemoteShutdownPrivilege
Setakeownershipprivilege
Sedebugprivilege
Sesystemenvironmentprivilege
Sesystemprofileprivilege
SeProfileSingleProcessPrivilege
Seincreasebasepriorityprivilege
Seloaddriverprivilege
Secreatepagefileprivilege
SeIncreaseQuotaPrivilege
Of these, only SeChangeNotifyPrivilege is enabled by default; the others are present in the token but disabled, and a program has to enable them (AdjustTokenPrivileges) before it can use them. With so many privileges Administrator is clearly powerful, and no other ordinary user holds as many. Yet there are privileges that are even more powerful and are not granted to Administrator at all: SeTcbPrivilege ("Act as part of the operating system") and SeCreateTokenPrivilege ("Create a token object"). SeTcbPrivilege lets the caller act as the operating system itself, and SeCreateTokenPrivilege lets it build an access token with whatever identity and privileges it likes -- effectively the highest authority on the machine. Holding either one is equivalent to being the system, which is why NT's default policy assigns them to no user account; they are held only by the LocalSystem account under which the operating system's own services run.
Hackers usually want the highest possible privileges. Because of NT's protection these two privileges cannot be obtained directly, so a detour is needed; let us take a look.
There is no API that adds a privilege to an existing token -- AdjustTokenPrivileges can only enable or disable privileges the token already contains -- so the account's rights have to be changed in the LSA policy database instead. LSA reads an account's privileges from that database when it builds a logon token, so a privilege added to the policy appears in every token created at the account's next logon. And members of the Administrators group have write access to the policy object. So: Administrator lacks the super-privileges, LSA takes privileges from the policy database, and Administrator can write the policy database -- a neat chain. Note that this is not an escalation across a security boundary: Administrators are already fully trusted on the machine and may edit the policy by design (the same assignment can be made with the Local Security Policy tool); it only shows that the default Administrator token is less than the maximum the system can grant.
Below is my program; it grants SeTcbPrivilege to Administrator. Although I put an Administrator check in the program, I believe some super-privileges could be obtained by ordinary users with a small rewrite -- and not by simply deleting the Administrator check. The techniques in it may be useful to you. (Reviewer's note: treat that claim with caution. LsaAddAccountRights requires POLICY_CREATE_ACCOUNT and POLICY_LOOKUP_NAMES access on the policy object, and the default policy ACL does not give those to ordinary users, so the user-name check in Init() is cosmetic and the real gate is the LsaOpenPolicy call.)
Of course, there are compiled versions for download.
/*++
  sec.cpp
--*/

#define UNICODE
#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream.h>

//
// Global vars
//
//
// Global state shared by the helpers below. Everything allocated or opened
// here is released in Quit(), so every error path must leave through Quit()
// rather than calling exit() directly.
//
LSA_HANDLE policyHandle = NULL;             // LSA policy object opened in main()
PSID sid = NULL;                            // binary SID of "Administrator" (new char[])
DWORD cbSid = 0;                            // size of the SID buffer, in bytes
LPTSTR referencedDomainName = NULL;         // domain that resolved the account (new WCHAR[])
DWORD cbReferencedDomainName = 0;           // size of that buffer, in characters
SID_NAME_USE peUse;                         // account type reported by LookupAccountName
PUNICODE_STRING userRights = NULL;          // name of the right passed to LsaAddAccountRights
ULONG count = 0;                            // index over the token's privilege array
WCHAR textSid[200];                         // textual "S-1-5-..." form of the SID
HANDLE token = NULL;                        // current process token (TOKEN_QUERY)
PTOKEN_PRIVILEGES tokenInformation = NULL;  // TokenPrivileges buffer (new char[])
BOOL owned = FALSE;                         // set when SeTcbPrivilege is already in the token

//
// Quit
//
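//
// Release everything tracked by the globals and terminate the process.
//
// err: non-zero selects the failure exit code (0xc0000000), zero exits
//      cleanly. Every error path in this program must come through here
//      instead of exit() so the LSA policy handle and the process token
//      are closed.
//
void Quit(int err)
{
    // sid, referencedDomainName and tokenInformation are allocated with
    // new[] in main(), so they must be released with delete[]; plain
    // delete on a new[] block (as before) is undefined behaviour.
    // delete/delete[] on a null pointer is a no-op, so no guards needed.
    delete[] (char *)sid;
    delete[] referencedDomainName;
    delete[] (char *)tokenInformation;
    // userRights is a single LSA_UNICODE_STRING (plain new); its Buffer
    // points at a string literal, so there is nothing else to free.
    delete userRights;

    if (token) CloseHandle(token);
    if (policyHandle) LsaClose(policyHandle);

    wprintf(L"\n\nWritten by Lu Lin. 2000.1.30\nLicence: freeware.\n");

    exit(err ? (int)0xc0000000 : 0);
}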

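//
// Print one entry of the token's privilege array and remember whether it
// is SeTcbPrivilege.
//
// luid: one LUID_AND_ATTRIBUTES from TOKEN_PRIVILEGES::Privileges.
// Side effect: sets the global `owned` when the entry is SeTcbPrivilege.
// On a lookup failure the program terminates through Quit(1) (the old
// code called exit(1) here and leaked the policy handle and token).
//
void PrintPrivilege(LUID_AND_ATTRIBUTES *luid)
{
    WCHAR dispName[100];
    DWORD cb = sizeof(dispName) / sizeof(dispName[0]);

    if (!LookupPrivilegeName(NULL, &luid->Luid, dispName, &cb)) {
        wprintf(L"I can't translate some luid to privilege!\n");
        Quit(1);
    }

    wprintf(L"\tPrivilege: %s\n", dispName);

    // SE_TCB_NAME is TEXT("SeTcbPrivilege") from winnt.h.
    if (!_wcsicmp(dispName, SE_TCB_NAME)) owned = TRUE;

    // Attributes is a bit mask; ENABLED_BY_DEFAULT | ENABLED is the usual
    // "always on" combination (value 3). Anything not listed below falls
    // into the default branch instead of printing nothing.
    switch (luid->Attributes) {
    case SE_PRIVILEGE_ENABLED_BY_DEFAULT:
        wprintf(L"\t\tThis privilege is enabled by default\n");
        break;
    case SE_PRIVILEGE_ENABLED:
        wprintf(L"\t\tThis privilege is enabled.\n");
        break;
    case SE_PRIVILEGE_USED_FOR_ACCESS:
        wprintf(L"\t\tThis privilege is used for access.\n");
        break;
    case SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED:
        wprintf(L"\t\tThis privilege is always on for you.\n");
        break;
    case 0:
        wprintf(L"\t\tThis privilege you owned has not been enabled yet.\n");
        break;
    default:
        wprintf(L"\t\tAttributes: 0x%08lx\n", (unsigned long)luid->Attributes);
        break;
    }
}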

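//
// Sanity checks before touching LSA: refuse to run on non-NT platforms and
// require the logon name to be "Administrator".
//
// The name check is only a courtesy to the user, not a security control:
// what protects the policy is the access check LSA performs when main()
// opens the policy object for writing, and that decision is made on the
// caller's token against the object's ACL, not on the account name. A
// renamed administrator account is rejected here although it could do the
// work; an account merely named Administrator gets no further than
// LsaOpenPolicy.
//
void Init(void)
{
    WCHAR userName[256];
    DWORD cb = sizeof(userName) / sizeof(userName[0]);
    OSVERSIONINFO osv;

    ZeroMemory(&osv, sizeof(osv));
    osv.dwOSVersionInfoSize = sizeof(osv);
    // The earlier test `!dwPlatformId & VER_PLATFORM_WIN32_NT` parsed as
    // (!id) & 2, which is always zero, so the platform check never fired.
    if (!GetVersionEx(&osv) || osv.dwPlatformId != VER_PLATFORM_WIN32_NT) {
        wprintf(L"This program only runs on NT\n");
        Quit(1);
    }

    // A failed GetUserName (e.g. buffer too small) used to leave userName
    // uninitialised and fall straight into the comparison below.
    if (!GetUserName(userName, &cb)) {
        wprintf(L"Can't get the current user name!\n");
        Quit(1);
    }
    if (_wcsicmp(userName, L"Administrator")) {
        wprintf(L"Logon As administrator first!\n");
        Quit(1);
    }

    // The version fields are DWORDs, so print them with %lu.
    wprintf(L"Windows NT %lu.%lu build %lu %s\n",
            osv.dwMajorVersion,
            osv.dwMinorVersion,
            osv.dwBuildNumber,
            osv.szCSDVersion);
}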

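//
// Render a binary SID in the usual "S-1-5-21-..." form.
//
// pSid:        binary SID to format (validated with IsValidSid).
// textualSid:  output buffer.
// dwBufferLen: size of textualSid in TCHARs -- the unit the caller in
//              main() uses (the element count of a TCHAR array). The
//              earlier version computed the requirement in bytes and
//              compared it with this character count, so it rejected
//              buffers that were large enough once a SID had seven or more
//              sub-authorities.
// Returns TRUE on success. Returns FALSE with GetLastError() set to
// ERROR_INSUFFICIENT_BUFFER when the buffer is too small, or FALSE with
// the error left by IsValidSid when the SID is malformed.
//
BOOL GetTextualSid(PSID pSid, LPTSTR textualSid, DWORD dwBufferLen)
{
    PSID_IDENTIFIER_AUTHORITY psia;
    DWORD dwSubAuthorities;
    DWORD dwSidRev = SID_REVISION;
    DWORD dwCounter;
    DWORD dwSidSize;

    if (!IsValidSid(pSid)) return FALSE;

    psia = GetSidIdentifierAuthority(pSid);
    dwSubAuthorities = *GetSidSubAuthorityCount(pSid);

    // Worst case, in characters: "S-" plus revision (15), identifier
    // authority as 0x-hex (12), 12 per sub-authority, and the terminator.
    dwSidSize = 15 + 12 + (12 * dwSubAuthorities) + 1;
    if (dwBufferLen < dwSidSize) {
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
        return FALSE;
    }

    // "S-" prefix and revision number; wsprintf returns the count written.
    dwSidSize = wsprintf(textualSid, TEXT("S-%lu-"), dwSidRev);

    // The identifier authority is a 48-bit big-endian value. Windows prints
    // it in hex when either of the top two bytes is set, decimal otherwise.
    if ((psia->Value[0] != 0) || (psia->Value[1] != 0)) {
        dwSidSize += wsprintf(textualSid + dwSidSize,
            TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
            (USHORT)psia->Value[0],
            (USHORT)psia->Value[1],
            (USHORT)psia->Value[2],
            (USHORT)psia->Value[3],
            (USHORT)psia->Value[4],
            (USHORT)psia->Value[5]);
    } else {
        // Cast each byte to ULONG before shifting: a BYTE promotes to int,
        // and an int shifted left by 24 overflows for values >= 128.
        dwSidSize += wsprintf(textualSid + dwSidSize, TEXT("%lu"),
            (ULONG)psia->Value[5] +
            ((ULONG)psia->Value[4] << 8) +
            ((ULONG)psia->Value[3] << 16) +
            ((ULONG)psia->Value[2] << 24));
    }

    // Sub-authorities, each as "-<decimal>".
    for (dwCounter = 0; dwCounter < dwSubAuthorities; dwCounter++) {
        dwSidSize += wsprintf(textualSid + dwSidSize, TEXT("-%lu"),
            *GetSidSubAuthority(pSid, dwCounter));
    }

    return TRUE;
}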

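//
// Entry point. Opens the LSA policy object, resolves the Administrator
// account's SID, lists the privileges in this process token and -- unless
// the token already holds SeTcbPrivilege -- assigns that right to the
// Administrator account in the LSA policy database.
//
// The assignment changes the policy, not this token: LSA builds a token's
// privilege set from the policy at logon, so the new right shows up only in
// tokens created by later logons. Changing the policy requires write access
// to the policy object, which the default ACL gives to Administrators; the
// user-name check in Init() is cosmetic by comparison.
//
int main(void)
{
    LSA_OBJECT_ATTRIBUTES objectAttributes;
    DWORD cbReturned = 0;
    NTSTATUS status;

    ZeroMemory(&objectAttributes, sizeof(objectAttributes));

    Init();

    //
    // Open the LSA policy object with exactly the rights LsaAddAccountRights
    // needs (POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT). The earlier
    // GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE request asked for far
    // more, and an access request is refused as a whole when any part of it
    // is denied. The return is an NTSTATUS: zero means success.
    //
    status = LsaOpenPolicy(NULL, &objectAttributes,
                           POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT,
                           &policyHandle);
    if (status != 0) {
        wprintf(L"Open Policy error! (NTSTATUS 0x%08lx, Win32 error %lu)\n",
                (unsigned long)status,
                (unsigned long)LsaNtStatusToWinError(status));
        policyHandle = NULL;   // never LsaClose a handle that was not opened
        Quit(1);
    }

    //
    // Resolve the Administrator account to its SID and show it.
    //
    cbSid = 500;
    cbReferencedDomainName = 100;
    sid = new char[cbSid];
    referencedDomainName = new WCHAR[cbReferencedDomainName];

    if (!LookupAccountName(NULL, L"Administrator", sid, &cbSid,
                           referencedDomainName, &cbReferencedDomainName,
                           &peUse)) {
        wprintf(L"Damn, I can't find out the account looking!\n");
        Quit(1);
    }
    if (!GetTextualSid(sid, textSid, sizeof(textSid) / sizeof(textSid[0]))) {
        wprintf(L"Damn, get textual Sid error! Maybe a bug in this program.\n");
        Quit(1);
    }

    wprintf(L"The SID of administrator is: %s\n", textSid);
    wprintf(L"\tOn the server: %s\n", referencedDomainName);

    //
    // List the privileges in this process token. TOKEN_QUERY is all that is
    // needed to read them.
    //
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) {
        wprintf(L"Can't open process Token! What's happened?\n");
        Quit(1);
    }

    // Ask for the required size instead of guessing 2000 bytes, and keep
    // the returned length in its own variable rather than reusing cbSid.
    GetTokenInformation(token, TokenPrivileges, NULL, 0, &cbReturned);
    if (cbReturned == 0) {
        wprintf(L"Can't get token information\n");
        Quit(1);
    }
    tokenInformation = (PTOKEN_PRIVILEGES)new char[cbReturned];
    if (!GetTokenInformation(token, TokenPrivileges, tokenInformation,
                             cbReturned, &cbReturned)) {
        wprintf(L"Can't get token information\n");
        Quit(1);
    }

    wprintf(L"\nTotal privilege count: %lu\n",
            (unsigned long)tokenInformation->PrivilegeCount);
    for (count = 0; count < tokenInformation->PrivilegeCount; count++) {
        PrintPrivilege(&tokenInformation->Privileges[count]);
    }

    //
    // Add SeTcbPrivilege to Administrator if this token does not hold it.
    //
    if (owned) {
        wprintf(L"\nYou own SeTcbPrivilege. I don't add it for you.\n");
        Quit(0);   // the old code fell off the end here without cleanup
    }

    userRights = new LSA_UNICODE_STRING;
    userRights->Buffer = (PWSTR)SE_TCB_NAME;   // L"SeTcbPrivilege"
    // Length and MaximumLength are byte counts that exclude the terminator:
    // 14 characters * sizeof(WCHAR) == 28, as before, but derived rather
    // than hard-coded.
    userRights->Length = (USHORT)(wcslen(SE_TCB_NAME) * sizeof(WCHAR));
    userRights->MaximumLength = userRights->Length;

    status = LsaAddAccountRights(policyHandle, sid, userRights, 1);
    if (status != 0) {
        wprintf(L"Damn! Add right failed! :( (NTSTATUS 0x%08lx)\n",
                (unsigned long)status);
        Quit(1);
    }
    wprintf(L"\nAdd SeTcbPrivilege successfully!\n");
    wprintf(L"It appears in tokens created by later logons, not in this one.\n");

    Quit(0);
    return 0;
}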
Author's blog:Http://blog.csdn.net/star/
