BOOLEAN
SrvIsAdmin(
    CtxtHandle Handle
    )
/*++

Routine Description:

    Returns TRUE if the client represented by Handle is an administrator.
    The decision is an access check for FILE_GENERIC_READ against
    SrvAdminSecurityDescriptor, performed while impersonating the client.

Arguments:

    Handle - Security context of the client we're interested in.

Return Value:

    TRUE if the user is an administrator.  FALSE otherwise, and also FALSE
    when the client could not be impersonated (the check never ran).

--*/
{
    NTSTATUS status;
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    ACCESS_MASK GrantedAccess;                  // written by SeAccessCheck; not examined here
    GENERIC_MAPPING Mapping = { FILE_GENERIC_READ, FILE_GENERIC_WRITE,
                                FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS };
    HANDLE NullHandle = NULL;                   // a NULL thread token means "stop impersonating"
    BOOLEAN retval = FALSE;

    PAGED_CODE();

    //
    // Impersonate the client.  If that fails the access check below never
    // runs, so answer "not an administrator" (fail closed).
    //
    status = ImpersonateSecurityContext( &Handle );
    if( !NT_SUCCESS( status ) )
        return FALSE;

    //
    // Capture the (now impersonated) subject and check it against the admin
    // descriptor.  SeAccessCheck's BOOLEAN result is the answer; the
    // NTSTATUS it stores in 'status' is overwritten and not inspected.
    //
    SeCaptureSubjectContext( &SubjectContext );

    retval = SeAccessCheck( &SrvAdminSecurityDescriptor,
                            &SubjectContext,
                            FALSE,
                            FILE_GENERIC_READ,
                            0,
                            NULL,
                            &Mapping,
                            UserMode,
                            &GrantedAccess,
                            &status );

    SeReleaseSubjectContext( &SubjectContext );

    //
    // Revert back to our original identity by clearing the thread's
    // impersonation token.  NOTE(review): the return value of this call is
    // not checked; were it to fail, the thread would keep running under
    // the client's identity after this routine returns.
    //
    NtSetInformationThread( NtCurrentThread( ),
                            ThreadImpersonationToken,
                            &NullHandle,
                            sizeof(NullHandle) );

    return retval;
}
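// Exercises client impersonation on the file-scope SSPI context `hctxt`:
// queries package sizes and negotiation info, impersonates the client on the
// calling thread, reports the impersonated identity, pauses so the thread's
// token can be inspected externally, then reverts to self.
//
// Depends on file-scope state: `hctxt` (CtxtHandle), `letToken` (HANDLE) and
// `cleanup()`. A failed QueryContextAttributes exits the process; a failed
// impersonation calls cleanup() and returns, so the remainder of the test
// never runs under the wrong identity.
void test_imperson()
{
    SECURITY_STATUS ss;
    SecPkgContext_Sizes SecPkgContextSizes;
    SecPkgContext_NegotiationInfo SecPkgNegInfo;

    // Size query kept as a sanity probe of the context; nothing in this
    // function consumes the returned signature/trailer sizes.
    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_SIZES, &SecPkgContextSizes);
    if (!SEC_SUCCESS(ss)) {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08x\n", ss);
        exit(1);
    }

    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_NEGOTIATION_INFO, &SecPkgNegInfo);
    if (!SEC_SUCCESS(ss)) {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08x\n", ss);
        exit(1);
    }
    // NOTE(review): %s under wprintf expects a wide string; PackageInfo->Name
    // and ->Comment are wide only in a UNICODE build — confirm the build.
    wprintf(L"PackageName: %s\n", SecPkgNegInfo.PackageInfo->Name);
    wprintf(L"Comment: %s\n", SecPkgNegInfo.PackageInfo->Comment);  // was mislabelled "PackageName"
    FreeContextBuffer(SecPkgNegInfo.PackageInfo);  // SSPI-allocated; the caller must free it

    printf("Now impersonating via thread\n");
    ss = ImpersonateSecurityContext(&hctxt);
    if (!SEC_SUCCESS(ss)) {
        fprintf(stderr, "Impersonate failed: 0x%08x\n", ss);
        cleanup();
        return;  // fail closed: do not run the rest of the test unimpersonated
    }
    printf("Impersonation worked. \n");

    // Open the thread's impersonation token. OpenAsSelf = TRUE so the open is
    // checked against the process identity rather than the impersonated one.
    // NOTE(review): TOKEN_ALL_ACCESS exceeds what this function needs
    // (TOKEN_QUERY would do); it is kept, and the handle is not closed here,
    // because `letToken` is file-scope and may be used elsewhere — whoever
    // owns `letToken` must CloseHandle() it.
    if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &letToken)) {
        printf("it WORKED!\n");
    } else {
        DWORD dwErrorCode = GetLastError();
        wprintf(L"OpenThreadToken failed. GetLastError returned: %lu\n", dwErrorCode);  // message named the wrong API
    }

    // Report who the thread currently is. The explicit ANSI variant keeps the
    // buffer `char` so it prints correctly through std::cout regardless of
    // UNICODE; the result is checked before the buffer is used.
    char username[UNLEN + 1];
    DWORD size = UNLEN + 1;
    if (GetUserNameA(username, &size)) {
        std::cout << "Username: " << username << "\n" << std::endl;
    } else {
        std::cout << "GetUserNameA failed. GetLastError returned: " << GetLastError() << std::endl;
    }

    printf("Check your tokens now bro!\n");
    printf("Sleeping for 5min\n");  // newline + flush so the line appears before the sleep
    fflush(stdout);
    Sleep(300000);

    // Revert to self.
    ss = RevertSecurityContext(&hctxt);
    if (!SEC_SUCCESS(ss)) {
        fprintf(stderr, "Revert failed: 0x%08x\n", ss);
        cleanup();
    } else {
        printf("Reverted to self.\n");
    }
}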