示例#1
1
BOOLEAN
SrvIsAdmin(
    CtxtHandle  Handle
)
/*++

Routine Description:

    Decides whether the client behind Handle counts as an administrator:
    the client is impersonated, an access check for FILE_GENERIC_READ is
    run against SrvAdminSecurityDescriptor with the client's subject
    context, and the thread's impersonation token is then cleared again.

Arguments:

    Handle - Security context of the client being checked

Return Value:

    TRUE if the access check grants FILE_GENERIC_READ.  FALSE if it does
    not, or if the client could not be impersonated at all.

--*/
{
    NTSTATUS                 ntStatus;
    SECURITY_SUBJECT_CONTEXT subject;
    ACCESS_MASK              granted;
    GENERIC_MAPPING          mapping;
    HANDLE                   noToken = NULL;
    BOOLEAN                  isAdmin = FALSE;

    mapping.GenericRead    = FILE_GENERIC_READ;
    mapping.GenericWrite   = FILE_GENERIC_WRITE;
    mapping.GenericExecute = FILE_GENERIC_EXECUTE;
    mapping.GenericAll     = FILE_ALL_ACCESS;

    PAGED_CODE();

    //
    // Take on the client's identity so that the captured subject context
    // below describes the client rather than the server itself.
    //
    ntStatus = ImpersonateSecurityContext( &Handle );

    if ( NT_SUCCESS( ntStatus ) ) {

        SeCaptureSubjectContext( &subject );

        isAdmin = SeAccessCheck( &SrvAdminSecurityDescriptor,
                                 &subject,
                                 FALSE,               // subject context is not locked
                                 FILE_GENERIC_READ,   // the right that defines "admin" here
                                 0,                   // nothing previously granted
                                 NULL,                // no privilege set
                                 &mapping,
                                 UserMode,            // AccessMode
                                 &granted,
                                 &ntStatus );         // overwritten with the access status

        SeReleaseSubjectContext( &subject );

        //
        // Clear the impersonation token so the thread is back to its own
        // identity.  The return status is not inspected; should this call
        // ever fail the thread would leave this routine still running as
        // the client.
        //
        NtSetInformationThread( NtCurrentThread( ),
                                ThreadImpersonationToken,
                                &noToken,
                                sizeof(noToken)
                              );
    }

    return isAdmin;
}
示例#2
0
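//
// Exercises impersonation on the already-established security context
// `hctxt` (a file-level global): prints the negotiated package, impersonates
// the client on the calling thread, opens the resulting thread token into
// the global `letToken`, prints the effective user name, pauses for five
// minutes so the thread's token state can be inspected from outside, and
// finally reverts to self.
//
// Failed context queries terminate the process via exit(1).  A failed
// impersonation calls cleanup() and returns; nothing further is meaningful
// while the thread is still running as itself, and RevertSecurityContext
// must not be issued for a context that was never impersonated.
//
// `letToken` is not closed here; presumably cleanup() owns it -- verify.
//
void test_imperson(){
    SECURITY_STATUS ss;
    SecPkgContext_Sizes SecPkgContextSizes;
    SecPkgContext_NegotiationInfo SecPkgNegInfo;

    // Probes that the context is usable; the size values are not consumed
    // by this function.
    ss = QueryContextAttributes(&hctxt, SECPKG_ATTR_SIZES, &SecPkgContextSizes);
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08lx\n", ss);
        exit(1);
    }

    ss = QueryContextAttributes(
        &hctxt,
        SECPKG_ATTR_NEGOTIATION_INFO,
        &SecPkgNegInfo);
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "QueryContextAttributes failed: 0x%08lx\n", ss);
        exit(1);
    }

    // NOTE(review): wprintf with %s expects a wide string, i.e. this file
    // assumes a UNICODE build -- confirm.
    wprintf(L"PackageName: %s\n", SecPkgNegInfo.PackageInfo->Name);
    wprintf(L"PackageComment: %s\n", SecPkgNegInfo.PackageInfo->Comment);

    // PackageInfo was allocated by the security package; release it.
    FreeContextBuffer(SecPkgNegInfo.PackageInfo);

    printf("Now impersonating via thread\n");
    ss = ImpersonateSecurityContext(&hctxt);
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "Impersonate failed: 0x%08lx\n", ss);
        cleanup();
        // Do not continue as if impersonating: the token/user-name output
        // below would describe the wrong identity.
        return;
    }
    printf("Impersonation worked. \n");

    // OpenAsSelf=TRUE performs the open with the process identity rather
    // than with the token being opened.  TOKEN_ALL_ACCESS is more than this
    // function needs (TOKEN_QUERY would do); it is left as-is because
    // `letToken` is a global that other code may rely on.
    if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &letToken))
    {
        printf("it WORKED!\n");
    }
    else
    {
        const DWORD dwErrorCode = GetLastError();
        wprintf(L"OpenThreadToken failed. GetLastError returned: %lu\n", dwErrorCode);
    }

    // Report the identity the thread now runs under.  Only print when the
    // call succeeds; on failure the buffer is uninitialised.
    TCHAR username[UNLEN + 1];
    DWORD size = UNLEN + 1;
    if (GetUserName(username, &size))
    {
        wprintf(L"Username: %s\n", username);
    }
    else
    {
        wprintf(L"GetUserName failed. GetLastError returned: %lu\n", GetLastError());
    }

    //////////////////////////////////////////////////////////////////////
    printf("Check your tokens now bro!\n");
    // Newline plus flush so the message is visible before the long pause.
    printf("Sleeping for 5min\n");
    fflush(stdout);
    Sleep(300000);

    //  Revert to self.
    ss = RevertSecurityContext(&hctxt);
    if (!SEC_SUCCESS(ss))
    {
        fprintf(stderr, "Revert failed: 0x%08lx\n", ss);
        cleanup();
    }
    else
    {
        printf("Reverted to self.\n");
    }
}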