|Desura Install Service privilege escalation
|Page 1 of 1|
|Author:||aluigi [ Fri Aug 15, 2014 7:33 pm ]|
|Post subject:||Desura Install Service privilege escalation|
The following was a quick test I made in the far October 2012 and it's still working.
"Desura is a digital distribution platform developed by Linden Research":
Basically it's a competitor of Steam that, I remember, was mainly focused on indie games and then has been bought by Linden, the guys behind Second Life.
Anyway it's just a local privilege escaltion to become SYSTEM by using an option of the installer service, not so important but interesting to show.
Compile a dll with the name cryptsp.dll, the following is a quick example of dll for testing if you are able to write in a folder that requires Administrator privileges:
Create an empty folder called bin and put the dll there.
Kill/close the Desura client if it's running.
Let's say your current folder is z:\poc and the dll is located in z:\poc\bin\cryptsp.dll
Now start the service (any user can do that, just like with Steam) using the -wdir option:
sc start "Desura Install Service" -wdir z:\poc
Source code of Desura Service:
https://github.com/desura/Desurium/blob ... ceMain.cpp
If you want to read about something similar for Steam:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf
|Page 1 of 1||All times are UTC|
|Powered by phpBB® Forum Software © phpBB Limited