
Releases: antonioCoco/RunasCs

RunasCs version 1.5

20 May 01:19
a1e47b5

Added

  • Added the --remote-impersonation flag, which spawns the new process with its main thread impersonating the requested user logon. This can facilitate some integrity level (IL) escape scenarios, e.g. elevation from a standard user to a service user.
  • Added a check that identifies whether the user logon is limited and suggests potentially higher-privileged logon types granted to the user.
  • Added a check for when the requested user logon returns ERROR_LOGON_TYPE_NOT_GRANTED: the tool now checks whether other logon types are available to the user and prints a message if any are found.

Changed

  • Improved the UAC checks on the token obtained from user authentication. Both TokenElevation and TokenElevationType are now checked.
  • Improved user profile creation. The tool now detects whether the profile directories have already been created.
  • Improved error handling by printing the corresponding error message instead of the numeric error code.
  • All duplicated tokens have been downgraded from the unnecessary Delegation impersonation level to Impersonation.
  • Major refactor of the core function "RunAs", now split into multiple sub-functions to improve readability (RunasRemoteImpersonation, RunasCreateProcessWithLogonW, RunasCreateProcessWithTokenW, RunasCreateProcessAsUserW).

Bugfixes

  • Fixed a bug in the user profile creation.
  • Fixed a bug in flushing the console so that output messages are printed properly.
  • Fixed a bug when enabling all privileges in the new token.
  • Fixed a bug when checking UAC limitation on Unlock logon types.
  • Fixed a bug when calling RevertToSelf and the thread was already impersonating.
  • Fixed a bug: SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are now enabled when the calling process has them disabled.
  • Fixed a bug when unloading the user profile.

RunasCs version 1.4

18 Sep 14:50
fa68553

Added

  • Added the --bypass-uac flag, which allows spawning a process as an Administrator (if the password is known) with full privileges even from a Medium IL process.

Changed

  • Changed the default logon type from Network (3) to NetworkCleartext (8). This offers both advantages: the local token is not filtered by UAC, and the identity can still be used to authenticate over the network.
  • Refactored the AccessToken class, which manages all the business logic around access tokens.
  • Refactored the code that enables all privileges in the access token returned by LogonUser().

Bugfixes

  • Removed the check for the unnecessary "SeIncreaseQuotaPrivilege" privilege when using CreateProcessAsUser().
  • Fixed a bug when setting the ACL for the Station\Desktop while using logon type 9.
  • Fixed a double handle-close bug.
  • Fixed console output flushing when printing messages.
  • Fixed the handling of an exception raised under particular conditions in CreateEnvironmentBlock().

Credits to @winlogon0 for the UAC bypass implementation in C#.

RunasCs version 1.3

30 Aug 18:55
5e8c074

Added

  • The spawned process now has an associated environment block containing the required environment variables;
  • Added the -r flag to redirect stdout, stdin and stderr to a remote host;
  • Added the --create-profile flag to force user profile creation.

Changed

  • Added a simple command-line parser with optional arguments to the exe;
  • Switched from a static method to object invocation;
  • Logon type 9 is now an abstraction that works with every process-creation function, providing a feature equivalent to the /netonly flag of runas.exe.

Bugfixes

  • The domain name "." is now recognized;
  • Switched to exception-based error handling. With the ps1 version, the previous error handling based on System.Environment.Exit() caused the PowerShell process to exit;
  • Fixed a bug that caused RunasCs to hang even after the timeout. This was due to the pipe being created in blocking mode; the pipe is now set to PIPE_NOWAIT;
  • Fixed a bug when logon type 9 is requested: the LOGON32_PROVIDER_WINNT50 provider must be used in the LogonUser function;
  • Improved handle cleanup;
  • Fixed a bug in the default behavior of CreateProcessAsUser, where the process would not be created if the new user had no permission to access the current directory.

Big credits to @qtc-de for the nice improvements.

RunasCs version 1.2

14 Dec 02:20

Changelog

  • Big change: a proper DACL is now added to the running Window Station and Desktop of the calling process;
  • Changed how the child process output is retrieved: a pipe is now used instead of a file for stdout and stderr.

RunasCs version 1.1

09 Aug 18:41

Changelog

  • Added compatibility with Assembly Reflection in the C# module
  • Added a PowerShell wrapper for RunasCs named Invoke-RunasCs.ps1 with better argument parsing

RunasCs version 1.0 released

08 Aug 21:55
