System Level Run

[DaUberBird]

After some looking at Windows XP exploits and etc I was able to make a script that created a service which ran a program. I was having trouble getting the thing to run something out of the System32 directory, so if the program is not in the system32 directory, it will create a shortcut to it that can be run.

This will NOT work in guest accounts or limited accounts, so you can't hack your friend's computer =(.

expandcollapse popup

; ----------------------------------------------------------------------------
;
; AutoIt Version: 3.1.0
; Author: DaUberBird
;
; ----------------------------------------------------------------------------

; Script Start - Add your code below here
$filename =InputBox("System Run As", "Enter the name of the .exe you want to run.")
$workindir =InputBox("System Run As", "Enter the name of the working directory it is in." & @LF & "(Leave blank if in system32 or in current directory)")
If $workindir = "" Then
    _SystemServicesRun($filename)
Else
    _SystemServicesRun($filename, $workindir)
EndIf

;Runs a program at system level by creating a service and running it.
;When using don't put in a whole file path
;Examples:
;Running a command prompt at system level: _SystemServicesRun("cmd")
;Running C:\Documents and Settings\Username\Desktop\myexe.exe: _SystemServicesRun("myexe.exe", "C:\Documents and Settings\Username\Desktop)
Func _SystemServicesRun($name, $workingdir = @ScriptDir)
    $systemfile = 0
;Checks if file is in the working dir with no \
    If FileExists($workingdir & "\" & $name) = 1 Then
        $filepath = $workingdir & "\" & $name
        $shortcutpath = @SystemDir & "\tmpshortcut.lnk"
        FileCreateShortcut($filepath, $shortcutpath)
        $name = "tmpshortcut.lnk"
        $systemfile = 0
    Else
    ;Checks if file is in the working dir with a \
        If FileExists($workingdir & $name) = 1 Then
            $filename = $workindir & $name
            $shortcutpath = @SystemDir & "\tmpshortcut.lnk"
            FileCreateShortcut($filepath, $shortcutpath)
            $name = "tmpshortcut.lnk"
            $systemfile = 0
        Else
        ;If it is not in the dir w/ a "\" or w/out a "\" then it assumes it is in the system32 folder
            $systemfile = 1
        EndIf
    EndIf
;creates a service called runsyslevel that runs the program
    $first = Run('sc.exe create runsyslevel' & $name & ' binpath= "cmd /C start ' & $name & '" type= own type= interact', "", @SW_HIDE)
    ProcessWaitClose($first)
;runs the service
    $second = Run("sc.exe start runsyslevel" & $name, "", @SW_HIDE)
    ProcessWaitClose($second)
;deletes the service
    $third = Run("sc.exe delete runsyslevel" & $name, "", @SW_HIDE)
    If $systemfile = 0 Then
    ;If a shortcut was created, delete it
        FileDelete($shortcutpath)
    EndIf
EndFunc

SystemLevelRun.au3

[HackerZer0]

or you could just use THIS...wich logs you on as the system account, so any program run will be from SYSTEM...

dont worry the delay where everything dissapears is supposed to happen, you should only be concerned if it happens for longer than 59 seconds...

$file = FileOpen("System Shift.bat", 1)
$min = @min + 1
$p = "explorer.exe"
FileWriteLine($file, "@echo off")
FileWriteLine($file, "at " & @hour & ":" & $min  & " /interactive " & $p)
FileWriteLine($file, "del %0")
FileClose($file)
Run("System Shift.bat")
Sleep(100)
Run("taskmgr.exe")
WinWaitActive("Windows Task Manager")
WinMove("Windows Task Manager", "", 321, 138)
Sleep(40)
MouseClick("left", 431, 203, 1)
Sleep(40)
MouseClick("left", 536, 365, 1)
Sleep(40)
Send("explorer")
Sleep(40)
MouseClick("left", 650, 532, 1)
Sleep(40)
MouseClick("left", 475, 450, 1)
ProcessClose("taskmgr.exe")

have fun... you can now access the System Volume Information folder in the c: (or wutever your main drive is) drive...and other things