Universal Process Privilage Escalation

By adjusting process token its possible to elevate your current process privileges to enable certain functionality not available otherwise.

Basically steps we follow are :
1) Get current process handle
2) Get current process token
3) Resolve SeDebugPrivilege value
4) Created new Token with the resolved value from step 3
5) Adjust the token of the current process with new privilege
6) Close process handle

Following code demonstrates the principle.

print "[+] Universal Process Escalation by Y"
print "[+] contact : If you know me then give me a shout"

from ctypes import windll
import ctypes
from ctypes import *

class TOKEN_PRIVS(ctypes.Structure):
    _fields_ = (
        ("PrivilegeCount",    ULONG),
        ("Privileges",        ULONG * 3 )
    )

def get_debug_privs():
    # Adjust Current TOKEN
    token = HANDLE()
    print "\t[+] Getting Current Token"
    flags =  40 #  TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    windll.advapi32.OpenProcessToken(windll.kernel32.GetCurrentProcess(), 0x00000020, ctypes.byref(token))
    print "\t[+] Calculating Local SeDebugPrivilege"
    admin_priv_name = "SeDebugPrivilege" # we want this priv on the process
    pBytesReturned = ctypes.c_ulong() 
    windll.advapi32.LookupPrivilegeValueA(None,admin_priv_name,ctypes.byref(pBytesReturned))
    print "\t[+] Resolved SeDebugPrivilege as %d" % pBytesReturned.value
    print "\t[+] Modifying TOKEN Structure to enable Debug"
    privs = TOKEN_PRIVS()
    privs.PrivilegeCount = 1
    privs.Privileges = (pBytesReturned.value,0, 2) 
    print "\t[+] Adjusting Privileges of the current process"
    windll.advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(privs),0,0,0)
    print "\t[+] Closing current handle, almost done"
    windll.kernel32.CloseHandle(token)
    print "[+] Done, your process " , windll.kernel32.GetCurrentProcessId(), "has now admin privileges"
    ############ CURRENT TOKEN ADJUSTED ##################
	
get_debug_privs()