The 1's are at 0x1, 0x8, 0x20, 0x80, 0x20000, and 0x100000.
• 0x1 = FILE_LIST_DIRECTORY (Grants the right to list the contents of the
directory.)
• 0x8 = FILE_READ_EA (Grants the right to read extended attributes.)
• 0x20 = FILE_TRAVERSE (The directory can be traversed.)
• 0x80 = FILE_READ_ATTRIBUTES (Grants the right to read file attributes.)
• 0x20000 = READ_CONTROL (Grants the right to read information in the
security descriptor, not including the information in the SACL.)
• 0x100000 = SYNCHRONIZE (Grants the right to use the object for
synchronization.)
See, that wasn't so hard. Now we know exactly what access rights are granted to the
BUILTIN\Users group. This correlates with the GUI view that the Windows XP Explorer
provides, as you can see in Figure 16-6.
After looking through the rest of the ACEs, we'll show you how to use tools that are
quicker than deciphering 32-bit access masks by hand and faster than clicking through
four Explorer windows to get the rights granted by each ACE. But now, given the access
rights bitmask and MSDN, you can decipher the unfiltered access rights described by an
allow ACE, and that's pretty cool.

Figure 16-5 Access mask

PART IV
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
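The by-hand decoding above, as an added Python example (not code from the book). It goes beyond the six bits in the text: it covers the other directory and standard rights, expands generic rights through the file generic mapping, and reports bits it cannot name. The function names and the sample mask built from the six listed bits are assumptions of this example.

```python
# Added example (not from the book): decode a directory ACE access mask.
# Bit values are the Windows SDK constants for directory objects.
DIR_RIGHTS = {
    0x1: "FILE_LIST_DIRECTORY", 0x2: "FILE_ADD_FILE",
    0x4: "FILE_ADD_SUBDIRECTORY", 0x8: "FILE_READ_EA",
    0x10: "FILE_WRITE_EA", 0x20: "FILE_TRAVERSE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYSTEM_SECURITY", 0x2000000: "MAXIMUM_ALLOWED",
}
# Generic bits and the specific rights they map to for files/directories.
GENERIC_MAP = {
    0x80000000: 0x120089,  # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x120116,  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x1200A0,  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    0x10000000: 0x1F01FF,  # GENERIC_ALL     -> FILE_ALL_ACCESS
}
# Rights that let a trustee change directory contents or its security.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

def expand_generic(mask):
    """Replace any generic bits with the specific rights they stand for."""
    for bit, specific in GENERIC_MAP.items():
        if mask & bit:
            mask = (mask & ~bit) | specific
    return mask & 0xFFFFFFFF

def decode(mask):
    """Return (right names in bit order, leftover bits with no known name)."""
    mask = expand_generic(mask)
    names = [name for bit, name in sorted(DIR_RIGHTS.items()) if mask & bit]
    known = sum(DIR_RIGHTS)  # keys are distinct single bits, so sum == OR
    return names, mask & ~known

def grants_modify(mask):
    """True if the mask allows writing, deleting, or re-permissioning."""
    return bool(expand_generic(mask) & MODIFY_BITS)

# Constructed sample: the six bits listed in the text, OR-ed together.
USERS_MASK = 0x1 | 0x8 | 0x20 | 0x80 | 0x20000 | 0x100000

if __name__ == "__main__":
    names, unknown = decode(USERS_MASK)
    print(hex(USERS_MASK), names, hex(unknown), grants_modify(USERS_MASK))
```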