We granted Everyone FILE_READ_DATA and SYNCHRONIZE access rights earlier, but we did
not grant access to the file attributes or extended attributes. This is a classic case of a
common testing tool requesting too much access. AccessCheck correctly identified that
not all of the requested access rights were granted in the DACL, so it returned
"access denied."
Because this is a hacking book, we know that you won't be satisfied until you find a
way to get access to this file, so we'll close the loop now before finally moving on to real
hacking.
Precision desiredAccess Requests
There are two ways you can get to the contents of the secret.txt file. Neither is a trivial
GUI-only task. First, you could write a small C program that opens the file appropriately
requesting only FILE_READ_DATA and then streams out the file contents to the console.
You'll need to have a compiler set up to do this. Cygwin is a relatively quick-to-set-up
compiler and it will build the sample code suitably. The second way to get access to the
secret.txt file contents is to attach the debugger to the process requesting too much
access, set a breakpoint on kernel32!CreateFileW, and modify the desiredAccess field in
memory. The access mask of the desiredAccess will be at esp+0x8 when the
kernel32!CreateFileW breakpoint is hit.
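
The all-or-nothing check behind the denial above, and the effect of a precise request, shown as an added example (not code from the book): a simplified, portable C model of the DACL walk, not the Windows AccessCheck API itself. The ace struct, the function names and the tool's request mask are constructed for illustration; the access-right values are the ones defined in winnt.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-right values as defined in the Windows SDK (winnt.h). */
#define FILE_READ_DATA       0x00000001u
#define FILE_READ_EA         0x00000008u
#define FILE_READ_ATTRIBUTES 0x00000080u
#define SYNCHRONIZE          0x00100000u
/* Constructed request: what a tool asking for attributes and EAs as well might send. */
#define TOOL_REQUEST (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SYNCHRONIZE)

/* Hypothetical model types: "applies" means the ACE's SID is in the caller's token. */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int applies; uint32_t mask; } ace;

/* Constructed DACL matching the text: Everyone may read data and synchronize. */
static const ace SECRET_DACL[] = { { ACE_ALLOW, 1, FILE_READ_DATA | SYNCHRONIZE } };

/* Walk ACEs in order. Succeed only if every requested bit is granted before a
 * deny ACE hits a still-needed bit. Simplified: no owner rights, privileges,
 * generic mapping or MAXIMUM_ALLOWED handling. */
int access_granted(const ace *dacl, size_t n, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!dacl[i].applies) continue;
        if (dacl[i].type == ACE_DENY) {
            if (dacl[i].mask & remaining) return 0;
        } else {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;
}

/* Requested bits that no applicable allow ACE covers: the reason for a denial. */
uint32_t missing_rights(const ace *dacl, size_t n, uint32_t desired) {
    for (size_t i = 0; i < n; i++)
        if (dacl[i].applies && dacl[i].type == ACE_ALLOW) desired &= ~dacl[i].mask;
    return desired;
}

int main(void) {
    printf("tool request granted: %d, missing 0x%08x\n",
           access_granted(SECRET_DACL, 1, TOOL_REQUEST),
           (unsigned)missing_rights(SECRET_DACL, 1, TOOL_REQUEST));
    printf("FILE_READ_DATA only granted: %d\n",
           access_granted(SECRET_DACL, 1, FILE_READ_DATA));
    return 0;
}
```

The missing bits, FILE_READ_ATTRIBUTES and FILE_READ_EA, are exactly the rights the text says were never granted, which is why the same file opens once the request is trimmed to FILE_READ_DATA.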