cgranleese-r7
4.0 KiB
Vulnerable Application
This module reads or writes a Windows registry security descriptor remotely.
In READ mode, the FILE option can be set to specify where the security
descriptor should be written to.
The following format is used:
key: <registry key>
security_info: <security information>
sd: <security descriptor as a hex string>
In WRITE mode, the FILE option can be used to specify the information needed
to write the security descriptor to the remote registry. The file must follow
the same format as described above.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/admin/registry_security_descriptor - Do:
run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> - Verify the registry key security descriptor is displayed
- Do:
run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path> - Verify the registry key security descriptor is saved to the file
- Do:
run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string> - Verify the security descriptor is correctly set on the given registry key
- Do:
run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path> - Verify the security descriptor taken from the file is correctly set on the given registry key
Options
KEY
Registry key to read or write.
SD
Security Descriptor to write as a hex string.
SECURITY_INFORMATION
Security Information to read or write (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343 (default: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION).
FILE
File path to store the security descriptor when reading or source file path used to write the security descriptor when writing
Scenarios
Read against Windows Server 2019
msf auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
[*] Running module against 192.168.101.124
[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
[*] Auxiliary module execution completed
Write against Windows Server 2019
Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.
msf auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
[*] Running module against 192.168.101.124
[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
[*] Auxiliary module execution completed
Write against Windows Server 2019 (from file)
msf auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
[*] Running module against 192.168.101.124
[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
key: HKLM\SECURITY\Policy\PolEKList
security information: 4
security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
[*] Auxiliary module execution completed