Rough attempt at CVE-2020-1337 #14414
Conversation
Non-functional
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
So this still is kind of hanging out while I get a better idea on why a specific-length comment is required inside the powershell script.
length comment is required for the exploit to work.
Rather than do troubleshooting on the comment, I've replaced the
Thanks for this module @bwatters-r7 ! I successfully got a SYSTEM session on an unpatched genuine Windows 10 (build 10240). I left a few comments for you to review.
documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
```ruby
return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363

return Exploit::CheckCode::Safe
end
```
I'm wondering if this method should also check if it is actually a Windows before checking the build number?
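To make the reviewer's point concrete, here is an added example (not the module's code from this pull request) of a check routine that confirms the session is Windows 10 before it compares the build number. The module's own check shown above matches `sysinfo_value =~ /10/ && build_num <= 18363`; without an OS guard, any sysinfo string that happens to contain "10" satisfies the first half. The sysinfo hashes are constructed, and the assumed `sysinfo['OS']` format ("Windows 10 (10.0 Build 18363).") is what Meterpreter typically reports; `CheckCode` is a stand-in for `Exploit::CheckCode` so the example runs outside the framework.

```ruby
# Added example, not the PR's module code. It shows an OS guard in front of
# the build-number comparison, as suggested in review.
# Assumed (not taken from the PR): sysinfo['OS'] looks like
# "Windows 10 (10.0 Build 18363)." as Meterpreter reports it.

LAST_VULNERABLE_BUILD = 18363 # value taken from the module's check

# Stand-in for Exploit::CheckCode so the example runs outside Metasploit.
module CheckCode
  APPEARS = :appears
  SAFE    = :safe
  UNKNOWN = :unknown
end

# Returns the Windows build number parsed from a sysinfo OS string, or nil.
def windows_build(os_string)
  m = os_string.to_s.match(/Build (\d+)/i)
  m && m[1].to_i
end

def check_printerdemon(sysinfo)
  os = sysinfo['OS'].to_s
  # 1. Is this Windows at all? A non-Windows session cannot be vulnerable.
  return CheckCode::SAFE unless os.start_with?('Windows')
  # 2. Is it Windows 10? Anchor "10" to the product name so that "10"
  #    appearing in an unrelated number (kernel version, build) does not match.
  return CheckCode::SAFE unless os =~ /\AWindows 10\b/
  # 3. Parse the build; without it we cannot decide either way.
  build = windows_build(os)
  return CheckCode::UNKNOWN if build.nil?
  build <= LAST_VULNERABLE_BUILD ? CheckCode::APPEARS : CheckCode::SAFE
end

# Constructed sample sysinfo hashes (not captured from real sessions).
SAMPLES = {
  'win10_1507'  => { 'OS' => 'Windows 10 (10.0 Build 10240).' },
  'win10_1909'  => { 'OS' => 'Windows 10 (10.0 Build 18363).' },
  'win10_2004'  => { 'OS' => 'Windows 10 (10.0 Build 19041).' },
  'win7'        => { 'OS' => 'Windows 7 (6.1 Build 7601, Service Pack 1).' },
  'linux_5_10'  => { 'OS' => 'Linux host 5.10.0-generic (x86_64)' }
}

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, info| puts "#{name}: #{check_printerdemon(info)}" }
end
```

The Linux sample is the case the reviewer is worried about: its OS string contains "10" (from the kernel version), so a bare `=~ /10/` would pass it to the build comparison, whereas the guarded version returns Safe before looking at the build.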
```ruby
end

def validate_active_host
  begin
```
Not a blocker, but you can skip the `begin ... end` block when wrapping the entire method in a rescue clause:

```ruby
def validate_active_host
  print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
  elog('Could not connect to session', error: e)
  raise Msf::Exploit::Failed, 'Could not connect to session'
end
```
documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
Thanks so much @cdelafuente-r7! I tried to make all the changes suggested and more.
Thanks @bwatters-r7 for the updates. Everything looks good now. I tested against Windows 10 (build 10240) and got a SYSTEM session after reboot. I also verified the cleanup procedure works using the established session. Note that I couldn't find a target where the previous exploit (CVE-2020-1048) didn't work and, therefore, couldn't check if this exploit bypassed the first patch. I'll go ahead and land it.
Release Notes
New module
Non-Functional
I'm out for a few days and will get back to this when I can. I figured it is mostly done, so I'll chuck it up here as a placeholder if nothing else.

The module works now. It still needs docs.

I'm unsure about why, but this module failed when executing the powershell script unless I maintained a ~200-character comment in it. My guess is that when that comment is gone, the powershell command method splits the script up differently in a way that breaks it. At this point, I've just chucked in a random string of 197 characters because that makes it work(TM). If there's a way around that, I'm all for it.

By moving to execute_string over psh_exec, there is no longer a need for the mystery comment.

Verification Steps
1. exploit/windows/local/cve_2020_1048 fails
2. use exploit/windows/local/cve_2020_1337_printerdemon
3. set payload [payload]
4. set [r|l]port n
5. set session [n]
6. set verbose true
7. (optional) set DisablePayloadHandler False
8. set wfsdelay 600
9. run
Sample Run