No cmd spawned on Win 10 Enterprise 1809 #9
Comments
Having the same experience with this.
On a test machine I had the same problem. I edited the ctf-exploit-common-win10.ctf. If it doesn't work, try tinkering with that value for your build; for my 1803, offset 480 worked perfectly. set r0 1903 set r0 1809 set r0 1803 set r0 1709 set r0 1703
Thanks for the bug report, can you paste the output you see? Also, can you find the version of I did test it on 1809, but it might be a different patchlevel I didn't check...
I am also testing with 1809, and I tried different values with no success. What is your recommendation to identify what is the correct value to use here?
If you tell me the version of MSCTF.DLL you have, I can check.
@taviso, version is 10.0.17763.529
I just took a look at that version, the correct offset is 496, which should be automatically matched to 1809. (To find the offset, I just subtract the pointer to Can you show the full output from the exploit, it must be some other problem.
Microsoft Defender just caught it as:
An interactive ctf exploration tool by @taviso. Exploit complete. ctf>
Hmmm... it looks okay, can you try using The only thing I can think of is there are some group policy settings that change how the loginui one works.
+1 - MS Security just started flagging/deleting
Yes, in both cases a cmd is not spawned. It's a default install. I don't think it has anything special.
I'm on Windows 10 Enterprise 1709. Doesn't work. I think it is caused by the Extended Support of the Enterprise versions. My MSCTF.DLL is on version 10.0.16299.696. I didn't understand how to calculate the offset.
I'm experimenting with this in a corporate environment, but I can't seem to get a cmd shell spawned. Apologies if I'm missing something trivial.
Host is a Win10 Enterprise 1809 VM running in VMware. Latest updates are from the 6th of July.
Testing with the ctf-consent-system.ctf, ctf-exploit-common-win10.ctf and ctf-logonui-system.ctf fails to result in a shell being spawned, yet the output shows Exploit complete. Checking process explorer, there are no new cmd.exe processes running in other sessions/hidden.
Is this expected to work or am I missing something? What's the best way to go about debugging this?