forked from NtRaiseHardError/Antimalware-Research
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ab8d319
commit 604d680
Showing
1 changed file
with
49 additions
and
0 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
K7 Security/Local Privilege Escalation/v16.0.0117/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Local Privilege Escalation | ||
|
|
||
| ## CVE-2019-16896 | ||
|
|
||
| ### Vulnerability Type | ||
|
|
||
| Improper Access Control | ||
|
|
||
| ### Impact | ||
|
|
||
| Arbitrary File Write | ||
|
|
||
| ### Summary | ||
|
|
||
| The backup module improperly validates the administrative privileges of the user, allowing an arbitrary file write via a symbolic link attack with file restoration functionality. | ||
|
|
||
| ### Exploitation | ||
|
|
||
| **Prerequisite condition**: An existing backup set already exists | ||
|
|
||
| 1. Create a folder on the desktop and then drop a payload file into the new folder (this example will use `C:\Users\Standard-User\Desktop\bad\payload.exe`), | ||
| 2. Open the K7 GUI in a debugger, | ||
| 3. Place a breakpoint on DLL load of `K7BKCExt.dll`, | ||
| 4. Open the back up window on the GUI, | ||
| 5. Click "Manage Backup", | ||
| 6. On the breakpoint of `K7BKCExt.dll`, place another breakpoint on OpenBackUpMainWindow function of the loaded DLL, | ||
| 7. Continue the debugger until it stops at the OpenBackUpMainWindow breakpoint, | ||
| 8. Place a breakpoint on the offset `0xA901` from `K7BKCExt.dll` base address, | ||
| 9. Continue the debugger until it hits the breakpoint at function `0xA901`, | ||
| 10. Return outside of the function to the `test eax, eax` instruction, | ||
| 11. Modify `eax` from `0` to `1` (bypass administrative check), | ||
| 12. Continue the debugger, | ||
| 13. On the back up window, select "Create new Backup Set", | ||
| 14. Add the file `C:\Users\Standard-User\Desktop\bad\payload.exe` for backup, | ||
| 15. Returning back to the "Manage Backup" window, select to "Run Backup Now" on the newly created backup set, | ||
| 16. Close the K7 GUI to release the `C:\Users\Standard-User\Desktop\bad\payload.exe` file handle, | ||
| 17. Delete `C:\Users\Standard-User\Desktop\bad\payload.exe` from the disk, | ||
| 18. Use the "CreateSymlink.exe" tool on the command line: `CreateSymlink.exe C:\Users\Standard-User\Desktop\bad\payload.exe C:\Windows\System32\payload.exe`, | ||
| 19. Open the debugger and readd the `K7BKCExt.dll` breakpoints mentioned above (on the first instruction of `OpenBackUpMainWindow` and on function `0xA901`), | ||
| 20. On the breakpoint of `OpenBackUpMainWindow`, modify the fifth parameter from `0` to `1`, | ||
| 21. Continue until the breakpoint in function `0xA901`, | ||
| 22. Return outside of the function `0xA901` to the `test eax, eax` instruction, | ||
| 23. Modify the `eax` from `0` to `1`, as done previously, | ||
| 24. Continue the debugger to open the "Restore files" window, | ||
| 25. Select the newly created backup set, | ||
| 26. Select the backed up file `payload.exe`, | ||
| 27. Select "Original Location", | ||
| 28. Restore the file, | ||
| 29. The file should now be written to the `C:\Windows\System32` folder. |