Skip to content

0x00-0x00/zeroday-powershell

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Usage

Set-ExecutionPolicy Bypass Process
.\exploit.ps1 -TargetFile C:\Windows\Some.dll

This will exploit the Windows operating system allowing you to modify the file Some.dll.

Example

Set-ExecutionPolicy Bypass Process
.\example.ps1

https://youtu.be/rNSpxJd3_BM

Finding Vulnerable DLL files

$aapsid = 'NT AUTHORITY\SYSTEM'

ForEach($file in (Get-ChildItem -File -recurse -Path 'C:\windows' -Filter *.dll -ErrorAction SilentlyContinue)) {
 
   $acl = Get-Acl -path $file.FullName
   ForEach($ace in $acl.Access) {
      If(($ace.FileSystemRights -eq
           [Security.AccessControl.FileSystemRights]::FullControl) -and 
            $ace.IdentityReference.Value -in $aapsid) {
               Write-Output $file.FullName
              
      }
        
   }
   
   }

Further Information

The first PoC was released by @SandboxEscaper on the 27th August 2018, however, is now removed from GitHub.

The exploit.dll and the code for the TriggerXPSPrint.cpp comes from her original PoC. The exploit.dll simply launches notepad. I tried to replicate the XPS print api into C# but using System.Printing or System.Drawing.Printing only calls the print job within the current user context, you need to use the API to get the spooler service to initate the print job.

The actual exploit process is the native hardlink and using the Schedule.Service COM object to execute the method SetSecurityDescriptor. This then overwrites the permissions on the hardlinked file thus also updating the DACL on the targetted file. The example.ps1 is purely an instance of how you could use this exploit to replace a SYSTEM level service dll file. In this case it was the XPS printer, but it could also be an executable stored within C:\Program Files for example.

This was patched by Microsoft on the 11th September 2018. The following link has the relevant KB numbers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440

I since then have modified this to work with PowerShell Empire, you can read the pull request here: EmpireProject/Empire#1230

I have only tested this on Windows 10, in theory it should work on other versions.

About

A PowerShell example of the Windows zero day priv esc

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 92.1%
  • C++ 7.9%