CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/windows/local/comahawk.md
## Introduction

This module leverages two vulnerabilities on specific builds of Windows 10 to move from an authenticated user of any level to NT AUTHORITY\LOCAL SERVICE, and then from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.

The exploit works by creating a new service, so it may take up to a minute to complete on test systems and may take longer in the wild. The `exploit_timeout` value in the datastore can be adjusted accordingly.
## Usage

1. Create a session on the target system under the context of an authenticated user.
2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
3. Set the `PAYLOAD` and configure it correctly.
4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: `set DisablePayloadHandler true`.
5. Make sure that the `SESSION` value is set to the existing session identifier.
6. Invoke the module: `run`.
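As an added defender-side example (not code from the module or its documentation): because the module works by installing a new service, a responder can list recent service installs from the System log (Service Control Manager event 7045) and flag image paths outside `%SystemRoot%`. The event ID and its field order are standard Windows behaviour; the 60-minute window and the path heuristic are assumptions chosen for illustration.

```powershell
# Added defender-side check; not part of the Metasploit module or its docs.
# Lists services installed in the last $MinutesBack minutes (SCM event 7045)
# and flags any whose binary lives outside %SystemRoot% (assumed heuristic).
param(
    [int]$MinutesBack = 60   # assumed window; widen after a suspected incident
)

$since = (Get-Date).AddMinutes(-$MinutesBack)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045           # "A service was installed in the system."
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Event 7045 property order: ServiceName, ImagePath, ServiceType,
    # StartType, AccountName.
    $p       = $_.Properties
    $image   = [string]$p[1].Value
    [pscustomobject]@{
        Time              = $_.TimeCreated
        Service           = $p[0].Value
        ImagePath         = $image
        StartType         = $p[3].Value
        RunAs             = $p[4].Value
        OutsideSystemRoot = ($image -notlike "$env:SystemRoot\*")
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Correlate any hit with the session that was active at that time; a service installed by a low-privilege user's session during the module's run window is the indicator worth investigating.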