Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation


HACK1949


# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Compilation 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerability Type: Privilege Escalation

Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1

Language OS: English

The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that
finds various misconfigurations in Windows that could allow a local
attacker to elevate their privileges. On a typical Windows 7 and
Server 2008 R2 machine, the tool found that all local users have write
permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These didn't immediately seem exploitable, but Clément did the legwork
and found the Windows Performance Monitoring mechanism can be made to
read from these keys - and eventually load the DLL provided by the
local attacker. To most everyone's surprise, not as the local user,
but as Local System.

In short, a local non-admin user on the computer just creates a
Performance subkey in one of the above keys, populates it with some
values, and triggers performance monitoring, which leads to a Local
System WmiPrvSE.exe process loading the attacker's DLL and executing code
from it.

About Article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I detected that another version of Windows is also vulnerable:
Windows MultiPoint 2011, which can affect customers who use an extended
license.

I can't say if there are any other vulnerable unpublished versions
besides the ones I've posted here.

How to Produce Exploitation

Compile the Perfusion exploit in Visual Studio 2019: open the project, select
Release x64, and compile.

It is necessary to install the Microsoft Visual C++ Redistributable on Windows
MultiPoint 2011 to execute the exploit.

The exploit adds subkeys in

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance

Library = Name of your performance DLL

Open = Name of your Open function in your DLL

Collect = Name of your Collect function in your DLL

Close = Name of your Close function in your DLL

The exploit then writes the payload DLL (DLL hijacking), and the DLL is called with SYSTEM permissions using WMI.

Tools and Exploit:
https://github.com/itm4n/PrivescCheck

Exploit:
https://github.com/itm4n/Perfusion
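
A read-only audit of the two service keys described in the post, as an added example that is not part of the original post or of the PrivescCheck or Perfusion projects: it lists ACEs that grant value-write or subkey-creation rights to low-privileged groups and reports any Performance subkey with its Library, Open, Collect and Close values. The SID list and the write mask are assumptions chosen for this check.

```powershell
# Added example: read-only audit of the two service keys named in the post.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
        'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'

# Assumption: well-known low-privileged principals worth flagging, matched by SID
# so the check does not depend on the OS display language.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# KEY_SET_VALUE (0x2), KEY_CREATE_SUB_KEY (0x4), GENERIC_ALL (0x10000000),
# GENERIC_WRITE (0x40000000)
$writeMask   = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$fmtWeak     = '[weak] {0}: {1} is allowed {2}'
$fmtPerf     = '[review] {0}: Library={1} Open={2} Collect={3} Close={4}'

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "[skip] $key not present"
        continue
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -Path $key).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if (-not $lowPriv.ContainsKey($sid)) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child keys, not to this key itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        if (([int]$ace.RegistryRights -band $writeMask) -ne 0) {
            Write-Output ($fmtWeak -f $key, $lowPriv[$sid], $ace.RegistryRights)
        }
    }

    # The post describes a Performance subkey being created here; report any found.
    $perf = "$key\Performance"
    if (Test-Path -Path $perf) {
        $p = Get-ItemProperty -Path $perf
        Write-Output ($fmtPerf -f $perf, $p.Library, $p.Open, $p.Collect, $p.Close)
    }
}
```

A `[weak]` line means a non-admin principal can set values or create subkeys on that service key; a `[review]` line shows which DLL the performance counter configuration points to, so it can be checked against what is expected on the host.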
            