Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation

 Share


Recommended Posts

# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Compilation 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade

Vulnerable: |Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerability Type: Privilege Escalation

Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1

Language OS: English

The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that
find various misconfigurations in Windows that could allow a local
attacker to elevate their privileges. On a typical Windows 7 and
Server 2008 R2 machine, the tool found that all local users have write
permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These didn't immediately seem exploitable, but Clément did the legwork
and found the Windows Performance Monitoring mechanism can be made to
read from these keys - and eventually load the DLL provided by the
local attacker. To most everyone's surprise, not as the local user,
but as Local System.

In short, a local non-admin user on the computer just creates a
Performance subkey in one of the above keys, populates it with some
values, and triggers performance monitoring, which leads to a Local
System WmiPrvSE.exe process loading attacker's DLL and executing code
from it.

About Artiche: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
I detected that in another version of windows it is also vulnerable,
Windows Multipoint 2011, which can affect customers who use extended
license;

I can't say if there are any other vulnerable unpublished versions
besides the ones I've posted here

How to Produce Exploitation

Compile Exploit Perfusion in Visual Studio 2019 - Open Project, Make
Release x64 and Compile.

Is necessary install microsoft visual c++ redistributable on Windows
MultiPoint 2011 for execute exploit

The exploit Add Subkeys in

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance

Library = Name of your performance DLL

Open = Name of your Open function in your DLL

Collect = Name of your Collect function in your DLL

Close = Name of your Close function in your DLL

and Exploit Write payload dll hijacking, call dll with permission SYSTEM using WMI

Tools and Exploit:
https://github.com/itm4n/PrivescCheck

Exploit:
https://github.com/itm4n/Perfusion
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...