
Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation
## EDB Note Download:
- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe
- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip
COMahawk
Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322
Usage
Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
- Run COMahawk.exe
- ???
- Hopefully profit
or
- COMahawk.exe "custom command to run" (e.g. COMahawk.exe "net user /add test123 lol123 &")
- ???
- Hopefully profit
Concerns
MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.
However, it is confirmed that my 1903 does indeed have this bug, so maybe it was introduced somewhere in between. YMMV.
Also, since you are executing from a service, you most likely cannot spawn any window, hence all commands will be "GUI-less". Maybe a different session? Idk, it is too late and I am tired haha.
Credits:
https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop
https://twitter.com/TomahawkApt69 for being the mental support and motivation
and most of all:
for discovering and publishing the write-up. 100% of the credit goes here.