# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Compilation 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description

Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerability Type: Privilege Escalation

Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1

Language OS: English

The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that finds various misconfigurations in Windows that could allow a local attacker to elevate their privileges. On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These didn't immediately seem exploitable, but Clément did the legwork and found that the Windows Performance Monitoring mechanism can be made to read from these keys - and eventually load the DLL provided by the local attacker. To most everyone's surprise, not as the local user, but as Local System.

In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading the attacker's DLL and executing code from it.

Original article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I detected that another version of Windows, Windows MultiPoint 2011, is also vulnerable, which can affect customers who use an extended license.

I can't say if there are any other vulnerable unpublished versions besides the ones I've posted here.

How to Reproduce the Exploitation

Compile the Perfusion exploit in Visual Studio 2019: open the project, select Release x64 and build.

The Microsoft Visual C++ Redistributable must be installed on Windows MultiPoint 2011 to run the exploit.

The exploit adds subkeys under

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance

Library = Name of your performance DLL

Open = Name of your Open function in your DLL

Collect = Name of your Collect function in your DLL

Close = Name of your Close function in your DLL

and the exploit then writes the payload DLL (DLL hijacking) and calls the DLL with SYSTEM permissions using WMI.
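The following PowerShell is an added defensive check, not part of this advisory or the Perfusion project: it inspects the two service keys named above for the two conditions the technique depends on, write access for low-privileged principals on the key and a Performance subkey whose Library value names a DLL outside System32. It assumes an elevated prompt on the host being assessed and an English Windows build, so that the well-known group names match.

```powershell
# Added defensive check (not from the advisory or the Perfusion project). Assumes an
# elevated prompt and an English Windows build, so the group names below match.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)
# Principals that must never hold write rights on a service key.
$lowPrivilege = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                  'NT AUTHORITY\INTERACTIVE', 'Everyone')
# Any of these rights lets a user plant or alter a Performance subkey.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $serviceKeys) {
    if (-not (Test-Path -Path $key)) { Write-Output "ABSENT    $key"; continue }

    # 1. Allow ACEs that grant write rights to low-privileged principals.
    foreach ($ace in (Get-Acl -Path $key).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivilege -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeMask) -ne 0) {
            Write-Output "WEAK ACL  $key : $($ace.IdentityReference) -> $($ace.RegistryRights)"
        }
    }

    # 2. The pattern the advisory describes: a Performance subkey whose Library
    #    names a DLL chosen by the user. Report any such subkey and flag a Library
    #    path that lies outside System32.
    $perfKey = Join-Path -Path $key -ChildPath 'Performance'
    if (Test-Path -Path $perfKey) {
        $perf = Get-ItemProperty -Path $perfKey
        Write-Output ("PERF KEY  {0} : Library='{1}' Open='{2}' Collect='{3}' Close='{4}'" -f
            $perfKey, $perf.Library, $perf.Open, $perf.Collect, $perf.Close)
        $lib = [string]$perf.Library
        if ($lib -and ($lib -match '[\\/]') -and ($lib -notlike "$env:SystemRoot\System32\*")) {
            Write-Output "REVIEW    $perfKey : Library path is outside System32 ($lib)"
        }
    }
}
```

A WEAK ACL line is the misconfiguration itself and is fixed by removing the write rights from the key; a REVIEW line is an indicator that the key has already been used and should be examined together with the WmiPrvSE.exe process history.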

Tools and Exploit:

https://github.com/itm4n/PrivescCheck

Exploit:

https://github.com/itm4n/Perfusion