Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Metasploit Framework - Rapid7 (Windows) Local Privilege Escalation through CWE-426 (Untrusted Search Path)
When Metasploit Framework is installed on Windows, the installer creates 4 services.
The Metasploit Windows services are set to start automatically by default (I mean the services start/stop on reboot).
Then I checked the processes of those 4 services in Procmon. One of the 4 services (metasploitProSvc), running with SYSTEM privileges, calls/loads taskkill.exe when the service stops (or the PC reboots), and it looks for it in a folder other than the usual one, where taskkill.exe doesn't exist.
Then I checked the permissions of the folder where the missing taskkill.exe is looked up.
Authenticated Users have access to that folder. That means every user (standard user/guest or admin) who can use Metasploit Framework on the Windows PC can exploit this bug.
Then I created the payload file as taskkill.exe in the folder "C:\metasploit\postgresql\bin".
The payload was executed. B00M !!! We g0t a SYSTEM shell.
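Here is a quick audit script for the root cause described above. It is an added example, not code from the original post or from Rapid7: it reads the ACL of the folder named in the write-up and reports any Allow entry that gives a low-privilege principal file-creation or write rights, plus whether the looked-up binary is actually present there. The folder path is the one from the post; the principal list and the output wording are my own assumptions.

```powershell
# Added example (not from the original post): audit the search-path folder for
# ACL entries that let low-privilege principals plant a file in it.
# Assumptions: the folder is the one named in the write-up; the principal list is mine.
$Folder = 'C:\metasploit\postgresql\bin'
$Binary = Join-Path $Folder 'taskkill.exe'
$WeakPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# Any of these rights is enough to drop a new file into the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
             [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWriteAces {
    # Returns the Allow ACEs on $Path that grant a weak principal write rights,
    # an empty array if there are none, or $null if the folder does not exist.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path
    return @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { $ace }
    })
}

$weak = Get-LowPrivWriteAces -Path $Folder
if ($null -eq $weak) {
    "Folder $Folder not found (Metasploit for Windows not installed here?)"
} elseif ($weak.Count -gt 0) {
    "RISK: $Folder is writable by low-privilege principals:"
    $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    if (-not (Test-Path -LiteralPath $Binary)) {
        "  $Binary is absent, so a SYSTEM service resolving taskkill.exe from this folder would load whatever is planted there."
    }
    # Remediation: drop the weak ACE (e.g. icacls "$Folder" /remove:g "Authenticated Users")
    # and/or have the service call taskkill.exe by its full %SystemRoot%\System32 path.
} else {
    "OK: none of [$($WeakPrincipals -join ', ')] can write to $Folder"
}
```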
Rapid7 acknowledged the report and appreciated it.
Logic bugs are fun.
Happy hunting.
You can look here if you're interested in hunting logical bugs:
https://github.com/sailay1996/awesome_windows_logical_bugs
We will be getting a reverse TCP connection from the victim machine by using a small backdoor using metasploit on windows.