Sunday, March 8, 2020

Local Privilege Escalation in Metasploit Framework Application (Windows)

Version: Metasploit Framework - Rapid7 (Windows) 4.17.0
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Metasploit Framework - Rapid7 (Windows) Local Privilege Escalation through CWE-426 (Untrusted Search Path)

When Metasploit Framework is installed on Windows, the installation creates 4 services.
The Metasploit Windows services run automatically by default (they start and stop with a reboot).

Services are running automatically.

Then I checked the processes of those 4 services in Procmon. One of the 4 services, metasploitProSvc, calls/loads taskkill.exe with SYSTEM access from a folder where the file doesn't exist, when the service is stopped (or the PC is rebooted).

Then I checked the permissions of the folder from which the non-existent taskkill.exe is loaded.

So authenticated users can access that folder. That means any user (user/guest or admin) who can use Metasploit Framework on the Windows PC can exploit this bug.

Then I created the payload file as taskkill.exe in the folder "C:\metasploit\postgresql\bin".

The payload has been executed. B00M !!! We g0t a SYSTEM shell.
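The post found the missing taskkill.exe probe by reading Procmon by hand. The following script, added here as an example and not part of the original post, does the same triage over a Procmon CSV export: it flags privileged processes (SYSTEM or service accounts) that try to open an .exe/.dll at a path where it does not exist, and lists the probed directories so an administrator can check their ACLs for unprivileged write access. It assumes the export includes the optional "User" column; the sample rows are constructed, not a real capture.

```python
"""Triage a Process Monitor CSV export for untrusted-search-path candidates.

Assumes the default Procmon export columns plus the "User" column.  The
sample rows below are constructed to mirror the post's observation: a SYSTEM
service probing taskkill.exe in a non-system directory before finding it in
System32.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export (not a real capture).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.100","metasploitProSvc.exe","1234","CreateFile","C:\\metasploit\\postgresql\\bin\\taskkill.exe","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\\SYSTEM"
"10:01:02.101","metasploitProSvc.exe","1234","CreateFile","C:\\Windows\\System32\\taskkill.exe","SUCCESS","Desired Access: Read Attributes","NT AUTHORITY\\SYSTEM"
"10:01:03.000","notepad.exe","2222","CreateFile","C:\\Users\\bob\\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes","DESKTOP\\bob"
"10:01:04.000","svchost.exe","500","CreateFile","C:\\Windows\\System32\\config\\SAM","SUCCESS","Desired Access: Read","NT AUTHORITY\\SYSTEM"
"""

# Accounts whose failed probes matter: a writable directory here is a
# privilege-escalation path, not just a user-level hijack.
PRIVILEGED_USERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
EXECUTABLE_EXTS = (".exe", ".dll")


def find_search_path_candidates(csv_text):
    """Return {(process, basename): [directories probed but missing]} for
    privileged processes that looked for an executable where it does not
    exist.  Each listed directory is one to audit for write access by
    unprivileged users (the post's "folder permission" check)."""
    missing = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["User"] not in PRIVILEGED_USERS:
            continue
        path = row["Path"]
        if not path.lower().endswith(EXECUTABLE_EXTS):
            continue
        directory, _, basename = path.rpartition("\\")
        if row["Result"] == "NAME NOT FOUND":
            missing[(row["Process Name"], basename.lower())].append(directory)
    return dict(missing)


if __name__ == "__main__":
    for (proc, name), dirs in find_search_path_candidates(SAMPLE_CSV).items():
        print(f"{proc} probed for {name} in: {', '.join(dirs)}")
```

On the constructed sample only the metasploitProSvc.exe probe of C:\metasploit\postgresql\bin is reported; the notepad.exe miss is ignored because it runs as an ordinary user, and the System32 hit is a SUCCESS.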

They acknowledged and appreciated it.

Logic bugs are fun.
Happy hunting.

You can look here if you're interested in hunting logic bugs:
https://github.com/sailay1996/awesome_windows_logical_bugs

4 comments:

  1. We will be getting a reverse TCP connection from the victim machine by using a small backdoor using metasploit on windows.
