Thursday, July 23, 2020

Thursday, May 21, 2020

What is a *.local file in Windows?

The LOCAL file type is primarily associated with DLL Redirection by Microsoft Corporation. 'DLL Hell' is a term known all too well among Microsoft Windows developers. 'DLL Hell' causes grief and despair when two separate and essentially incompatible versions of a DLL file with the same name are installed, one overwriting the other. This can cause the first program, whose DLL got overwritten, to stop functioning. Enter .local, which redirects where Windows searches for a specific DLL. If a file named application.exe.local exists, Windows first looks in that application's directory for the DLL file. If .local is a directory, Windows searches in that directory instead of the application directory.

Ref: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection

Coming soon: what can we do with *.local for Windows exploitation?

What is NTDLL.DLL?

Short description:
A system-wide DLL implementing the Windows native API. This is the lowest layer of code that still runs in user mode. Its most important role is to make the transition to kernel mode for system-call invocation. NTDLL also implements the Heap Manager, the Image Loader and part of the user-mode thread pool. The native API is mostly undocumented.

Win32 API: http://undocumented.ntinternals.net/

Sunday, March 8, 2020

Local Privilege Escalation in Metasploit Framework Application (Windows)

Version: Metasploit Framework - Rapid7 (Windows) 4.17.0
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Metasploit Framework - Rapid7 (Windows) Local Privilege Escalation through CWE-426 (Untrusted Search Path)

When Metasploit Framework is installed on Windows, the installation creates 4 services.
The Metasploit Windows services run automatically by default (they start and stop with a reboot).

[Screenshot: the services are set to start automatically]






Then I checked the processes of those 4 services in Procmon. One of them, metasploitProSvc, tries to run taskkill.exe from a folder where the file does not exist, with SYSTEM privileges, when the service is stopped (or the PC is rebooted).








Then I checked the permissions of the folder where the missing taskkill.exe is looked up.



So authenticated users can access that folder. That means every user (standard user, guest or admin) who can use Metasploit Framework on a Windows PC can exploit this bug.

Then I created a payload file named taskkill.exe in the folder "C:\metasploit\postgresql\bin".





The payload was executed. B00M !!! We g0t a SYSTEM shell.

The vendor acknowledged and appreciated the report.



Logic bugs are fun.
Happy hunting.

You can look here if you're interested in hunting logic bugs:
https://github.com/sailay1996/awesome_windows_logical_bugs
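As an added, defender-side example (not the blog's code), this PowerShell script audits the precondition of the Metasploit bug above and the .local DLL redirection described earlier: it lists service binary folders that low-privileged principals can write to, and any <exe>.local redirection artifacts in them. It assumes Windows PowerShell with Get-Acl and Get-CimInstance; the folder list, the principal names and the -ExtraFolders parameter are my choices, not the post's.

```powershell
# Added example (not the blog's code): audit the folders a Windows service may
# load binaries from for write access by low-privileged principals, the
# precondition of the untrusted-search-path bug above (CWE-426), and list
# <exe>.local files or folders, which redirect that executable's DLL search.
# Assumption: folders come from each service's ImagePath plus any you pass
# (e.g. the C:\metasploit\postgresql\bin folder from the post). Read-only.
param(
    [string[]] $ExtraFolders = @()
)

# Principals every interactive, non-admin user belongs to
$weakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a user plant, replace or re-ACL files in the folder
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteDac, WriteOwner'

function Get-ServiceBinaryFolder {
    param([string] $PathName)
    # ImagePath may be quoted and may carry arguments; keep the executable only
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = $PathName }
    return Split-Path -Parent $exe
}

function Test-WeakFolderAcl {
    param([string] $Folder)
    $acl = Get-Acl -LiteralPath $Folder -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $findings = @()
    foreach ($ace in $acl.Access) {
        $weak = $weakPrincipals -contains $ace.IdentityReference.Value
        $canWrite = ([int] $ace.FileSystemRights -band [int] $writeRights) -ne 0
        if ($weak -and $ace.AccessControlType -eq 'Allow' -and $canWrite) {
            $findings += "$Folder : $($ace.IdentityReference) allowed $($ace.FileSystemRights)"
        }
    }
    return $findings
}

$folders = Get-CimInstance Win32_Service | Where-Object { $_.PathName } |
    ForEach-Object { Get-ServiceBinaryFolder $_.PathName }
$folders = @($folders) + $ExtraFolders |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

foreach ($f in $folders) {
    Test-WeakFolderAcl $f
    # <name>.exe.local next to the binary makes the loader search there first
    Get-ChildItem -LiteralPath $f -Filter '*.local' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "$f : DLL redirection artifact $($_.Name)" }
}
```

Any folder reported here should have its DACL tightened so that only administrators and the service account can create or replace files in it; principal names are the English ones and differ on localized Windows.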

Friday, February 21, 2020

Local Privilege Escalation In EA's Origin Client

Product name: Origin Client (OriginThinSetup)
Product version: 10.5.63.37653
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Origin Client Service DACL Overwrite Elevation of Privilege


Description:

When the Origin client application is installed, it creates 2 services, "Origin Client Service" and "Origin Web Helper Service", running with different privileges: "NT AUTHORITY\SYSTEM" and "NT AUTHORITY\Local Service" respectively. Both services can also be started by everyone.


[Screenshot: services access control]
Then I checked the processes of those 2 services in Process Monitor (Procmon) and found something interesting: "Origin Web Helper Service" creates the file "C:\ProgramData\Origin\local.xml" if it does not yet exist in the folder "C:\ProgramData\Origin\", a folder that Everyone can control (Everyone:(F)). Then "Origin Client Service" sets the permissions (SetSecurityFile, DACL) on "C:\ProgramData\Origin\local.xml".

[Screenshot: Procmon showing local.xml being created]

[Screenshot: Procmon showing SetSecurityFile (DACL) on local.xml]

So low-privileged users can use these services to set permissions (DACL) on high-privileged files by creating a symbolic link. I used symboliclink-testing-tools, written by James Forshaw (@tiraniddo) from Project Zero, to create the link.

I created a hardlink at "C:\ProgramData\Origin\local.xml" pointing to the file "C:\windows\win.ini", which low-privileged users have no write access to. Then I restarted the service.

[Screenshot: permissions (DACL) set on the privileged file]
B00M !!! I have full control over the privileged file "C:\windows\win.ini".

To get a SYSTEM shell with this bug, we can use "from-arbitrary-file-overwrite-to-system" by @decoder_it. I simplified it.
FileWrite weapon: https://github.com/sailay1996/FileWrite2system

To exploit this bug:
Create a hardlink to the file "C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64\PrintConfig.dll"; then you get full control over that PrintConfig.dll. After you have full control, run the PowerShell script and you get a SYSTEM shell.

[Screenshot: nt authority\system]

B00m !!!! You g0t SYSTEM shell.

And I wrote a full PoC for this bug:
https://github.com/sailay1996/origin_client_LPE

[Screenshot: SYSTEM shell]

pwnedddd !!!! xD

Thanks for reading
@404death





Monday, February 17, 2020

Local Privilege Escalation In Techsmith's Snagit

Product name: Snagit 2020
Product version: 20.1.0.4965
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Snagit Local Privilege Escalation through repairing msi installer package


Description:

After TechSmith's Snagit application is installed on Windows, an .msi file is added to the "C:\Windows\Installer" directory (hidden by default). Some of the .msi files in there auto-elevate when you run them; they do not prompt, even for non-admins, as discovered by @sandboxescaper. The TechSmith installer package also does not need to be run by an admin. So even standard users can run the installer file, which performs file operations at higher privilege with no prompt required.

About the bug:
After Snagit is installed on Windows, an .msi file with a random name is added to the "C:\Windows\Installer" directory. You can find TechSmith's installer package file in "C:\Windows\Installer" using Explorer.

Then I repaired that .msi file with "C:\windows\installer> msiexec /fa 169a4170.msi" from a low-privilege (non-admin) account and watched Process Monitor (Procmon) to check what the repair of the TechSmith installer package does.

[Screenshot: low-privilege account (non-admin)]

[Screenshot: repairing TechSmith's installer package, then checking Process Monitor]



And I found something interesting: msiexec writes files into the folder "C:\ProgramData\TechSmith\Snagit 20\" and calls SetSecurityFile on RegInfo.ini and PrinterPortFile with high-privilege SYSTEM access, while that folder can be controlled by Everyone.

[Screenshot: Everyone:(F) full control on the folder]

Then I used symboliclink-testing-tools, written by James Forshaw (@tiraniddo) from Project Zero, to create a symbolic link.

I created a hardlink to the file "C:\windows\win.ini", which low-privilege users have no write access to, and repaired the installer package again by running "msiexec /fa 169a4170.msi".

[Screenshot: access to win.ini is denied for the low-privilege account]
Then I created a hardlink to that win.ini and repaired the package.

[Screenshot: hardlink created and msi repaired]
After the repair finished, the file "C:\windows\win.ini" could be controlled by Everyone.

[Screenshot: C:\windows\win.ini now shows Everyone:(F)]
B00M !!! xD I have full control over that file.

To get a SYSTEM shell with that bug, we can use "from-arbitrary-file-overwrite-to-system" by @decoder_it.
I simplified it.
FileWrite weapon: https://github.com/sailay1996/FileWrite2system

To exploit this bug:
Create a hardlink to the file "C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64\PrintConfig.dll"; then you get full control over that PrintConfig.dll. After you have full control, run the PowerShell script and you get a SYSTEM shell.

[Screenshot: nt authority\system]

B00m !!!! You g0t SYSTEM shell.

Thanks for reading.
@404death


One-click PoC coming soon for this bug:
https://github.com/sailay1996







Local Privilege Escalation In Techsmith's Camtasia

Product name: Camtasia 2019
Product version: 19.0.9.17643
Operating System tested on: Windows 10 1909 (x64)
Vulnerability: Camtasia Local Privilege Escalation through repairing msi installer package

Description:

This bug is exactly the same as in the previous blog post, Snagit Privilege Escalation.
Vulnerable file: "C:\ProgramData\TechSmith\Camtasia Studio 19\RegInfo.ini"

[Screenshot: vulnerable file]
You can exploit it by creating a hardlink in the same way as in the previous Snagit Privilege Escalation.

B00M !!! 
Thanks for reading.
@404death
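As an added, defender-side example (not the author's PoC or any of the tools mentioned above), this PowerShell script detects the condition the Origin, Snagit and Camtasia bugs rely on: a file inside a world-writable data folder that is a hard link to a file elsewhere on the volume, so that a SYSTEM service which rewrites or re-ACLs the "local" file actually touches the other path. It assumes an elevated Windows PowerShell prompt on an NTFS volume and relies on fsutil hardlink list printing every name of a file without the drive letter; the -Root parameter and function names are mine.

```powershell
# Added example (not the blog's PoC): find files under a world-writable data
# folder that are hard links to a file elsewhere on the volume, the condition
# the Origin/Snagit/Camtasia bugs rely on (local.xml or RegInfo.ini linked to
# win.ini or PrintConfig.dll). A SYSTEM service that rewrites or re-ACLs such
# a file actually touches the linked target. Read-only check.
# Assumptions: elevated Windows PowerShell, NTFS volume, fsutil.exe available.
param(
    # Default scans all of ProgramData; pass a subfolder (e.g. Origin) for speed
    [string] $Root = $env:ProgramData
)

function Get-HardLinkNames {
    param([string] $File)
    # fsutil prints every name of the file as a path without the drive letter
    $drive = Split-Path -Qualifier $File
    $names = & fsutil.exe hardlink list $File 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    return @($names | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
             ForEach-Object { "$drive$_" })
}

function Find-ForeignHardLinks {
    param([string] $Folder)
    $prefix = (Resolve-Path -LiteralPath $Folder).Path.TrimEnd('\') + '\'
    $hits = @()
    $files = Get-ChildItem -LiteralPath $Folder -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        foreach ($name in Get-HardLinkNames $file.FullName) {
            # A second name outside the folder means the "local" file is shared
            # with a location the low-privileged user could not edit directly
            if (-not $name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $hits += [pscustomobject]@{ PlantedFile = $file.FullName; LinksTo = $name }
            }
        }
    }
    return $hits
}

Find-ForeignHardLinks $Root | Format-Table -AutoSize
```

A hit whose LinksTo path is under C:\Windows is exactly the win.ini or PrintConfig.dll situation shown above; the durable fix on the vendor side is to stop granting Everyone write access to the data folder and to have the service open such files without following links.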

Privileged arbitrary file read (CVE-2020-16938) with The Sleuth Kit

After I read a post on Twitter about @jonasLyk's CVE-2020-16938, I had an idea to do it without using the 7 zip file ma...