Microsoft Web Distributed Authoring and Versioning (WebDAV) handles input improperly, which leads to elevation of privilege to SYSTEM!
Let's start with the information about the lab environment and get our hands dirty.
| Operating System | System Name | User Logged In | IP Address |
|---|---|---|---|
| Kali Linux (attacker machine) | Kali | Root | 192.168.245.134 |
| Windows 7 (x64 architecture) | Win7 | lowuser (without administrative privileges) | 192.168.245.154 |
We will be demonstrating the working of the exploit in two scenarios: in the first we have graphical access to the victim machine; in the second we have only an initial foothold on the victim machine through a reverse shell.
Here we have managed to get graphical access to the victim machine, with the initial foothold as 'lowuser' (a normal user without administrative privileges). Download the exploit from the link. This exploit will spawn a new command prompt in the graphical session with SYSTEM privileges.
The exploit first tries to load the malicious Shellcode.dll into memory and then retrieves the address of the exported DLL function. After a series of calls through the memory addresses of shellcode.dll, it prints the output of the NtAllocateVirtualMemory() function.
Figure: Info of lowuser
As we are on the Windows 7 64-bit machine, we will head straight to the EoP.exe executable. On Windows 10, the exploit causes a Blue Screen of Death (BSOD). Open PowerShell or a command prompt and run the following:
Figure: Running EoP.exe
And BOOM! We have a new command prompt with SYSTEM privileges.
Figure: Spawned Command Prompt
The exploit works very smoothly and a new command prompt is spawned. However, while solving CTFs or performing a pentest there is only a small chance that we will have RDP access to the target machine. Things become tedious when we have a working exploit but it requires RDP access to complete.
In the next demonstration we show how we can leverage the vulnerability to run the same command window with SYSTEM privileges, without spawning a new shell that requires graphical access. The vulnerability has been assigned CVE-2016-0051 and was addressed by Microsoft in the Security Bulletin ( https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-016 ).
We have a reverse shell of the lowuser account on our attacker machine, Kali Linux. We will upload the exploit to the victim machine; it will trigger in the same way as explained above, but now in the same shell (*we do not need an interactive logon*).
Figure: Reverse shell of lowuser
The exploit can be downloaded from this link; it is packaged as the executable together with the malicious DLL. Once the exploit is uploaded to the victim machine, we just need to execute it.
Figure: Exploit is uploaded
The exploit starts the WebClient service on the victim machine, and as a result the WebDAV server gets started.
Figure: WebClient Service Started
The WebClient service runs with Local System privileges, and hence after running the exploit we have Local System privileges.
Running as NT AUTHORITY\SYSTEM in the same process.
Figure: Escalated to SYSTEM!! (same shell)
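As an added, defender-side example (not code from the original post or the exploit author), the following PowerShell reports whether a Windows host still exposes the trigger path this write-up relies on: whether the WebClient service is present and startable, whether the MS16-016 update is installed, and whether the service has recently entered the running state. The KB number is an assumption; verify it against the MS16-016 bulletin for your OS build.

```powershell
# Added example, not part of the original post: a defender-side check for the
# conditions this write-up depends on. Run from an elevated PowerShell prompt.
# $Ms16016Kb is an ASSUMPTION: confirm the package id against the MS16-016
# bulletin for your OS build before relying on it.
$Ms16016Kb = 'KB3124280'

function Get-WebClientExposure {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $fix = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq $Ms16016Kb }

    New-Object PSObject -Property @{
        ServicePresent = [bool]$svc
        ServiceStatus  = $(if ($svc) { [string]$svc.Status } else { 'Missing' })
        StartMode      = $(if ($wmi) { $wmi.StartMode } else { 'n/a' })
        RunsAs         = $(if ($wmi) { $wmi.StartName } else { 'n/a' })   # expect LocalSystem
        Ms16016Applied = [bool]$fix
    }
}

# Service Control Manager logs event 7036 whenever a service changes state, so
# WebClient entering the running state outside normal use is worth reviewing.
function Get-WebClientStartEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*WebClient service entered the running state*' } |
    Select-Object TimeCreated, Message
}

$report = Get-WebClientExposure
$report | Format-List

if (-not $report.Ms16016Applied) {
    Write-Warning "$Ms16016Kb not found: install the MS16-016 update."
}
if ($report.StartMode -ne 'Disabled') {
    # Disabling the service removes the trigger path on hosts that do not need WebDAV.
    Write-Warning 'WebClient can be started; consider: Set-Service WebClient -StartupType Disabled'
}

Get-WebClientStartEvents | Format-Table -AutoSize
```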
We will be covering more privilege escalation techniques and focusing on points that are overlooked during pentesting. Till then, hacknpentest!!
Author: Yash Bharadwaj
Editor: Puneet Choudhary