Windows MultiPoint Server 2011 SP1 – RpcEptMapper and Dnschade Local Privilege Escalation

Author: Marcio Mendes
Date: 2021-11-12
Source: https://www.exploit-db.com/exploits/50517/
# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Compilation 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version
    
Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerable: Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache

Vulnerability Type: Privilege Escalation

Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1

Language OS: English
    
The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that
finds various misconfigurations that could allow a local attacker to
elevate their privileges. On a typical Windows 7 and Server 2008 R2
machine, the tool found that all local users have write permissions on
two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These didn't immediately seem exploitable, but Clément did the legwork
and found that the Windows Performance Monitoring mechanism can be made
to read from these keys and eventually load a DLL supplied by the local
attacker. To almost everyone's surprise, it does so not as the local
user but as Local System.

In short, a local non-admin user on the computer just creates a
Performance subkey under one of the above keys, populates it with a few
values, and triggers performance monitoring, which leads to a
WmiPrvSE.exe process running as Local System loading the attacker's DLL
and executing code from it.
    
About the article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
I detected that another version of Windows is also vulnerable,
Windows MultiPoint 2011, which can affect customers who use the
extended license.

I can't say whether there are any other vulnerable unpublished versions
besides the ones I've posted here.
    
How to Reproduce the Exploitation

Compile the Perfusion exploit in Visual Studio 2019: open the project,
select the Release x64 configuration and build.

The Microsoft Visual C++ Redistributable must be installed on Windows
MultiPoint 2011 for the exploit to run.

The exploit adds a Performance subkey under one of

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

with the following values:

Library = name of your performance DLL

Open = name of the Open function in your DLL

Collect = name of the Collect function in your DLL

Close = name of the Close function in your DLL

The exploit then writes the payload DLL (DLL hijacking) and has it loaded with SYSTEM permissions through WMI.
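The two conditions the advisory relies on, a service key writable by ordinary users and a Performance subkey pointing at an arbitrary DLL, are both visible from the registry, so an administrator can audit a host for them without touching the exploit. The script below is an added example written for this page; it is not code from the advisory, from PrivescCheck or from Perfusion. It assumes PowerShell 5.1 or later running as a local administrator, and it treats any Performance subkey under Dnscache or RpcEptMapper as a finding, on the assumption (consistent with the advisory, which says the attacker creates it) that neither service ships one by default.

```powershell
# Added example, not part of the advisory or of the Perfusion/PrivescCheck projects.
# Audits the two service keys named in the advisory from the defender's side:
#   1. Does a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE)
#      hold rights that allow creating subkeys or setting values?
#   2. Is a Performance subkey present, and which Library/Open/Collect/Close values
#      does it carry?
# Assumptions: PowerShell 5.1+, run elevated; neither key has a Performance subkey
# by default, so its presence is reported as a finding.

$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# Principals every local non-admin user belongs to (names as Get-Acl reports them).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that suffice to plant the Performance subkey or to rewrite the key's ACL.
# FullControl is deliberately left out of the mask: it also contains the read bits,
# so a read-only ACE would match. A FullControl ACE still matches through SetValue.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Get-BroadWriteAce {
    # Returns one object per Allow ACE that grants a broad principal write-class rights.
    param([Parameter(Mandatory)][string]$KeyPath)

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        if (([int]$ace.RegistryRights -band [int]$WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Identity  = $who
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited   # inherited ACEs must be fixed on the parent
        }
    }
}

function Get-PerformanceSubkey {
    # Reports the Performance subkey (if any) and the four values Perflib reads from it.
    param([Parameter(Mandatory)][string]$KeyPath)

    $perfPath = Join-Path -Path $KeyPath -ChildPath 'Performance'
    if (-not (Test-Path -Path $perfPath)) { return $null }

    $props = Get-ItemProperty -Path $perfPath
    [pscustomobject]@{
        Key     = $perfPath
        Library = $props.Library   # the DLL Perflib would load into the SYSTEM process
        Open    = $props.Open
        Collect = $props.Collect
        Close   = $props.Close
    }
}

function Invoke-PerflibKeyAudit {
    # Runs both checks over every service key and returns the findings as an array.
    $findings = @()
    foreach ($key in $ServiceKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # service absent on this build
        $findings += @(Get-BroadWriteAce -KeyPath $key)
        $perf = Get-PerformanceSubkey -KeyPath $key
        if ($null -ne $perf) { $findings += $perf }
    }
    return $findings
}

$results = Invoke-PerflibKeyAudit
if ($results.Count -eq 0) {
    Write-Output 'No broad write ACE and no Performance subkey found on the audited keys.'
} else {
    $results | Format-List
}
```

An ACE finding is the misconfiguration itself: a non-inherited entry can be removed from the key's ACL with Set-Acl, while an inherited one has to be corrected on the parent key. A Performance subkey finding under either of these two services is the post-exploitation artifact the advisory describes (the Library value names the DLL that WmiPrvSE.exe would load as Local System) and should be handled as an incident indicator rather than simply deleted.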
    
Tools and Exploit:
https://github.com/itm4n/PrivescCheck

Exploit:
https://github.com/itm4n/Perfusion