Windows Escalate Task Scheduler XML Privilege Escalation
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.
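The design flaw the description points at is that CRC32 is a keyless error-detecting code, not an integrity mechanism: anyone who can write the file can also produce a tag the verifier accepts, and even where the stored tag is out of the writer's reach a 32-bit non-cryptographic checksum does not rule out a second file with the same value. The following is an added illustration, not code from the module or from the Metasploit project; the task XML, the "service key" and the function names are constructed for the example. It contrasts a CRC32 check with a keyed HMAC over the same modified file. It does not reproduce the collision step the module relies on.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a scheduled-task definition; not a real Task Scheduler XML file.
ORIGINAL_TASK = b"<Task><Principal>user</Principal><Exec>C:\\Tools\\backup.exe</Exec></Task>"
# Constructed: the file's author changes the command the task will run.
MODIFIED_TASK = b"<Task><Principal>user</Principal><Exec>C:\\Tools\\other.exe</Exec></Task>"
# Hypothetical secret held only by the scheduler service, never readable by the task's author.
SERVICE_KEY = b"constructed-service-only-secret"


def crc32_tag(data: bytes) -> int:
    """Keyless tag of the kind the vulnerable Task Scheduler used."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data: bytes, key: bytes) -> bytes:
    """Keyed tag: cannot be recomputed by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_crc32(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def verify_hmac(data: bytes, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_tag(data, key), tag)


def original_accepted() -> tuple:
    """Sanity check: an unmodified file passes both kinds of verification."""
    crc_ok = verify_crc32(ORIGINAL_TASK, crc32_tag(ORIGINAL_TASK))
    mac_ok = verify_hmac(ORIGINAL_TASK, hmac_tag(ORIGINAL_TASK, SERVICE_KEY), SERVICE_KEY)
    return crc_ok, mac_ok


def tampered_file_accepted_with_crc32() -> bool:
    """Model a writer who can replace the file and the keyless tag stored with it.

    There is no secret to lack, so recomputing the CRC32 of the modified file
    yields a tag the verifier accepts.
    """
    return verify_crc32(MODIFIED_TASK, crc32_tag(MODIFIED_TASK))


def tampered_file_accepted_with_hmac() -> bool:
    """Same writer against a keyed check.

    Without SERVICE_KEY the best available tag is the one the service computed
    for the original file, and it no longer matches the modified content.
    """
    stored_tag = hmac_tag(ORIGINAL_TASK, SERVICE_KEY)
    return verify_hmac(MODIFIED_TASK, stored_tag, SERVICE_KEY)


if __name__ == "__main__":
    print("original accepted (crc32, hmac):", original_accepted())
    print("modified accepted with crc32:", tampered_file_accepted_with_crc32())
    print("modified accepted with hmac:", tampered_file_accepted_with_hmac())
```

The mitigation this models is the one Microsoft's fix moved toward: integrity of a file a low-privileged principal can write must rest on a secret or a signature that principal cannot use, not on a checksum derived from the file alone.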
Rank
- Normal
Authors
- jduck <jduck [at] metasploit.com>
Vulnerability References
Development
Similar Modules
- post/windows/escalate/bypassuac
- post/windows/escalate/droplnk
- post/windows/escalate/getsystem
- post/windows/escalate/ms10_073_kbdlayout
- post/windows/escalate/net_runtime_modify
- post/windows/escalate/screen_unlock
- post/windows/escalate/service_permissions
Usage Information
$ msfconsole
msf > use post/windows/escalate/ms10_092_schelevator
msf post(ms10_092_schelevator) > set SESSION [INTEGER]
Module Options
| Option | Description |
| --- | --- |
| CMD | Command to execute instead of a payload |
| RHOST | Host |
| RPORT | Port (default: 4444) |
| SESSION | The session to run this module on |
| TASKNAME | A name for the created task (default: random) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
