Windows Local Privilege Escalation Module

[OneLogicalMyth]

This is the Windows priv esc by SandboxEscaper I have converted it as best as I can to PowerShell and it now priv escs in empire giving you a SYSTEM shell back.
Things I want to tidy up on it are;

1. Find a way to remove the need for my custom C++ XPS print job trigger .exe and replace with native code, I struggled for days to get anything to call to the XPS print api
2. I manually patched the DLL file to use C:\Windows\Tasks\Update.bat which will be loaded with an empire stager, its horrible I don't like it and perhaps more time is needed to find a functional DLL that can have the bytes replaced correctly on it
3. The PowerShell process executing the exploit places a handle on the DLL thus you can't trigger an XPS print job until that process is closed. So you have to for now interact with the agent and trigger the executable manually, code to do this is displayed as output on the agent interaction menu.

The source code for the TriggerXPSPrint.exe can be found at my repo here;
https://github.com/OneLogicalMyth/zeroday-powershell

Not my finest work, but it works. It gives the user a console popup for the TriggerXPSPrint.exe if you have an interactive low priv. It can be easily fingerprinted, but maybe that isn't such a bad thing until MS patch it. Feel free to improve it. 🙂 (edited)

[Kruxinator]

I will get an exception if I use this module thus no job is started.

(Empire: ***) > usemodule privesc/ms18-999
(Empire: powershell/privesc/ms18-999) > set [...]
(Empire: powershell/privesc/ms18-999) > run
[>] Module is not opsec safe, run? [y/N] y
[!] Exception: Module instance has no attribute 'sessionID'

[OneLogicalMyth]

Hi there,

I wasn't able to replicate this issue the agent name is used to grab the session ID so it should work. Here is where the session ID is set;
https://github.com/OneLogicalMyth/Empire/blob/2216484bc94eaa8a1a9511788549418ab1425a72/lib/modules/powershell/privesc/ms18-999.py#L186

Is the agent name valid?
Try spawning a new agent and see if that helps.

[OneLogicalMyth]

When I tested this it worked, but I have noticed an error on lines;

• 202
• 206
• 211

Can you replace self.sessionID with sessionID and try again?

[Kruxinator]

replacing self.sessionID with sessionID did the job.

Thank you very much.

//(Empire: powershell/privesc/ms18-999) > [*] Agent ZL6XTVD2 returned results. Exploit Successful, you just need to trigger the XPS print job. shell $a=Start-Process C:\Windows\Tasks\TriggerXPSPrint.exe -PassThru;sleep 5;Stop-Process -Id $a.Id -Force [*] Valid results returned by 192.168.0.200
Still normal user

[ThePirateWhoSmellsOfSunflowers]

Same error as @Kruxinator, but your workaround is ok 👍
A little bit unrelated but on my W10 lab machine, i can't test the full chain because the .bat is flagged by Defender.

[OneLogicalMyth]

Mine didn't get detected by defender, I left safe checks as False by default which normally triggers the detection on Windows 10. Did you enable safe checks?

Glad replacing the string worked for you both, I will update the files.

[ThePirateWhoSmellsOfSunflowers]

Indeed, with Safecheck False, it's ok...well almost because now, I figure out that my VM seems to be patched against the exploit.
Maybe you can add a check for patched target ?

EDIT : Just try on my unpatched lab, works like a charm, nice work. If I have some time, I'll looking for a solution to use native code instead of your .exe

🌻

[Clemenzah]

Just tried it out.. keep getting this error:

Exploit Failed, most likely SYSTEM has insufficent permissions on 'C:\windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_995df3a27d527cea\Amd64\PrintConfig.dll'. Exploit Failed, most likely SYSTEM has insufficent permissions on 'C:\windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_995df3a27d527cea\Amd64\PrintConfig.dll'.

I've tried it with SafeChecks True and False, no difference.

[Kruxinator]

Try killing spoolsv.exe

[ThePirateWhoSmellsOfSunflowers]

@Clemenzah are you sure your system is vulnerable ?