OP 27 November, 2020 - 12:12 AM
he posted his shit link so when I read his write-up it seemed bypassable to me (if you're reading this it4mn fuck ur papa anus but good job lad u admire ma cum).

Let's get into the bug. On a default configuration there's a file in c:\windows\temp\mpcmdrun.log; this file is used for logging the events that happen in the mpcmdrun.log process, which runs in the context of the local system (the highest privileges that exist on Windows). As it4mn said, the log file should reach 16,777,216 bytes (16MB) in order to trigger the bug. Let's think on Process Monitor, you can download it here dogs

okay let's try to fuck the bug up and see what shit we can get from it:

Let's see what happens on procmon.

As you can see the patch seems to be working as it's supposed to: you can see MpCmdRun.exe handling the junction with GENERIC_ALL access and then it executes the control codes FSCTL_GET_REPARSE_POINT and FSCTL_DELETE_REPARSE_POINT, and both result in success. The get reparse point control simply checks if the directory is a reparse point, but the delete reparse point control code will attempt to convert the junction mpcmdrun.log.bak to a directory and then proceeds to delete it. Seems to be patched correctly! But there's still something wrong with the patch: what if we created a junction inside mpcmdrun.log.bak? ex: mpcmdrun.log.bak\test, let's check it out:

It worked, we now have an arbitrary file deletion issue in Windows Defender.

Okay let's do some more damage like hella shit cum, let's go for a system shell oof i like shell part

NOTE: this method will work on windows 10 only, don't try on ur homo win7 and moan like peter cunt parter

Let's see what privileges are given to MpCmdRun.exe: we can inspect them in Process Explorer.

It seems like mpcmdrun is a child process of MsMpEng.exe, which is actually the AV.

Let's check the AV: it ran in the context of NT AUTHORITY\SYSTEM, but what about other privileges in the token?

SeRestorePrivilege seems to be enabled; this happens because of the inherited token of MsMpEng.exe. This seems to be destructive: this privilege will allow its owner to delete any file even if it isn't allowed to do so by the ACL.

In this case we will have the ability to hijack a service; we will target the Windows Media Player Network Service, which is by default located at C:\Program Files\Windows Media Player\wmpnetwk.exe. This file is protected by NT SERVICE\TRUSTEDINSTALLER; this mitigation protects such folders from being deleted by a privileged process (such as administrators or SYSTEM), and here's the role of having SeRestorePrivilege enabled: this will allow us to bypass this mitigation so we can clean the entire directory C:\Program Files\Windows Media Player. However, the Windows Media Player Network Service is an on-demand service in Windows 10 and its ACL allows the INTERACTIVE group to start it; we can inspect such service details in Process Hacker.

Those are some good info, so if we have the ability to recreate the C:\Program Files\Windows Media Player directory we can hijack the service with a malicious one. Luckily, and a big thanks to jonasLyk for providing a technique that allows arbitrary directory creation from an arbitrary file deletion, you can see the article here

The technique is simple: if we delete the entire C:\ProgramData\Microsoft\Windows\WER directory, the Windows Error Reporting tool will recreate it for us and then create C:\ProgramData\Microsoft\Windows\WER\Temp, allowing Authenticated Users to have write & delete access on both the WER and Temp directories, which will allow a user to abuse the Temp folder creation by creating a reparse point from C:\ProgramData\Microsoft\Windows\WER to \RPC CONTROL\ and then creating a symlink from \RPC CONTROL\Temp -> C:\Program Files\Windows Media Player. So as soon as we rerun the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, the C:\Program Files\Windows Media Player folder will be created with new rights allowing authenticated users to write to it, so we can write a payload and then start the service. The only problem we will have is the gained privileges.

As you can see here we aren't running as NT AUTHORITY\SYSTEM; instead the service is run as NT AUTHORITY\Network Service. This service account doesn't have full control over the system, which is an issue we can easily address. Thanks again to it4mn for his awesome shit cunt security patch and bypassable papa but he is a good gay at least not super lq good shit

itm4n.github.io he has some super cool stuff like github.com/klinix5/WinDefend_ZeroDay and https://itm4n.github.io/printspoofer-abu...rivileges/

- exploiting the issue will take up to 35min according to clement; we need to fill mpcmdrun.log with 16.5mb of data in order to trigger the issue.
don't forget 16.5mb dummies and ty for hella time that u gave me to rape ur brain with ma dog style words and gtfoh
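A defender-side audit of the conditions the post above relies on, added here as an example that is not part of the original post: it reports whether the named paths are reparse points, whether broad groups hold write or delete rights on them (the post states WER recreates its folders with Authenticated Users write & delete access), and how large mpcmdrun.log currently is. The paths are the ones named in the post; the list of broad principals in $broad is an assumption of this example.

```powershell
# Added example (not the original post's code): audit for the preconditions
# of the arbitrary-delete chain described above.
$checks = @(
    'C:\Windows\Temp\mpcmdrun.log.bak',
    'C:\ProgramData\Microsoft\Windows\WER',
    'C:\ProgramData\Microsoft\Windows\WER\Temp',
    'C:\Program Files\Windows Media Player'
)
# Principals considered too broad to hold write/delete on these paths (assumption).
$broad = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

function Test-ReparsePoint([string]$Path) {
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    return (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
}

function Get-WeakWriteAces([string]$Path) {
    # Allow ACEs granting write/modify/delete rights to a broad principal.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    return @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|Delete')
    })
}

foreach ($p in $checks) {
    $rp = Test-ReparsePoint $p
    if ($null -eq $rp) { Write-Output "$p : not present"; continue }
    Write-Output "$p : reparse point = $rp"
    # A junction nested inside mpcmdrun.log.bak is the case the post abuses,
    # so also inspect one level of child directories.
    Get-ChildItem -LiteralPath $p -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object { Write-Output "  NESTED reparse point: $($_.FullName)" }
    foreach ($ace in Get-WeakWriteAces $p) {
        Write-Output "  WEAK ACE: $($ace.IdentityReference) -> $($ace.FileSystemRights)"
    }
}

# The post states the bug triggers once mpcmdrun.log reaches 16,777,216 bytes.
$log = Get-Item -LiteralPath 'C:\Windows\Temp\mpcmdrun.log' -ErrorAction SilentlyContinue
if ($log) { Write-Output ('mpcmdrun.log size: {0:N0} bytes' -f $log.Length) }

# Service the post targets, looked up by the display name it gives.
Get-Service -DisplayName 'Windows Media Player Network*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Run from an elevated prompt so Get-Acl can read all four paths; any nested reparse point under mpcmdrun.log.bak or a WEAK ACE on the Windows Media Player directory is worth investigating.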