
redteam-research's People

Contributors

antuache, apanonimo, borjamerino, kudaes, xassiz


redteam-research's Issues

impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError

Target DC: Windows Server 2012 R2 with no patches.
Local env: Kali Linux, Python 3.8.5

root@kali:/opt/redteam-research/CVE-2020-1472# python3 CVE-2020-1472.py WIN-CSMHCU65E3A Administrator 192.168.1.101
[!] CVE-2020-1472 PoC by BlackArrow (Tarlogic)

Performing authentication attempts...
===================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack. (attempt=499)

Traceback (most recent call last):
  File "CVE-2020-1472.py", line 153, in <module>
    passwordSet2(rpc_con, nbios_name, computer)
  File "CVE-2020-1472.py", line 134, in passwordSet2
    resp = dce.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 877, in request
    raise exception
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Storsvc dll hijacking Exception: 1753

Hello,

I've compiled the code for storsvc with only 1 change, which is Windows 10 to Windows 11 in storsvc_c.c. And when I ran the RpcClient.exe binary on a Windows 11 system, I encountered an error:

Exception: 1753 - 0x000006d9

When trying to look for more information on this error code, I found mostly issues around Windows Firewall service. However, Windows Firewall service is running on my box. So I'm just wondering if you encountered this issue before, and how you'd fix it.

Thanks!

Why is the command not executed on my Windows 10 version 10.0.19044.2604?

So I have this Windows 10 21H2 with the following precise version:

[screenshot]

I built both RpcClient.exe and SprintCSP.dll without changing anything, I kept the default command in the DLL as for the define macro. I have a writable SYSTEM path "C:\python" where I put the DLL, I monitored the execution of RpcClient.exe with ProcMon and I can see the loading of the DLL:

[screenshot]

It is loaded while I start RpcClient but the command is not executed (I tried different commands).

I noticed this error:

[screenshot]
I tried changing authorisations to full for everybody but it didn't do anything.

What is the problem? What did I do wrong?

Feel free to ask me for more information
(Obviously Windows Defender is asleep)

Edit: I tried with a Windows 10 21H1 version 10.0.19043.928 and I get the same result. I searched a bit through the Internet for "FILE LOCKED ONLY FOR READERS" and it may seem linked with the fact that the files (.dll and .exe) come from a shared folder (VMware shared folder between the victim VM and my host). I'll try to compile everything on the VM.

Second edit: I actually built everything on the target machine and it worked. But building everything on the machine you want to privesc is not really stealthy and accurate for red team. Do you know why I get the error in ProcMon when I compile files on my host machine and not on the target?

Hanshell

Hey,
everything works fine when I execute as a normal user
but it gives Error: 1314 when used as NT SYSTEM
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348

Not an issue, just a question

Hi. Do you have the string for Windows 2016?

static const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface = {
    sizeof(RPC_CLIENT_INTERFACE),
#if defined(WIN10)
    {{0xbe6293d3,0x2827,0x4dda,{0x80,0x57,0x85,0x88,0x24,0x01,0x24,0xc9}},{0,0}},
#endif
#if defined(WIN11)
    {{0xec029036,0x297f,0x4f3a,{0xa1,0x69,0x7a,0x2f,0xef,0xa5,0xcc,0x3e}},{0,0}},
#endif
#if defined(WIN2019)
    {{0xbe7f785e,0x0e3a,0x4ab7,{0x91,0xde,0x7e,0x46,0xe4,0x43,0xbe,0x29}},{0,0}},
#endif
#if defined(WIN2022)
    {{0xd8140e00,0x5c46,0x4ae6,{0x80,0xac,0x2f,0x9a,0x76,0xdf,0x22,0x4c}},{0,0}},
#endif
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    &DefaultIfName_ProxyInfo,
    0x02000000
};

LPE via StorSvc - RPC UUID For Windows Server 2012 R2 Datacenter

Hi there,

Hope you guys are doing great, and thank you for your efforts in demonstrating this exploit.

I am trying to run the exploit on Windows Server 2012 R2 Datacenter and I am facing the following exception [Exception: 1753 - 0x000006d9]. I do think it has something to do with the RPC UUID (macro) defined in [storsvc_c.c, lines 4 & 64].

It would help a lot if you guys could help in giving the right RPC UUID (macro) for Windows Server 2012 R2 Datacenter.

Thanks once again.

Hanshell cannot create process

The current user is "DefaultAppPool" and I can get other tokens, but I cannot get a response when I use other tokens to create a process with Hanshell
[screenshot]

[screenshot]
