Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
1.54k stars 205 forks source link

DCOM Error - 0x80070422 #6

Closed rpgmaster280 closed 2 years ago

rpgmaster280 commented 2 years ago

This is more for documentation reasons but if you run the tool from the DC you get the following DCOM error:

image

If you see this error, try running this tool on a domain joined computer that isn't the domain controller.

Dec0ne commented 2 years ago

It seems like this error is related to the service "ActiveX Installer (AxInstSV)" and not specifically to the fact that the tool is being ran on a DC (as I've seen this error on other devices other than a DC). Try and see if that service is is configured with Startup Type=Disabled on your machine, if so - change it to Manual and then try running the tool again (This requires admin privs but try it just for debugging purposes). I will be adding the option to specify a different CLSID that potentially will use a different service that can be utilized to achieve the desired results in cases where the "ActiveX Installer (AxInstSV)" is disabled... image

Shad0wC0ntr0ller commented 2 years ago

hello, I seemed to have fixed this issue after the comment above about replacing the clsid. I used CLSID for App Readiness which is "c980e4c2-c178-4572-935d-a8a429884806" and it works fine now, tested on 3 different machine that had this error

rpgmaster280 commented 2 years ago

I have a prod machine that did display this error. I'll test it and let you guys know the outcome. Should only need to change line 17 of Relay.cs, correct? This should probably be a parameter for the program in future releases.

Shad0wC0ntr0ller commented 2 years ago

I have a prod machine that did display this error. I'll test it and let you guys know the outcome. Should only need to change line 17 of Relay.cs, correct? This should probably be a parameter for the program in future releases.

yes that is correct. Thats what i did.

im currently trying to fully obfuscate it now since its flagged by at least 8 vendors on antiscan me, then port it to powershell however im running into an error for now. anyway that should be a temp fix for you until [Dec0ne] has time to update or provide a better solution

rpgmaster280 commented 2 years ago

I would imagine they will sig on this tool heavily, both now and in the future. You could just patch AMSI and reflection load it since it's a dotnet assembly. I'm still working on transferring the built PE file for testing.

Shad0wC0ntr0ller commented 2 years ago

I would imagine they will sig on this tool heavily, both now and in the future. You could just patch AMSI and reflection load it since it's a dotnet assembly.

im aware that once its ported to powershell i can just do an amsi bypass before calling the script, however ive attempted the methods from s3cur3thisshit by setting classes and main method public and replacing environment.exit with return. however when you run the program with reflection you get

[+] Init COM server CoInitializeSecurity Error: 0x80010119. Exploit will fail. [+] Looking for available ports.. [+] Port 10246 available [+] Register COM server [+] Forcing SYSTEM authentication System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) at KrbRelayUp.Relay.Ole32.CoGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsid, Object pUnkOuter, CLSCTX dwClsCtx, IStorage pstg, UInt32 cmq, MULTI_QI[] rgmqResults) at KrbRelayUp.Relay.Relay.Run()

rpgmaster280 commented 2 years ago

Okay, yeah Ill test it with reflection loading as well and let you know if the results on my side match what you're seeing.

rpgmaster280 commented 2 years ago

Alright, while this tool did not work in the environment I tested it in and cant give specifics, I will say that enabling the service @Dec0ne identified does prevent the DCOM exception and that the CLSID @imthatguypal identified is a valid workaround. I suspect it had nothing to do with the tool though, so it will probably work for default AD configs. I unfortunately was unable to test it with reflection due to time constraints.

Dec0ne commented 2 years ago

I added the flag --Clsid so you can now specify a different CLSID that works for that particular environment. Thanks for your help with this issue.