module

Microsoft Windows ALPC Task Scheduler Local Privilege Elevation

Try Surface Command
Back to search
Disclosed
08/27/2018
Created
03/19/2019

Description

On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented
by the task scheduler service can be used to write arbitrary DACLs to `.job` files located
in `c:\windows\tasks` because the scheduler does not use impersonation when checking this
location. Since users can create files in the `c:\windows\tasks` folder, a hardlink can be
created to a file the user has read access to. After creating a hardlink, the vulnerability
can be triggered to set the DACL on the linked file.

WARNING:
The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host
will be overwritten when the exploit runs.

This module has been tested against Windows 10 Pro x64.

Authors

SandboxEscaperbwatters-r7asoto-r7Jacob Robles

Platform

Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/windows/local/alpc_taskscheduler
    msf /(r) > show actions
        ...actions...
    msf /(r) > set ACTION < action-name >
    msf /(r) > show options
        ...show and set options...
    msf /(r) > run
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today