module
Windows Escalate Task Scheduler XML Privilege Escalation
| Disclosed | Created |
|---|---|
| 09/13/2010 | 05/30/2018 |
Disclosed
09/13/2010
Created
05/30/2018
Description
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, In a default
configuration, normal users can read and write the task files that they have
created. By modifying the task file and creating a CRC32 collision, an attacker
can execute arbitrary commands with SYSTEM privileges.
NOTE: Thanks to webDEViL for the information about disable/enable.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, In a default
configuration, normal users can read and write the task files that they have
created. By modifying the task file and creating a CRC32 collision, an attacker
can execute arbitrary commands with SYSTEM privileges.
NOTE: Thanks to webDEViL for the information about disable/enable.
Author
jduck
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/local/ms10_092_schelevator
msf /(r) > show actions
...actions...
msf /(r) > set ACTION < action-name >
msf /(r) > show options
...show and set options...
msf /(r) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.