
Commit 86a5fcd

forrest-orr authored and committed
Update README.md
1 parent d98fde1 commit 86a5fcd

File tree

1 file changed

+14
-4
lines changed


README.md

Lines changed: 14 additions & 4 deletions
@@ -49,6 +49,10 @@ versions of Windows, the full chain will only work on Windows 8.1.
4949
5050
Overview
5151
52+
While this exploit chain makes use of two (now patched) 0day exploits, it also
53+
contains a sandbox escape and EoP technique which are still as of 5/4/2021 not
54+
patched, and remain feasible for integration into future attacka chains today.
55+
5256
The Darkhotel APT group (believed to originate from South Korea) launched a
5357
campaign againt Chinese and Japanese business executives and government officials
5458
through a combination of spear phishing and hacking of luxury hotel networks in
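Review bot: the new paragraph at lines 52-54 has a typo, "attacka chains" should read "attack chains", and the date "5/4/2021" is ambiguous between 4 May and 5 April for non-US readers; spell the month out (e.g. "as of May 4, 2021") so the statement of what was still unpatched on that date cannot be misread. It would also help to say explicitly which of the two components, the sandbox escape or the EoP, is the one still lacking a fix, since the same sentence describes the two 0days as patched.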
@@ -62,7 +66,7 @@ RCE through the Internet Explorer and Firefox web browsers: CVE-2020-0674 in
6266
particular (a UAF in the legacy jscript.dll engine) is exploitable in any process
6367
in which legacy JS code can be executed via jscript.dll. In late 2017, Google
6468
Project Zero released a blog post entitled "aPAColypse now: Exploiting Windows 10
65-
in a Local Network with WPAD/PAC and JScript" https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
69+
in a Local Network with WPAD/PAC and JScript" [1].
6670
6771
This research brought to light a very interesting attack vector which (at the
6872
time) affected all versions of Windows from 7 onward: the WPAD service (or
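Review bot: moving the raw URL out of the sentence into a numbered citation at line 69 is the right call for readability; just make sure the "[1]" key stays in step with the Links list at the end of the file if more references are added later, and keep the closing quotation mark on the post title as it is here.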
@@ -97,9 +101,8 @@ LOCAL SERVICE to SYSTEM. However, Rotten Potato (which utilizes a port binding
97101
in conjunction with a coerced connection/NTLM authentication from the SYSTEM
98102
account to generate a security context it then impersonates) had recently had
99103
its most popular method to coerce network authentication from the SYSTEM account
100-
patched by Microsoft, and I settled on a more robust/modern technique recently
101-
publicized by itm4n instead:
102-
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
104+
patched by Microsoft, and I settled on a more robust/modern technique instead:
105+
named pipe impersonation of a coerced RPC connection from the Print Spooler [2]
103106
104107
This technique combined an old RPC interface popular among Red Teamers for TGT
105108
harvesting in environments with unconstrained delegation enabled (aka the
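Review bot: the rewritten sentence at lines 104-105 ends without terminating punctuation ("... from the Print Spooler [2]" has no period), and the edit drops itm4n's name from the body text where the old wording credited them inline. Since the linked post is the PrintSpoofer write-up, consider "and I settled on a more robust/modern technique instead, the PrintSpoofer approach published by itm4n: named pipe impersonation of a coerced RPC connection from the Print Spooler [2]."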
@@ -179,5 +182,12 @@ HackSys Team - for tips on the WPAD service and low level JS debugging.
179182
180183
itm4n - for the original research on combining the RPC printer bug with
181184
named pipe impersonation.
185+
186+
~
187+
188+
Links
189+
190+
[1] https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
191+
[2] https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
182192
183193
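Review bot: the Links section is set off with a bare "~" line at 186, which the rest of the README does not use as a separator (the "Overview" heading at line 50, for instance, stands alone); drop it or use the same heading convention as the other sections. The two entries correctly match the "[1]" and "[2]" markers introduced in the earlier hunks.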
