Security Research# Security Research for FUN
All focused on Microsoft Windows OS
## CVE-2019-0986
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0986
This is the PoC I've sent to Microsoft when I reported the above vulnerability
This PoC exploits "User Profile Service" (ProfSvc.dll).
It will delete all files within an arbitrary directory despite of the permissions set on that directory
(except files that are exclusively locked by SYSTEM processes).
Requisite for this:
1) attacker user cannot have a current active session (he has to be logged-off the system).
2) attacker user must have an existing HOME directory.
This is why we are going to delete NTUSER.DAT file (in the attacker HOME directory) in order to trigger the right condition for exploitation.
So, next step: you shoud log in with another arbitrary "user_2" and exec the exploit with user_1 (attacker) credentials.
You'll find a precompiled exe bin\x64\Debug directory
```
Usage :
NtDataPoc.exe USERNAME DOMAINNAME PASSWORD DIRECTORY_TO_DELETE
Example :
NtDataPoc.exe theuser win10-dev MySecretPwd c:\secureDirectory
```
IDE VS 2015/2017 | CSproj is available. Compile platform choiche is yours: suggested is x64
This has been tested on :
```
OS Name: Microsoft Windows 10 Enterprise N
OS Version: 10.0.17763 N/A Build 17763
```
```
OS Name: Microsoft Windows 8.1 Pro
OS Version: 6.3.9600 N/D build 9600
```
---
 [Buy me a beer if you like ;-)](https://www.buymeacoffee.com/padovah4ck)
[4.0K] /data/pocs/122c93864bdc0caeb11ac26cbefdea81f1a550f2
├── [4.0K] NtDataPoc
│ ├── [ 569] App.config
│ ├── [4.0K] bin
│ │ └── [4.0K] x64
│ │ └── [4.0K] Debug
│ │ ├── [ 28K] NtDataPoc.exe
│ │ ├── [ 569] NtDataPoc.exe.config
│ │ └── [ 40K] NtDataPoc.pdb
│ ├── [5.4K] HardLink.cs
│ ├── [ 20K] JunctionPoint.cs
│ ├── [9.8K] NativeWin32.cs
│ ├── [2.8K] NetworkConnection.cs
│ ├── [1.5K] NotepadHelper.cs
│ ├── [4.6K] NtDataPoc.csproj
│ ├── [ 396] NtDataPoc.csproj.user
│ ├── [2.1K] NtHardLink.cs
│ ├── [4.0K] obj
│ │ ├── [4.0K] Debug
│ │ │ ├── [2.9K] DesignTimeResolveAssemblyReferences.cache
│ │ │ ├── [6.7K] DesignTimeResolveAssemblyReferencesInput.cache
│ │ │ ├── [ 17K] DnsTest.csprojAssemblyReference.cache
│ │ │ ├── [ 42] DnsTest.csproj.CoreCompileInputs.cache
│ │ │ ├── [ 922] DnsTest.csproj.FileListAbsolute.txt
│ │ │ ├── [6.6K] DnsTest.csprojResolveAssemblyReference.cache
│ │ │ ├── [ 20K] DnsTest.exe
│ │ │ ├── [ 28K] DnsTest.pdb
│ │ │ ├── [ 86K] Interop.ADODB.dll
│ │ │ ├── [3.5K] Interop.APEDBSet.dll
│ │ │ ├── [ 24K] Interop.Bonjour.dll
│ │ │ ├── [ 48K] Interop.CDO.dll
│ │ │ ├── [4.0K] Interop.CertCOMLib.dll
│ │ │ ├── [ 15K] Interop.OWSSUPP.dll
│ │ │ ├── [3.5K] Interop.WEFDebug.dll
│ │ │ └── [ 72K] Interop.WUApiLib.dll
│ │ └── [4.0K] x64
│ │ └── [4.0K] Debug
│ │ ├── [ 672] DesignTimeResolveAssemblyReferences.cache
│ │ ├── [6.6K] DesignTimeResolveAssemblyReferencesInput.cache
│ │ ├── [ 18K] DnsTest.csprojAssemblyReference.cache
│ │ ├── [ 42] DnsTest.csproj.CoreCompileInputs.cache
│ │ ├── [ 452] DnsTest.csproj.FileListAbsolute.txt
│ │ ├── [ 20K] DnsTest.exe
│ │ ├── [ 32K] DnsTest.pdb
│ │ ├── [ 42] NtDataPoc.csproj.CoreCompileInputs.cache
│ │ ├── [ 394] NtDataPoc.csproj.FileListAbsolute.txt
│ │ ├── [ 28K] NtDataPoc.exe
│ │ └── [ 38K] NtDataPoc.pdb
│ ├── [ 11K] ProcExtension.cs
│ ├── [ 14K] Program.cs
│ └── [4.0K] Properties
│ └── [1.4K] AssemblyInfo.cs
└── [1.6K] README.md
9 directories, 43 files