# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Build 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version
Description
Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
Vulnerability Type: Privilege Escalation
Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Build 7601 Service Pack 1
OS Language: English
The Vulnerability
Clément wrote a very useful permissions-checking tool for Windows that
finds various misconfigurations that could allow a local attacker to
elevate their privileges. On a typical Windows 7 and Server 2008 R2
machine, the tool found that all local users have write permissions on
two registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
These didn't immediately seem exploitable, but Clément did the legwork
and found that the Windows Performance Monitoring mechanism can be made
to read from these keys and eventually load a DLL provided by the local
attacker. To most everyone's surprise, the DLL is loaded not as the
local user but as Local System.
In short, a local non-admin user on the computer creates a Performance
subkey under one of the above keys, populates it with a few values, and
triggers performance monitoring. This leads to a WmiPrvSE.exe process
running as Local System loading the attacker's DLL and executing code
from it.
About the article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
I detected that another version of Windows is also vulnerable, Windows
MultiPoint Server 2011, which can affect customers still covered by an
extended license.
I can't say whether there are other vulnerable, unpublished versions
besides the ones I've posted here.
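The following PowerShell script is an added check, not part of this advisory or of the PrivescCheck/Perfusion projects. It audits the two service keys named above for the misconfiguration that makes the technique possible (a low-privileged principal holding CreateSubKey/SetValue/WriteKey/FullControl on the key) and reports any Performance subkey already present, which on these two keys is not expected by default and is the artefact an exploitation attempt leaves behind. The list of low-privilege principal names is an assumption for an English-language install; on other locales the names differ.

```powershell
# Added check (not from the original advisory): audit the two service keys
# for non-admin write access and for a leftover Performance subkey.

$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'
)

# Rights that let a non-admin plant the Performance subkey and its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Assumed English principal names; write access by any of these is the finding.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Test-WritableServiceKey {
    param([string]$KeyPath)

    # Reading the DACL needs only READ_CONTROL, which standard users have.
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
            }
        }
    }
}

function Get-PerformanceSubkey {
    param([string]$KeyPath)

    # The four values below are the ones the performance loader reads.
    $perfKey = Join-Path $KeyPath 'Performance'
    if (Test-Path $perfKey) {
        $props = Get-ItemProperty -Path $perfKey
        [pscustomobject]@{
            Key     = $perfKey
            Library = $props.Library
            Open    = $props.Open
            Collect = $props.Collect
            Close   = $props.Close
        }
    }
}

foreach ($key in $ServiceKeys) {
    $findings = Test-WritableServiceKey -KeyPath $key
    if ($findings) {
        Write-Warning "Low-privilege write access on $key"
        $findings | Format-Table -AutoSize
    } else {
        Write-Host "OK: no low-privilege write access on $key"
    }

    $perf = Get-PerformanceSubkey -KeyPath $key
    if ($perf) {
        Write-Warning "Performance subkey present under $key (possible exploitation artefact)"
        $perf | Format-List
    }
}
```

Run it from a normal (non-elevated) PowerShell prompt on the target: if the first check warns, the box is exposed to this technique regardless of whether the second check finds anything, and a Library value pointing at a user-writable path is a strong sign the key has already been abused.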
How to Reproduce
1. Compile the Perfusion exploit in Visual Studio 2019: open the
project, select the Release x64 configuration and build.
2. Install the Microsoft Visual C++ Redistributable on Windows
MultiPoint Server 2011; the compiled exploit needs it to run.
3. The exploit creates a Performance subkey under one of the writable
service keys
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
and populates it with the following values:
Library = name of your performance DLL
Open = name of the Open function exported by your DLL
Collect = name of the Collect function exported by your DLL
Close = name of the Close function exported by your DLL
4. The exploit then writes the payload DLL to disk and triggers
performance data collection through WMI, so the DLL is loaded by a
process running as SYSTEM and its code executes with those privileges.
Tools:
https://github.com/itm4n/PrivescCheck
Exploit:
https://github.com/itm4n/Perfusion