The author does not hold any responsibility for the misuse of this script. Remember that attacking targets without prior consent is illegal and punishable by law. This script was built to show how resource files can automate tasks.
A major weakness is present in Windows Vista, 7, 8, Server 2008, Server 2008 R2 and Server 2012, which allows any authenticated user to gain system privileges under certain circumstances.
In Windows there is a service called IKEEXT (IKE and AuthIP IPsec Keyring Modules), which runs as SYSTEM and tries to load a DLL that doesn't exist. The default DLL search order of Windows includes several system directories and ends with the PATH folders. To put it simply, if one of these folders is configured with weak permissions, any authenticated user can plant a malicious DLL to execute code as SYSTEM and thus elevate their privileges.
This PowerShell script consists of 2 Cmdlets:
– Invoke-IkeextCheck – Only checks whether the machine is vulnerable.
– Invoke-IkeextExploit – If the machine is vulnerable, exploit it by dropping a specifically crafted DLL to the first weak folder.
The Invoke-IkeextCheck Cmdlet performs the following checks:
– OS version – If the OS is Windows Vista/7/8 then the machine is potentially vulnerable.
– IKEEXT status and start type – If the service is enabled, the machine is potentially vulnerable (default).
– PATH folders with weak permissions – If at least one folder is found, the machine is potentially vulnerable.
– Is wlbsctrl.dll already present in some system folder (i.e. a folder where DLLs can be loaded from)? – If wlbsctrl.dll doesn’t exist, the machine is potentially vulnerable (default).
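The four checks above, as an added audit script that is not part of the Ikeext-Privesc project: it reports each condition and changes nothing on the host. The function name is mine; it assumes a Windows host with PowerShell 2.0 or later.

```powershell
# Added audit example, not code from the Ikeext-Privesc project. It reports the
# four conditions Invoke-IkeextCheck looks at and changes nothing on the host.
# Assumes Windows with PowerShell 2.0 or later; the function name is my own.
function Test-IkeextExposure {
    # Groups every authenticated user belongs to; write access for them is "weak".
    $lowPrivGroups = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\(Authenticated Users|INTERACTIVE))$'
    # CreateFiles (WriteData) | GENERIC_ALL | GENERIC_WRITE: enough to plant a file.
    $writeMask = 0x2 -bor 0x10000000 -bor 0x40000000

    # 1. OS version: NT 6.0 - 6.2 (Vista/7/8, Server 2008/2008 R2/2012) are affected.
    $ver = [Environment]::OSVersion.Version
    $osAffected = ($ver.Major -eq 6 -and $ver.Minor -le 2)

    # 2. IKEEXT start type, read via WMI so this also works on PowerShell 2.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='IKEEXT'"
    $ikeextEnabled = ($svc -ne $null -and $svc.StartMode -ne 'Disabled')

    # 3. A wlbsctrl.dll in a system folder is found before any PATH folder is searched.
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
    $dllPresent = @($systemDirs | Where-Object { Test-Path (Join-Path $_ 'wlbsctrl.dll') }).Count -gt 0

    # 4. PATH folders writable by low-privileged groups. Read the machine PATH,
    #    which is what a SYSTEM service sees, not the current user's merged PATH.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $weakFolders = @()
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
        $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $rule.IdentityReference.Value -match $lowPrivGroups -and
                (([int]$rule.FileSystemRights) -band $writeMask) -ne 0) {
                $weakFolders += $dir
                break
            }
        }
    }

    New-Object PSObject -Property @{
        OsAffected      = $osAffected
        IkeextEnabled   = $ikeextEnabled
        WlbsctrlPresent = $dllPresent
        WeakPathFolders = $weakFolders
        # All four must hold for the DLL search to reach a folder a user can write to.
        Exposed         = ($osAffected -and $ikeextEnabled -and -not $dllPresent -and $weakFolders.Count -gt 0)
    }
}

Test-IkeextExposure | Format-List
```

Any folder listed under WeakPathFolders should have write access for those groups removed (for example with icacls /remove:g) or be taken out of the machine PATH.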
First of all, it’s important to note that this vulnerability was patched in Windows 8.1 and above. In these versions of Windows, wlbsctrl.dll search is limited to C:\Windows\System32\.
If you're stuck with Windows 7 / Server 2008 R2, because of compatibility issues for example, several countermeasures can be applied:
+ PATH folders with weak permissions – Some applications are installed directly in C:\ and add themselves to the PATH environment variable. By default, folders created in C:\ are writable by any authenticated user, so make sure to remove these write permissions.
+ Disable IKEEXT – In most cases, IKEEXT could simply be disabled by applying a GPO. This can be a good solution for servers but it is not advised for workstations.
+ Deploy your own DLL – Deploying a dummy wlbsctrl.dll in C:\Windows\System32\ for example is an efficient solution, since this directory has a higher priority than the PATH folders in the search order.
Use and Download:
git clone https://github.com/itm4n/Ikeext-Privesc && cd Ikeext-Privesc