module

Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability

Try Surface Command
Back to search
Disclosed
2020-03-10
Created
2020-06-11

Description

This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the
Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll
with a malicious DLL containing the attacker's payload.

To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which
will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking
issue within the Update Session Orchestrator Service.

Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the
Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,
so your mileage may vary on Windows Server 2016 and later.

Authors

itm4n
gwillcox-r7

Platform

Windows

Architectures

x86, x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
    msf exploit(cve_2020_0787_bits_arbitrary_file_move) > show targets
        ...targets...
    msf exploit(cve_2020_0787_bits_arbitrary_file_move) > set TARGET < target-id >
    msf exploit(cve_2020_0787_bits_arbitrary_file_move) > show options
        ...show and set options...
    msf exploit(cve_2020_0787_bits_arbitrary_file_move) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today