Immunity, Inc.
Name: unmarshal_to_system
CVE: CVE-2018-0824
Exploit Pack: CANVAS
Description: CVE-2018-0824 QC Marshal Interceptor Insecure COM Unmarshal LPE
Notes:
CVE Name: CVE-2018-0824
VENDOR: Microsoft
Notes:
Tested against:
---------------
Windows 7 x86 - NOT VULNERABLE
Windows Server 2016 - NOT VULNERABLE

Windows 8.1 - SUCCESSFUL EOP
Windows 10 1607 - SUCCESSFUL EOP
Windows 10 10240 - SUCCESSFUL EOP

Credits
---------------
+ Matthias Kaiser for inspiring our exploit
+ James Forshaw of Google Project Zero for exposing the method of
forcing a COM service to demarshal an object written to an IStorage
object

IMPORTANT CEU NOTE
---------------
As of 6/29/2018 you must set the target host to the IP address of the
node on which you wish to escalate.


Repeatability: Infinite
References:
+ https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
+ http://m.bianma.org/jishu/1473.html
+ https://bbs.pediy.com/thread-228829.htm
+ https://bbs.ichunqiu.com/thread-42157-1-1.html
CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0824
