# WPTaskScheduler Persistence & CVE-2024-49039, as one of the Attack Surfaces within Task Scheduler.
WPTaskScheduler.dll is a component of Task Scheduler, present since Windows 10 1507.
This is likely a backdoor technique used for persistence; the security researchers who analyzed it
found that it is able to bypass the Restricted Token sandbox and child-process restrictions and elevate to Medium Integrity.
## ???
1: An RPC connection has to be established, but restricted tokens such as the Google Chrome renderer process seem unable to establish one,
so is it useless? Not quite: the bypass succeeds from audio.mojom.AudioService and the gpu-process......
2: AppContainers seem unable to escape, but it is hard to say that this is the only attack point.
Before a restart it fails in (BasepCreateLowBox->NtCreateLowBoxToken), yet after a restart process creation succeeds from an AppContainer?
## Patch:
__WPTaskScheduler.dll!TsiRegisterRPCInterface__ now adjusts the RPC interface security so that the interface can no longer be accessed by Everyone.
At least Medium Integrity is required now (and other Service Accounts...)
![](https://github.com/je5442804/WPTaskScheduler_CVE-2024-49039/blob/main/1.jpg)
## Project
Visual Studio 2022 -> Release x64
Contains both the persistence component and a PoC to test it.
## Test
I suggest downloading WpTasks.exe from https://www.tenforums.com/general-support/157178-hidden-task-revealer.html......
1: Compile as an exe and use SystemInformer, TokenUniverse, sandbox-attacksurface-analysis-tools
or other tools to play with it.
2: Compile as a dll and use Reflective DLL Injection or MemoryModule to play around in real scenarios
(Chrome Low Integrity -> gpu-process, audio.mojom.AudioService).
By the way, what happens if "donut shellcode" runs in an Untrusted Sandbox Process...
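As an added example (not code from this project or from the hidden-task-revealer thread), a PowerShell check a defender can run next to WpTasks.exe: it lists tasks that the Task Scheduler service's registry cache knows about but that the supported Task Scheduler API does not return, which is where a task registered through a side channel like WPTaskScheduler would show up. The TaskCache key layout and the `Path`/`Author` value names are assumptions about the registry format; run it elevated.

```powershell
# Added example, not part of the original project.
# Assumption: every task the service tracks has a subkey
# TaskCache\Tasks\{GUID} holding a "Path" value (folder + task name).
$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

# Tasks reported by the supported API, keyed by full path, case-insensitive.
$visible = @{}
Get-ScheduledTask | ForEach-Object {
    $full = $_.TaskPath.TrimEnd('\') + '\' + $_.TaskName
    $visible[$full.ToLowerInvariant()] = $true
}

# Walk the cache and keep entries the API did not report.
$hidden = foreach ($key in Get-ChildItem -Path $cacheRoot -ErrorAction Stop) {
    $props = Get-ItemProperty -Path $key.PSPath
    $path  = [string]$props.Path
    if ([string]::IsNullOrEmpty($path)) {
        # A cache entry without a Path value is itself unusual; report it.
        [pscustomobject]@{ Id = $key.PSChildName; Path = '<no Path value>'; Author = $props.Author }
        continue
    }
    if (-not $visible.ContainsKey($path.ToLowerInvariant())) {
        [pscustomobject]@{ Id = $key.PSChildName; Path = $path; Author = $props.Author }
    }
}

if ($hidden) {
    'Tasks present in TaskCache but not reported by Get-ScheduledTask:'
    $hidden | Format-Table -AutoSize
} else {
    'No discrepancy between TaskCache and the Task Scheduler API.'
}
```

A hit is a starting point, not proof of compromise: compare the entry's trigger and action data against WpTasks.exe output and the task XML before acting on it.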
## Tested on
Windows 11 23H2 (10.0.22631.4317)
Windows Server 2016 (10.0.14393.5786)
## References & Credits
1: https://www.tenforums.com/general-support/157178-hidden-task-revealer.html
2: https://www.tenforums.com/general-support/157178-hidden-task-revealer-6.html
3: https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/
4: https://github.com/gtworek/PSBits/tree/master/WNF
5: https://googleprojectzero.blogspot.com/2015/05/in-console-able.html