## https://sploitus.com/exploit?id=8C567A57-1501-50F5-8D9D-F4F3F46E3BDD
# WPTaskScheduler Persistence & CVE-2024-49039: One Attack Surface within Task Scheduler  

WPTaskScheduler.dll is a component of Task Scheduler, present since Windows 10 1507.  
  
This is likely a backdoor tool used for persistence that was analyzed by security researchers,  
who found it able to bypass the Restricted Token sandbox and child-process restrictions and to elevate to Medium Integrity.  

## ???
1: Establishing the RPC connection: restricted tokens such as the Google Chrome renderer process seem unable to establish the RPC connection,  
so is it useless? Well, the bypass succeeds from audio.mojom.AudioService and the gpu-process......  

2: It seems that AppContainers are unable to escape, but it's hard to say that this is not the only attack point.  
It fails in (BasepCreateLowBox->NtCreateLowBoxToken) before restarting, yet process creation as an AppContainer succeeds after restarting?  

## Patch:
__WPTaskScheduler.dll!TsiRegisterRPCInterface__ adjusts the RPC interface security so that it can no longer be accessed by Everyone.  
At least Medium Integrity is required now (and other service accounts...)  
 ![](https://github.com/je5442804/WPTaskScheduler_CVE-2024-49039/blob/main/1.jpg)

## Project
Visual Studio 2022 -> Release x64  
Contains both the persistence component and a PoC to test.  

## Test
I suggest downloading WpTasks.exe from https://www.tenforums.com/general-support/157178-hidden-task-revealer.html......  

1: Compile as an exe, then use SystemInformer, TokenUniverse, sandbox-attacksurface-analysis-tools  
or other tools to play with it.  

2: Compile as a dll, then use Reflective DLL Injection or MemoryModule to play around with real scenarios  
(Chrome Low Integrity -> gpu-process, audio.mojom.AudioService).  
By the way, what happens if "donut shellcode" runs in an untrusted sandbox process...  
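As a defender-side companion to the hidden task revealer suggested above, the following PowerShell script is an added example and is not part of this project. It cross-checks the tasks reported by the Task Scheduler API (`Get-ScheduledTask`) against the entries under the standard `TaskCache\Tree` and `TaskCache\Tasks` registry keys and reports tasks that only the registry knows about, or that lack an `SD` (security descriptor) value, which is a known way of hiding a task from `schtasks` and the API. The function names and the output fields are my own; the registry paths are the standard Task Scheduler cache locations. Run it from an elevated PowerShell prompt, since the TaskCache keys are not readable by standard users.

```powershell
# Added example (not part of the WPTaskScheduler project): compare tasks visible
# through the Task Scheduler API with the entries persisted in the TaskCache
# registry keys, and flag registry-only tasks or tasks missing their SD value.
# Assumes an elevated PowerShell session on Windows 10/11.

$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-ApiTaskIndex {
    # Index of tasks the API reports, keyed by the full '\Folder\Name' path.
    $index = @{}
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $full = $t.TaskPath.TrimEnd('\') + '\' + $t.TaskName
        $index[$full] = $t
    }
    return $index
}

function Find-SuspiciousRegistryTasks {
    param([hashtable]$ApiIndex)
    $findings = @()
    foreach ($key in Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue) {
        $id = $key.GetValue('Id')
        if (-not $id) { continue }   # folder keys under Tree carry no Id value
        # Turn the registry key name into '\Folder\Name', the same shape the API uses
        $rel = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)
        $sd  = $key.GetValue('SD')
        $hasTaskKey = Test-Path (Join-Path $tasksRoot $id)

        $reason = $null
        if (-not $ApiIndex.ContainsKey($rel)) {
            $reason = 'present in registry, not reported by API'
        } elseif ($null -eq $sd) {
            $reason = 'SD value missing (task hidden from schtasks/API enumeration)'
        }
        if ($reason) {
            $findings += [pscustomobject]@{
                Task       = $rel
                Id         = $id
                HasSD      = ($null -ne $sd)
                HasTaskKey = $hasTaskKey
                Reason     = $reason
            }
        }
    }
    return $findings
}

$api    = Get-ApiTaskIndex
$result = @(Find-SuspiciousRegistryTasks -ApiIndex $api)
if ($result.Count -eq 0) {
    Write-Host 'No registry-only or SD-less scheduled tasks found.'
} else {
    $result | Format-Table -AutoSize
}
```

The comparison is deliberately one-directional: a task present in the API but absent from the registry would be a Task Scheduler inconsistency rather than a hiding technique, so it is not reported. Any hit should be inspected by hand (the `Tasks\{Id}` key holds the `Path`, `Actions` and `Triggers` values) before deciding whether it is benign.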

## Tested on
Windows 11 23H2 (10.0.22631.4317)  
Windows Server 2016 (10.0.14393.5786)  

## References & Credits
1: https://www.tenforums.com/general-support/157178-hidden-task-revealer.html  
2: https://www.tenforums.com/general-support/157178-hidden-task-revealer-6.html  
3: https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/  
4: https://github.com/gtworek/PSBits/tree/master/WNF  
5: https://googleprojectzero.blogspot.com/2015/05/in-console-able.html