Build 1809 patched JuicyPotato

[hypnoticpattern]

Hi,
I am trying to run the tool on a Windows 10 Enterprise 1809. I opened a terminal and used psexec64 to run a console under the nt authority\local service user and verified with Process Explorer that SeImpersonatePrivilege is enabled.

c:\>whoami
nt authority\local service

c:\>JuicyPotato.exe -l 6666 -p c:\windows\system32\cmd.exe -t u -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 6666
COM -> recv failed with error: 10038
c:\>net helpmsg 10038

An operation was attempted on something that is not a socket.

I also tried using the default CLSID with the same result. Any clue what I might be doing wrong?

[ohpe]

I just tested in Windows 10 Enterprise v10.0.16299.125 and it works.
Try to change port, this should work:
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

[hypnoticpattern]

Isn’t build 16299 fall creator update (2017)? Windows 10 1809 was released in October 2018. I also tried to use rotten potato and in windows 1809 it doesn’t work anymore. I don’t have any problem in versions prior to 1809.

[ohpe]

Ah right, build 1809 and Windows 2019 are patched.
Check @decoder-it blog, he explained the story:
https://decoder.cloud/2018/10/29/no-more-rotten-juicy-potato/

[jayuniversal]

Anyone heard if Microsoft will patch the exploits for 2016 server and 2012 server

https://support.plesk.com/hc/en-us/articles/360010138760

[bannsec]

Would be good to have the patched into on the main github README.

[mvineza]

Hi @hypnoticpattern , you can also try to use a different CLSID.

https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard