From 3af93cbacc3a77e75c238f56a714cd9c84c29651 Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Mon, 8 Nov 2021 16:12:20 -0600
Subject: [PATCH] Fix up changes from timwr's review so long
---
 .../modules/exploit/windows/local/cve_2021_40449.md | 2 +-
 modules/exploits/windows/local/cve_2021_40449.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/documentation/modules/exploit/windows/local/cve_2021_40449.md b/documentation/modules/exploit/windows/local/cve_2021_40449.md
index 2d10e9f572..41eb396fe3 100644
--- a/documentation/modules/exploit/windows/local/cve_2021_40449.md
+++ b/documentation/modules/exploit/windows/local/cve_2021_40449.md
@@ -4,7 +4,7 @@ A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k
 an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this
 function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the
 `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
-that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
+that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
 with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use
 the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
 kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
diff --git a/modules/exploits/windows/local/cve_2021_40449.rb b/modules/exploits/windows/local/cve_2021_40449.rb
index 4f307de1c1..b8d96e48f4 100644
--- a/modules/exploits/windows/local/cve_2021_40449.rb
+++ b/modules/exploits/windows/local/cve_2021_40449.rb
@@ -17,13 +17,13 @@ class MetasploitModule < Msf::Exploit::Local
       update_info(
         info,
         {
-          'Name' => '',
+          'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',
           'Description' => %q{
             A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by
             an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this
             function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the
             `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
-            that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
+            that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
             with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use
             the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
             kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
@@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Local
         return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
       end
 
-      build_num_raw = session.shell_command_token('cmd.exe /c ver')
+      build_num_raw = cmd_exec('cmd.exe /c ver')
       build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
       if build_num.nil?
         print_error("Couldn't retrieve the target's build number!")
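Review bot: The new `cmd_exec('cmd.exe /c ver')` line still hands its output to the `/\d+\.\d+\.\d+\.\d+/` match on the following line, and `ver` only prints a fourth (UBR) component on recent Windows 10 builds and later — older releases such as Windows 7 print three components, e.g. `Microsoft Windows [Version 6.1.7601]`, so on those hosts `check` would land in the "Couldn't retrieve the target's build number!" path instead of evaluating the build. If pre-Windows-10 targets are meant to be checked, `build_num = build_num_raw.match(/\d+\.\d+\.\d+(?:\.\d+)?/)` accepts both forms; if they are deliberately out of scope, a short comment saying so next to the regex would save the next reader the same question. Separately, spawning `cmd.exe` from `check` creates a visible child process on the target purely to read a version string that a Meterpreter session already exposes through `session.sys.config.sysinfo` (in a different textual format), so a quieter probe could consult sysinfo when the session supports it and fall back to `cmd_exec` only for plain shell sessions. The enclosing `check` method begins and ends outside this hunk, so how the match result is consumed afterwards is not visible here.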