Add CVE-2022-1373 and CVE-2022-2334 exploit chain #19084
base: master
'WfsDelay' => 300 | ||
}, | ||
'Platform' => 'win', | ||
# the software itself only supports x64, see |
If the software only supports x64, is there a reason why we also provide an x86 DLL since this is a DLL hijack attack?
No, I suppose there's no reason to have an x86 DLL - removed in afd4b8a
|
||
def exploit | ||
# in this case, if it appears vulnerable, it should be enough to continue the exploit | ||
unless [CheckCode::Appears].include? check |
We wouldn't have to call this if we add auto-check 👍
Added in afd4b8a
else | ||
# have MSF create the malicious DLL | ||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334') | ||
arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch'] |
Since the target is always x64, we can only select the x64 DLL. I think we can remove these lines, and define the target DLL as template_x64_windows.dll
Yep, changed in afd4b8a
end | ||
|
||
# clean up the planted DLL if the session is meterpreter | ||
def on_new_session(session) |
We need to call super in this method
Added in afd4b8a
end | ||
|
||
# load stdapi | ||
session.core.use('stdapi') if !session.ext.aliases.include?('stdapi') |
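Review bot: the stdapi guard on the last line reads more idiomatically as `session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')`; Ruby style (and the framework's RuboCop Style/NegatedIf rule) prefers `unless` over `if !` for a single negated condition, and the cleanup itself can move into FileDropper so this method only registers the dropped path.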
The file cleanup functionality can be pulled in with the FileDropper mixin 👍
I've tried something in 8d6a206 - let me know if that looks OK!
include Msf::Exploit::EXE | ||
include Msf::Exploit::FileDropper | ||
include Msf::Exploit::Remote::HttpClient | ||
|
prepend Msf::Exploit::Remote::AutoCheck |
Good stuff! Added in afd4b8a
If we remove these payload files, we could potentially get an Administrator session from the Framework payload, and one of the getsystem techniques would work to elevate to NT AUTHORITY/SYSTEM, leaving us with fewer .c files to maintain. The current approach seems like technique 3: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/windows/escalate/getsystem.md#3---token-duplication
I initially wanted to use Metasploit's C compiler like what was done for https://github.com/rapid7/metasploit-framework/blob/397781f2b1a51b9d8766918f9f7e6ab613f4b8b5/modules/exploits/windows/local/dnsadmin_serverlevelplugindll.rb, or even just generate a "normal" DLL, but both ways of generating DLLs don't work for this exploit: for the Metasploit C compiler method the DLL needs to be compiled with the .def file; for the "normal" DLL created with msfvenom, shells don't spawn, and if compiled with the .def file it spawns 18 shells of questionable stability on every exploit attempt.
I figured mutexes and some migration code would be a good idea and all that was already done before in the code for CVE-2017-8464 anyway, so I just reused that code. I'm sure the .c file could be a lot leaner in this case though (we only want to run shellcode and then migrate it to a more stable process).
@ide0x90 what's the best way to get the installer from you?

I can share the installer over Google Drive, if that's OK?

Yes, please send the link to msfdev@metasploit.com

Shared the installer

Got it; thanks!

Hi there; I've hit a few snags, but I think I have it mostly working - the only catch is that I get an error message when it tries to restore the configuration, reporting

Darn, I forgot about that error - it's a tricky one that needs a workaround. I sent more stuff to msfdev@metasploit.com with additional info.
This PR adds a module and related materials for the CVE-2022-1373 and CVE-2022-2334 exploit chain against Softing Secure Integration Server 1.22 that was used during Pwn2Own 2022 Miami. This is dependent on #19075.
Verification
List the steps needed to make sure this thing works:
msfconsole
use exploit/windows/http/softing_sis_rce
set RHOSTS <target_ip>
set SSL true (if necessary)
set RPORT <target_port> (if SSL is set)
set USERNAME <username> (if necessary; default is admin)
set PASSWORD <password> (if necessary; default is admin)
set SIGNATURE <signature> to use signature authentication. PASSWORD will be ignored if SIGNATURE is set!
set DLLPATH <path_to_custom_dll> to use a custom DLL. It is assumed that the DLL is correctly compiled by the operator for the exploit.
exploit and get a shell
C:\Windows\System32\wbem\wbemcomn.dll
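A defender-side companion to the steps above, added here and not part of the PR or the Metasploit module: a PowerShell check that flags a wbemcomn.dll under System32\wbem (the path listed above) that is not validly Microsoft-signed. It assumes that path is where the module's DLL lands, as the "planted DLL" review comments suggest, and that a genuine copy of this Windows component would carry a valid Microsoft Authenticode signature.

```powershell
# Added example, not part of the PR: look for a non-Microsoft wbemcomn.dll under System32\wbem.
# Assumption: this is the drop location of the module's DLL (path taken from the PR description).
$Planted = 'C:\Windows\System32\wbem\wbemcomn.dll'

function Test-PlantedWbemcomn {
    param([string]$Path = $Planted)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A clean host has no wbemcomn.dll in this subdirectory.
        return [pscustomobject]@{ Path = $Path; Present = $false; Suspicious = $false }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $item   = Get-Item -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A genuine Windows component is validly signed by Microsoft; anything else at this
    # path is treated as planted and preserved for analysis rather than deleted.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')

    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        Suspicious    = $suspicious
        SigStatus     = $sig.Status
        Signer        = $signer
        SHA256        = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        LastWriteTime = $item.LastWriteTime
        Owner         = (Get-Acl -LiteralPath $Path).Owner
    }
}

$result = Test-PlantedWbemcomn
$result | Format-List
if ($result.Suspicious) {
    Write-Warning "Unexpected wbemcomn.dll at $($result.Path): keep the file and review file-create and image-load telemetry around $($result.LastWriteTime)."
}
```

Run from an elevated prompt so Get-Acl and Get-AuthenticodeSignature can read the file; the SHA256 and LastWriteTime give the incident responder something to pivot on.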
Vulnerable Software
Softing Secure Integration Server 1.22
This version is no longer available for download on the vendor's page, but I have a copy of the installer that I can provide.
Test Environment
Windows Server 2019 Standard x64.
Test run
TODO
session.fs.file.rm doesn't.