Add Exploit for CVE-2021-40449 #15834
Conversation
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.

//puts("[*] Spraying palettes");
SprayPalettes(0xe20);
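Review bot: The spray size passed to SprayPalettes is an undocumented magic constant; the commented-out puts above it is the only nearby context, and the discussion in this thread shows the value (0xe20 vs 0xe98) is easy to second-guess per Windows build. Suggest a comment on the SprayPalettes(0xe20); line stating what the size corresponds to and which builds it was verified against, or naming the constant so the derivation is recorded in the source.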
This should be 0xe98 for Microsoft Windows [Version 10.0.17763.1] but I'm not sure how it's calculated for other versions.
Odd, see the documentation, I tested this on a 10.0.17763 install with fairly recent patches and this worked fine. Are you implying that something changed the structures between when 10.0.17763 first came out and the latest patches? I would find that hard to believe given most of these structures stay the same between major releases but it is possible, just would want to see some more evidence given this worked for me in my tests so that we know specifically what was changed and address it appropriately.
Keep in mind this code is taken from https://github.com/ly4k/CallbackHell; I have not modified @ly4k's code very much; mainly made some minor changes to get things to compile without warnings where possible and made some type changes where it made sense. The logic of the code should still be the same though as I didn't touch anything like this.
Apologies, 0xe20 works too.
All good, was just curious if I had missed something :) I'll leave this issue open in case we encounter problems down the line though; it will be good to reference this to check if it's related.
external/source/exploits/CVE-2021-40449/CVE-2021-40449/dllmain.c
Confirmed working on Windows 10 1809
You should take a look at external/source/include/windows/definitions.h
which includes a bunch of definitions that you have here. Should be able to include that rather than redefining them here.
@smcintyre-r7 @h00die 9f9942f should incorporate the rest of both of your feedback.
LGTM. Nice work.
I can land this once the tests pass
Release notes: Adds a module for CVE-2021-40449 aka CallbackHell, a Windows local privilege escalation exploit caused by a use after free during the NtGdiResetDC callback in vulnerable versions of win32k.sys.
Add in an exploit for CVE-2021-40449 as described as being exploited in the wild at https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/. Work was taken from the POC at https://github.com/ly4k/CallbackHell from @ly4k, which builds off of the work at https://github.com/KaLendsi/CVE-2021-40449-Exploit from @KaLendsi. Additional info came from https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ and the Red Raindrop Team of the Qi'anxin Threat Intelligence Center who did a very detailed writeup of this vulnerability.
This exploit should work against Windows 10 x64 builds 14393 and 17763; however, it should also work against older versions of Windows 10 as well. Newer versions of Windows 10 introduced additional protections that may make some of the exploit techniques utilized by this exploit irrelevant, so I'm not sure how exploitation fares on newer versions of Windows; however, it's likely that older versions such as Windows 7 could also be exploited with some tweaks to this exploit.
Verification
List the steps needed to make sure this thing works:
msfconsole
use exploit/windows/local/cve_2021_40449
Set SESSION, LHOST, etc.
exploit