automatic module_metadata_base.json update

Author: msjenkins-r7

db/modules_metadata_base.json

@@ -148224,35 +148224,25 @@
     ],
     "needs_cleanup": true
   },
-  "exploit_windows/local/cve_2021_1732_win32k": {
-    "name": "Win32k ConsoleControl Offset Confusion",
-    "fullname": "exploit/windows/local/cve_2021_1732_win32k",
+  "exploit_windows/local/cve_2021_21551_dbutil_memmove": {
+    "name": "Dell DBUtil_2_3.sys IOCTL memmove",
+    "fullname": "exploit/windows/local/cve_2021_21551_dbutil_memmove",
     "aliases": [
 
     ],
     "rank": 400,
-    "disclosure_date": "2021-02-10",
+    "disclosure_date": "2021-05-04",
     "type": "exploit",
     "author": [
-      "BITTER APT",
-      "JinQuan",
-      "MaDongZe",
-      "TuXiaoYi",
-      "LiHao",
-      "KaLendsi",
+      "Kasif Dekel",
+      "SentinelLabs",
       "Spencer McIntyre"
     ],
-    "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n            NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n            treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n            achieve an out of bounds write operation, eventually leading to privilege escalation.",
+    "description": "The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by\n            an attacker read and write kernel-mode memory.",
     "references": [
-      "CVE-2021-1732",
-      "URL-https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/",
-      "URL-https://github.com/KaLendsi/CVE-2021-1732-Exploit",
-      "URL-https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e",
-      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732",
-      "URL-https://www.fuzzysecurity.com/tutorials/expDev/22.html",
-      "URL-https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm",
-      "URL-https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html",
-      "URL-https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html"
+      "CVE-2021-21551",
+      "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
+      "URL-https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability"
     ],
     "platform": "Windows",
     "arch": "x64",
@@ -148264,12 +148254,12 @@
 
     ],
     "targets": [
-      "Windows 10 v1803-20H2 x64"
+      "Windows x64"
     ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
-    "path": "/modules/exploits/windows/local/cve_2021_1732_win32k.rb",
+    "mod_time": "2021-09-08 21:56:02 +0000",
+    "path": "/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb",
     "is_install_path": true,
-    "ref_name": "windows/local/cve_2021_1732_win32k",
+    "ref_name": "windows/local/cve_2021_21551_dbutil_memmove",
     "check": true,
     "post_auth": false,
     "default_credential": false,
@@ -148279,35 +148269,38 @@
       ],
       "Reliability": [
         "repeatable-session"
-      ],
-      "SideEffects": [
-
       ]
     },
     "session_types": [
       "meterpreter"
     ],
     "needs_cleanup": null
   },
-  "exploit_windows/local/cve_2021_21551_dbutil_memmove": {
-    "name": "Dell DBUtil_2_3.sys IOCTL memmove",
-    "fullname": "exploit/windows/local/cve_2021_21551_dbutil_memmove",
+  "exploit_windows/local/cve_2021_40449": {
+    "name": "Win32k NtGdiResetDC Use After Free Local Privilege Elevation",
+    "fullname": "exploit/windows/local/cve_2021_40449",
     "aliases": [
 
     ],
     "rank": 400,
-    "disclosure_date": "2021-05-04",
+    "disclosure_date": "2021-10-12",
     "type": "exploit",
     "author": [
-      "Kasif Dekel",
-      "SentinelLabs",
-      "Spencer McIntyre"
+      "IronHusky",
+      "Costin Raiu",
+      "Boris Larin",
+      "Red Raindrop Team of Qi'anxin Threat Intelligence Center",
+      "KaLendsi",
+      "ly4k",
+      "Grant Willcox"
     ],
-    "description": "The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by\n            an attacker read and write kernel-mode memory.",
+    "description": "A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by\n            an attacker to escalate privileges to those of `NT AUTHORITY\\SYSTEM`. The flaw exists due to the fact\n            that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers\n            can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object\n            that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle\n            with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the\n            attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the\n            kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\\SYSTEM.\n\n            This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions\n            of Windows 10 will likely also work.",
     "references": [
-      "CVE-2021-21551",
-      "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
-      "URL-https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability"
+      "CVE-2021-40449",
+      "URL-https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/",
+      "URL-https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ",
+      "URL-https://github.com/KaLendsi/CVE-2021-40449-Exploit",
+      "URL-https://github.com/ly4k/CallbackHell"
     ],
     "platform": "Windows",
     "arch": "x64",
@@ -148319,12 +148312,12 @@
 
     ],
     "targets": [
-      "Windows x64"
+      "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)"
     ],
-    "mod_time": "2021-09-08 21:56:02 +0000",
-    "path": "/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb",
+    "mod_time": "2021-11-08 16:12:20 +0000",
+    "path": "/modules/exploits/windows/local/cve_2021_40449.rb",
     "is_install_path": true,
-    "ref_name": "windows/local/cve_2021_21551_dbutil_memmove",
+    "ref_name": "windows/local/cve_2021_40449",
     "check": true,
     "post_auth": false,
     "default_credential": false,
@@ -148334,38 +148327,49 @@
       ],
       "Reliability": [
         "repeatable-session"
+      ],
+      "SideEffects": [
+
       ]
     },
     "session_types": [
       "meterpreter"
     ],
     "needs_cleanup": null
   },
-  "exploit_windows/local/cve_2021_40449": {
-    "name": "Win32k NtGdiResetDC Use After Free Local Privilege Elevation",
-    "fullname": "exploit/windows/local/cve_2021_40449",
+  "exploit_windows/local/cve_2022_21882_win32k": {
+    "name": "Win32k ConsoleControl Offset Confusion",
+    "fullname": "exploit/windows/local/cve_2022_21882_win32k",
     "aliases": [
-
+      "exploit/windows/local/cve_2021_1732_win32k"
     ],
-    "rank": 400,
-    "disclosure_date": "2021-10-12",
+    "rank": 200,
+    "disclosure_date": "2021-02-09",
     "type": "exploit",
     "author": [
-      "IronHusky",
-      "Costin Raiu",
-      "Boris Larin",
-      "Red Raindrop Team of Qi'anxin Threat Intelligence Center",
+      "BITTER APT",
+      "JinQuan",
+      "MaDongZe",
+      "TuXiaoYi",
+      "LiHao",
+      "L4ys",
       "KaLendsi",
-      "ly4k",
-      "Grant Willcox"
+      "Spencer McIntyre"
     ],
-    "description": "A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by\n            an attacker to escalate privileges to those of `NT AUTHORITY\\SYSTEM`. The flaw exists due to the fact\n            that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers\n            can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object\n            that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle\n            with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the\n            attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the\n            kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\\SYSTEM.\n\n            This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions\n            of Windows 10 will likely also work.",
+    "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n            NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n            treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n            achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n            This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n            In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n            is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n            function on a wider range of Windows 10 targets.",
     "references": [
-      "CVE-2021-40449",
-      "URL-https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/",
-      "URL-https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ",
-      "URL-https://github.com/KaLendsi/CVE-2021-40449-Exploit",
-      "URL-https://github.com/ly4k/CallbackHell"
+      "CVE-2021-1732",
+      "URL-https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/",
+      "URL-https://github.com/KaLendsi/CVE-2021-1732-Exploit",
+      "URL-https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732",
+      "URL-https://www.fuzzysecurity.com/tutorials/expDev/22.html",
+      "URL-https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm",
+      "URL-https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html",
+      "URL-https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html",
+      "CVE-2022-21882",
+      "URL-https://github.com/L4ys/CVE-2022-21882",
+      "URL-https://github.com/KaLendsi/CVE-2022-21882"
     ],
     "platform": "Windows",
     "arch": "x64",
@@ -148377,12 +148381,12 @@
 
     ],
     "targets": [
-      "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)"
+      "Windows 10 v1803-21H2 x64"
     ],
-    "mod_time": "2021-11-08 16:12:20 +0000",
-    "path": "/modules/exploits/windows/local/cve_2021_40449.rb",
+    "mod_time": "2022-02-24 11:24:20 +0000",
+    "path": "/modules/exploits/windows/local/cve_2022_21882_win32k.rb",
     "is_install_path": true,
-    "ref_name": "windows/local/cve_2021_40449",
+    "ref_name": "windows/local/cve_2022_21882_win32k",
     "check": true,
     "post_auth": false,
     "default_credential": false,