@@ -12,18 +12,39 @@ class MetasploitModule < Msf::Exploit::Local
1212 include Msf ::Post ::Windows ::ReflectiveDLLInjection
1313 prepend Msf ::Exploit ::Remote ::AutoCheck
1414
15+ include Msf ::Exploit ::Deprecated
16+ moved_from 'exploit/windows/local/cve_2021_1732_win32k'
17+
1518 def initialize ( info = { } )
1619 super (
1720 update_info (
1821 info ,
1922 {
20- 'Name' => '' ,
23+ 'Name' => 'Win32k ConsoleControl Offset Confusion ' ,
2124 'Description' => %q{
25+ A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
26+ NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
27+ treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
28+ achieve an out of bounds write operation, eventually leading to privilege escalation.
29+
30+ This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
31+ In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
32+ is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
33+ function on a wider range of Windows 10 targets.
2234 } ,
2335 'License' => MSF_LICENSE ,
2436 'Author' => [
37+ # CVE-2021-1732
38+ 'BITTER APT' , # exploit as used in the wild
39+ 'JinQuan' , # detailed analysis
40+ 'MaDongZe' , # detailed analysis
41+ 'TuXiaoYi' , # detailed analysis
42+ 'LiHao' , # detailed analysis
43+ # CVE-2022-21882
2544 'L4ys' , # github poc
26- 'KaLendsi' , # github poc
45+ # both CVEs
46+ 'KaLendsi' , # github pocs
47+ # Metasploit exploit
2748 'Spencer McIntyre' # metasploit module
2849 ] ,
2950 'Arch' => [ ARCH_X64 ] ,
@@ -33,26 +54,34 @@ def initialize(info = {})
3354 'EXITFUNC' => 'thread'
3455 } ,
3556 'Targets' => [
36- [ 'Windows 10 v20H2 -21H2 x64' , { 'Arch' => ARCH_X64 } ]
57+ [ 'Windows 10 v1803 -21H2 x64' , { 'Arch' => ARCH_X64 } ]
3758 ] ,
3859 'Payload' => {
3960 'DisableNops' => true
4061 } ,
4162 'References' => [
63+ # CVE-2021-1732 references
64+ [ 'CVE' , '2021-1732' ] ,
65+ [ 'URL' , 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ] ,
66+ [ 'URL' , 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ] ,
67+ [ 'URL' , 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ] ,
68+ [ 'URL' , 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ] ,
69+ # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
70+ [ 'URL' , 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ] ,
71+ [ 'URL' , 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ] ,
72+ [ 'URL' , 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ] ,
73+ [ 'URL' , 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ] ,
74+ # CVE-2022-21882 references
4275 [ 'CVE' , '2022-21882' ] ,
4376 [ 'URL' , 'https://github.com/L4ys/CVE-2022-21882' ] ,
4477 [ 'URL' , 'https://github.com/KaLendsi/CVE-2022-21882' ]
4578 ] ,
46- 'DisclosureDate' => '' ,
79+ 'DisclosureDate' => '2021-02-09' , # CVE-2021-1732 disclosure date
4780 'DefaultTarget' => 0 ,
4881 'Notes' => {
4982 'Stability' => [ CRASH_OS_RESTARTS , ] ,
5083 'Reliability' => [ REPEATABLE_SESSION , ] ,
51- 'SideEffects' => [ ] ,
52- 'RelatedModules' => [
53- # this module exploits the original vulnerability for which this is a patch bypass
54- 'exploit/windows/local/cve_2021_1732_win32k'
55- ]
84+ 'SideEffects' => [ ]
5685 }
5786 }
5887 )
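Review bot: The new Description text in the first hunk has a doubled word: the line ending `The root cause is` is followed by the line starting `is the same for both vulnerabilities`, so the second line should begin `the same for both vulnerabilities. This exploit combines the patch bypass ...`. The new 'Name' literal also appears to end with a space before the closing quote, `'Win32k ConsoleControl Offset Confusion '`; if that is not a rendering artifact of this page, trim it, since the name is what module listings and searches display. A one-line comment above `moved_from` would also help the next reader, e.g. `# the CVE-2021-1732 module was merged into this one; keep the old path as an alias`. The body of initialize may continue past the end of the second hunk.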