rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Win32k Elevation of Privilege Vulnerability (CVE-2023-29336) #18081

Open h00die opened 1 year ago

h00die commented 1 year ago

Summary

Windows priv esc for 10+ and 2008+ on the server side

Basic example

https://github.com/numencyber/Vulnerability_PoC/blob/main/CVE-2023-29336/poc.cpp

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29336

Motivation

the more windows priv esc the better!

gwillcox-r7 commented 1 year ago

Been taking a look into this but haven't managed to get the PoC to run successfully on a target yet. If someone has instructions on how to get the PoC working though, I'd be open to hearing what needs to be adjusted. Atm it's a little confusing.

gwillcox-r7 commented 1 year ago

Well, found out why it's likely failing to compile. Author decided to use hardcoded offsets into USER32.dll and then didn't tell people which OS it's meant to be running on 🙄 Guessing the reason it's crashing for me is that the offset from the start of IsMenu is incorrect for my OS.

EDIT: Upon further investigation there were two PoCs both of which contain similar code but with slight differences. Switching back over to https://github.com/numencyber/Vulnerability_PoC/blob/main/CVE-2023-29336/poc.cpp shows that the PoC is meant to work on Windows Server 2016 Dataserver with May patches installed, I presume meaning that May 2023 patches should be installed on the target. However May 2023 patches are also the ones meant to fix this vulnerability so now I'm not sure. At the very least I know Windows Server 2016 Dataserver should be used though.

h00die commented 1 year ago

@numencyber, any insight on what OS the PoC is supposed to work against? Not asking you to defend your code or anything like that, just hoping to help shed some light on how we could get this into Metasploit.

gwillcox-r7 commented 1 year ago

Taking a closer look at the demo video they appear to be running it on Windows Server 2016 Datacenter Evaluation with build 14393.rs1_release.230329-2152. They also show the language is en-us so I don't think that would make a difference like I thought it might, and that the following hotpatch fixes are installed:

gwillcox-r7 commented 1 year ago

Looks like a fresh evaluation install gives me Build 14393.rs1_release.161220-1747, which is from 2017/01/11, and the version that was tested is from 2023/04/12 aka just before the May Update.

gwillcox-r7 commented 1 year ago

Okay, after installing the updates I got the same build release number, so going to take a snapshot and see if I can get the PoC working.

gwillcox-r7 commented 1 year ago

After installing the same build snapshot I can now build the exploit, but I'm getting BSODs with SYSTEM SERVICE EXCEPTION inside win32kfull.sys when running the exploit using both the release and debug compiled versions of the code.

gwillcox-r7 commented 1 year ago

Okay, I think I should have something for this shortly; going to upload the code I have and then link it here in case we need a backup.

Here is the list of improvements I made: