This module exploits CVE-2020-1054, an out-of-bounds write reachable from DrawIconEx in win32k. The out-of-bounds write can be used to overwrite the pvBits pointer of a SURFOBJ, which turns the bug into controlled writes to kernel memory; from there an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets in the exploit code may need to be adjusted to work with other versions of Windows.
Platform: Windows
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/local/cve_2020_1054_drawiconex_lpe
msf exploit(cve_2020_1054_drawiconex_lpe) > show targets
...targets...
msf exploit(cve_2020_1054_drawiconex_lpe) > set TARGET <target-id>
msf exploit(cve_2020_1054_drawiconex_lpe) > show options
...show and set options...
msf exploit(cve_2020_1054_drawiconex_lpe) > exploit