Microsoft Windows 8.1 – DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)

• Exploit Database
• 15 阅读

• 作者： monoxgas
  日期： 2015-08-13
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37768/

• Source: https://github.com/monoxgas/Trebuchet
  
  Trebuchet
  MS15-076 (CVE-2015-2370) Privilege Escalation
  
  Copies a file to any privileged location on disk
  
  Compiled with VS2015, precompiled exe in Binary directory
  
  Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll
  
  This is a lightly modified Proof of Concept by James Forshaw with Google, found here: https://code.google.com/p/google-security-research/issues/detail?id=325
  
  CreateSymlink tool was written by James Forshaw found here: https://github.com/google/symboliclink-testing-tools
  
  Notes:
  
  Microsoft.VisualStudio.OLE.Inerop.dll must be in the same directory
  Exploit can only be one once every 2-3 minutes. This is because RPC can be help up by LocalSystem
  Tested on x64/x86 Windows 7/8.1
  
  Proof of Concept:
  
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37768.zip