Add butchered version of CVE-2015-1701 #5466
Conversation
This module isn't using report_auth_info, so this comment is no longer needed.
* Fixes bug with Pro Vuln Validation validation pushes
Sounds wonderful to me! Thanks dude :)
Cool!
if (huser32 == NULL) | ||
return 0; | ||
|
||
pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo"); |
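Review bot: the result of `pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");` is not NULL-checked in the visible lines, although `huser32` is checked just above it; since user32!gSharedInfo is not exported on older Windows versions (the Server 2003 behaviour discussed in this thread), `pse` should be tested and the code should return with a clear error before it is dereferenced.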
My guess is that this is why the exploit is not working on server 2003. user32!gSharedInfo is not available on older versions of Windows.
Yup, good point.
Thanks @wchen-r7 ! I know that @zeroSteiner has more work coming here as well to get things working on some earlier versions. Cheers for landing :)
Cheers!
Does not seem to work... I always get a does not support WOW64...
It works perfectly. Your Meterpreter session must match the target architecture.
Yep, my bad :) I had to check the source and figure it out. Just migrate...
This PR includes the first pass of a module and source that provides a local privilege escalation for CVE-2015-1701 (MS15-051), documented by FireEye.
Code for this module was blatantly purloined from this repository. It has very few adjustments, other than the ones to make it work within the Meterpreter ecosystem. Those changes are:
I haven't spent any time tidying the C source up at all. The MSF module is pretty much a direct copy of an existing local exploit module with the appropriate tweaks made.
I have successfully tested this on Windows 7 x64 and x86 (build 7600), and on Windows 2008 R2 SP1 x64, though according to the TechNet articles the vulnerability should work on earlier versions as well.
I'd like to call on the fine minds of @zeroSteiner, @wchen-r7 and @jvazquez-r7 to cast an eye over this. It could use some serious tidying up and you guys are meticulous! Any comments would be appreciated. My feeling is that this can be landed 'as is' without too many changes, and we can spend more time later tidying up the C code if we feel like it.
Note: this PR includes functioning binaries as part of a signed commit.
Verification
exploit/windows/local/ms15_051_client_copy_image
Sample Runs
Windows 7 x86
Windows 7 x64
Windows 2008 R2 SP1 x64
Thanks to @multiplex3r for helping out with testing.