CVSS3: 7.8 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

CVSS2: 7.2 High

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |

EPSS: 0.0004 Low (Percentile 8.6%)
Name | ms16_032 |
---|---|
CVE | CVE-2016-0099 Exploit Pack |
VENDOR | Microsoft |

Notes:
Our exploit module is really two modules:
#1 An exploit based on Google Project Zero's post by James Forshaw. It is extremely reliable if the target is a non-virtualized (and multicore) machine.
#2 An Immunity-written exploit for handling the case of non-virtualized systems. It is much less reliable. We discuss that below.
IMPORTANT NOTE: we assume that almost every bare-metal system this will run on will have
multiple cores. Thus we only check whether a system is virtualized or not to determine
which exploit binary to execute.
NOTES ON EXPLOIT #2
This exploit has reliability issues, stemming mainly from SuspendThread and SetThreadContext providing unreliable process-suspension and register-writing primitives. Many techniques have been tried to maintain control over the thread after we suspend it, but they have proven unreliable in general.
This exploit will crash SecLogon and a number of other Windows services at the same time if successful. Even if the exploit is unsuccessful, it may crash those services as well. Note, however, that these services will in fact restart.
Win7 / Win10 are the most reliable targets.
It also takes a long time to work. A few minutes should suffice, but not more than 5.
X86:
Windows XP Home SP0 - FAILED, incorrect handle number duplicated - likely not exploitable
Windows 8.1 SP1 - SUCCESS - Exploit created.
Windows 7 Ultimate SP1 - SUCCESS - Exploit created.
Windows 10 Enterprise - SUCCESS - Exploit created.
X86_64:
Windows Server 2008 R2 - VULNERABLE
Windows 8.1 Pro SP1 - VULNERABLE
Windows 10 Enterprise - SUCCESS - Exploit created.
Repeatability: Infinite
References:
- https://technet.microsoft.com/en-us/library/security/ms16-032.aspx
- http://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099
CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099