Lucene search

K
exploitdbMonoxgasEDB-ID:37768
HistoryAug 13, 2015 - 12:00 a.m.

Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)

2015-08-1300:00:00
monoxgas
www.exploit-db.com
108

6.5 Medium

AI Score

Confidence

Low

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

16.8%

Source: https://github.com/monoxgas/Trebuchet

Trebuchet
MS15-076 (CVE-2015-2370) Privilege Escalation

Copies a file to any privileged location on disk

Compiled with VS2015, precompiled exe in Binary directory

Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll

This is a lightly modified Proof of Concept by James Forshaw with Google, found here: https://code.google.com/p/google-security-research/issues/detail?id=325

CreateSymlink tool was written by James Forshaw found here: https://github.com/google/symboliclink-testing-tools

Notes:

Microsoft.VisualStudio.OLE.Inerop.dll must be in the same directory
Exploit can only be one once every 2-3 minutes. This is because RPC can be help up by LocalSystem
Tested on x64/x86 Windows 7/8.1

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37768.zip

6.5 Medium

AI Score

Confidence

Low

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

16.8%

Related for EDB-ID:37768