Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076) Exploit

ID 1337DAY-ID-24042
Type zdt
Reporter monoxgas
Modified 2015-08-14T00:00:00


Exploit for Windows platform in category local exploits

MS15-076 (CVE-2015-2370) Privilege Escalation
Copies a file to any privileged location on disk
Compiled with VS2015, precompiled exe in Binary directory
Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll
This is a lightly modified Proof of Concept by James Forshaw with Google, found here:
CreateSymlink tool was written by James Forshaw found here:
Microsoft.VisualStudio.OLE.Interop.dll must be in the same directory
Exploit can only be run once every 2-3 minutes. This is because RPC can be held up by LocalSystem
Tested on x64/x86 Windows 7/8.1
Proof of Concept:

