Metasploit modules that can be used to exploit Microsoft » Windows Vista

This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. Authors: - Michael Heerklotz - juan vazquez <juan.vazquez@metasploit.com>

More information

This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the Protected Mode and execute code with Medium Integrity. At the moment, this module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11. Authors: - Unknown - Henry Li - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz help. It has been tested successfully on Windows 2008. Authors: - Tom Maddock - Sylvain Monne - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 until version 11 within Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 box due to the Powershell limitation. Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other newer Windows systems, the exploit will try using Powershell instead. Authors: - Robert Freeman - yuange - Rik van Duijn - Wesley Neelen - GradiusX <francescomifsud@gmail.com> - b33f - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an older version of Windows (such as XP) work best for this because they require little configuration to get going. The PPSX file is what you should send to your target. In detail, the vulnerability has to do with how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes, which may be leveraged for code execution. First of all, Packager does not load the INF file directly. As an attacker, you can trick it to load your INF anyway by embedding the file path as a remote share in an OLE object. The packager will then treat it as a type of media file, and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will download it with a CopyFileW call, save it in a temp folder, and pass that information for later. The exploit will do this loading process twice: first for a fake gif file that's actually the payload, and the second for the INF file. The packager will also look at each OLE object's XML Presentation Command, specifically the type and cmd property. In the exploit, "verb" media command type is used, and this triggers the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3" is used (again, for the INF file), it will cause the packager to try to find appropriate handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that will install/run the malicious INF file, and finally give us arbitrary code execution. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com> - Spencer McIntyre - OJ Reeves <oj@buffered.io>

More information

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox. NOTE: when a meterpreter session started by this exploit exits, winlogin.exe is likely to crash. Authors: - Nils - Jon - Donato Capitella <donato.capitella@mwrinfosecurity.com> - Ben Campbell <ben.campbell@mwrinfosecurity.com>

More information

This module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com>

More information

This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large value, which ends up being 0, but it still gets pushed as a dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user. Authors: - Unknown - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot] section. An arbitrary path can be used as screen saver, including a remote SMB resource, which allows for remote code execution when a malicious .theme file is opened, and the "Screen Saver" tab is viewed. The code execution is also triggered if the victim installs the malicious theme and stays away from the computer, when Windows tries to display the screensaver. Authors: - Eduardo Prado - juan vazquez <juan.vazquez@metasploit.com> - Matthew Hall <hallm@sec-1.com>

More information

This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1. Authors: - Tavis Ormandy <taviso@cmpxchg8b.com> - progmboy <programmeboy@gmail.com> - Keebie4e - egypt <egypt@metasploit.com> - sinn3r <sinn3r@metasploit.com> - Ben Campbell <eat_meatballs@hotmail.co.uk> - juan vazquez <juan.vazquez@metasploit.com> - OJ Reeves

More information

Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. Three exploit techniques are available with this module. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line, but may take some time to complete. Authors: - Tavis Ormandy - Axel Souchet - Ben Campbell <eat_meatballs@hotmail.co.uk>

More information

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition. Authors: - Luigi Auriemma - Daniel Godas-Lopez - Alex Ionescu - jduck <jduck@metasploit.com> - #ms12-020

More information

This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into opening the malicious document, which will load up either a python or ruby payload, and finally, download and execute an executable. Authors: - Yorick Koster - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, msvcrt ROP is used by default. However, if you know your target's patch level, you may also try the 'MSHTML' advanced option for an info leak based attack. Currently, this module only supports two MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3. Or 8.0.6001.19120, which is patch level before the MS12-004 fix. Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop. Authors: - Shane Garrett - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>

More information

This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash. Authors: - jduck <jduck@metasploit.com>

More information

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view. Authors: - Moti & Xu Hao - Yaniv Miron aka Lament of ilhack - jduck <jduck@metasploit.com>

More information

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild. Authors: - jduck <jduck@metasploit.com> - hdm <x@hdm.io>

More information