Metasploit modules that can be used to exploit Microsoft » Windows 10 » 1607
Microsoft Office Word MSDTJS
Disclosure Date: 2022-05-29
First seen: 2022-12-23
Module: exploit/windows/fileformat/word_msdtjs_rce
This module generates a malicious Microsoft Word document which, when loaded, leverages the remote template feature to fetch an `HTML` document and then uses the `ms-msdt` scheme to execute `PowerShell` code.
User Profile Arbitrary Junction Creation Local Privilege Elevation
Disclosure Date: 2022-03-17
First seen: 2022-12-23
Module: exploit/windows/local/cve_2022_26904_superprofile
The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919; however, both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and, at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user, and these credentials must also correlate with a user who has already logged in at least once before. Additionally, the current user running the exploit must have UAC set to the highest level, aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note, however, that "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.
Authors: KLINIX5, Grant Willcox
Win32k NtGdiResetDC Use After Free Local Privilege Elevation
Disclosure Date: 2021-10-12
First seen: 2022-12-23
Module: exploit/windows/local/cve_2021_40449
A use-after-free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists because this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the `NtGdiResetDC()` function again with the same handle as before, which results in the PDC object referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763); however, previous versions of Windows 10 will likely also work.
Authors: IronHusky, Costin Raiu, Boris Larin, Red Raindrop Team of Qi'anxin Threat Intelligence Center, KaLendsi, ly4k, Grant Willcox
Microsoft Office Word Malicious MSHTML RCE
Disclosure Date: 2021-09-23
First seen: 2022-12-23
Module: exploit/windows/fileformat/word_mshtml_rce
This module creates a malicious docx file which, when opened in Word on a vulnerable Windows system, leads to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
Print Spooler Remote DLL Injection
Disclosure Date: 2021-06-08
First seen: 2022-12-23
Module: exploit/windows/dcerpc/cve_2021_1675_printnightmare
The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector, which requires the Print Spooler service to be running.
Authors: Zhiniang Peng, Xuefeng Li, Zhipeng Huo, Piotr Madej, Zhang Yunhai, cube0x0, Spencer McIntyre, Christophe De La Fuente
Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
Disclosure Date: 2020-03-10
First seen: 2020-06-11
Module: exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which results in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later, as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.
Authors: itm4n, gwillcox-r7
Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation
Disclosure Date: 2020-02-20
First seen: 2020-12-15
Module: exploit/windows/local/cve_2020_1054_drawiconex_lpe
This module exploits CVE-2020-1054, an out-of-bounds write reachable from DrawIconEx within win32k. The out-of-bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows.
Authors: Netanel Ben-Simon, Yoav Alon, bee13oy, timwr
Service Tracing Privilege Elevation Vulnerability
Disclosure Date: 2020-02-11
First seen: 2020-05-14
Module: exploit/windows/local/cve_2020_0668_service_tracing
This module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.
Authors: itm4n, bwatters-r7
Microsoft Windows Uninitialized Variable Local Privilege Elevation
Disclosure Date: 2019-12-10
First seen: 2020-10-15
Module: exploit/windows/local/cve_2019_1458_wizardopium
This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitialized variable and allows user mode attackers to write a limited amount of controlled data to an attacker-controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.
Authors: piotrflorczyk, unamer, timwr
Microsoft UPnP Local Privilege Elevation Vulnerability
Disclosure Date: 2019-11-12
First seen: 2020-04-26
Module: exploit/windows/local/comahawk
This exploit uses two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
Authors: NCC Group, hoangprod, bwatters-r7
Microsoft Spooler Local Privilege Elevation Vulnerability
Disclosure Date: 2019-11-04
First seen: 2020-09-17
Module: exploit/windows/local/cve_2020_1048_printerdemon
This exploit leverages a file write vulnerability in the print spooler service, which restarts if stopped. Because the service cannot be stopped long enough to remove the DLL, there is no way to remove the DLL once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.
Authors: Yarden Shafir, Alex Ionescu, shubham0d, bwatters-r7
Microsoft Spooler Local Privilege Elevation Vulnerability
Disclosure Date: 2019-11-04
First seen: 2021-01-16
Module: exploit/windows/local/cve_2020_1337_printerdemon
This exploit leverages a file write vulnerability in the print spooler service, which restarts if stopped. Because the service cannot be stopped long enough to remove the DLL, there is no way to remove the DLL once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.
Authors: Peleg Hadar, Tomer Bar, 404death, sailay1996, bwatters-r7
Windows NtUserSetWindowFNID Win32k User Callback
Disclosure Date: 2018-10-09
First seen: 2020-04-26
Module: exploit/windows/local/cve_2018_8453_win32k_priv_esc
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This module is tested against Windows 10 v1703 x86.
Authors: ze0r, Kaspersky Lab, Jacob Robles
Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
Disclosure Date: 2018-08-27
First seen: 2020-04-26
Module: exploit/windows/local/alpc_taskscheduler
On vulnerable versions of Windows, the ALPC endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks`, because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\windows\tasks` folder, a hard link can be created to a file the user has read access to. After creating a hard link, the vulnerability can be triggered to set the DACL on the linked file. WARNING: The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host will be overwritten when the exploit runs. This module has been tested against Windows 10 Pro x64.
Authors: SandboxEscaper, bwatters-r7, asoto-r7, Jacob Robles
LNK Code Execution Vulnerability
Disclosure Date: 2017-06-13
First seen: 2020-04-26
Module: exploit/windows/local/cve_2017_8464_lnk_lpe
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar, except that an additional SpecialFolderDataBlock is included. The folder ID in this SpecialFolderDataBlock is set to the Control Panel, which is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
Authors: Uncredited, Yorick Koster, Spencer McIntyre
LNK Code Execution Vulnerability
Disclosure Date: 2017-06-13
First seen: 2020-04-26
Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar, except that an additional SpecialFolderDataBlock is included. The folder ID in this SpecialFolderDataBlock is set to the Control Panel, which is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. If no PATH is specified, the module uses drive letters D through Z, so the files may be placed in the root path of a drive such as a shared VM folder or USB drive.
Authors: Uncredited, Yorick Koster, Spencer McIntyre
16 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.