Windows Local Privilege Escalation MS16-032

Windows Local Privilege Escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. – Wikipedia

The target machine I used for this tutorial is a lab machine that is available in Lab 11.

I was tunneling through SSH to reach port 3389 (RDP) on the target, which sits in the DMZ.

SSH Tunneling to RDP

After brute-forcing the RDP (Remote Desktop Protocol) login using Patator, I was able to connect to the Windows machine, but only with limited permissions (a non-administrator account).

I used CVE-2016-0099 (MS16-032) for the Windows local privilege escalation.

An elevation of privilege vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows manages request handles in memory. – Microsoft

After some Googling, I found a local exploit for Windows 7 through Windows 10 (both 32-bit and 64-bit).

Here is the exploit:


Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)

Done, we got system access.
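To check whether a host is still exposed to the Secondary Logon bug the Microsoft advisory above describes, here is a PowerShell audit script I am adding as an example (it is not from the original post or from the exploit's author). It assumes it is run in an elevated session and that you supply the KB number from the MS16-032 bulletin for your OS; the default below is a placeholder, not a real KB id.

```powershell
# Added example: audit a host for MS16-032 (CVE-2016-0099) exposure.
# Assumptions: run elevated; $KbId is the KB number listed in the MS16-032
# bulletin for this OS (placeholder default, look it up before running).
param(
    [string]$KbId = 'KB<number-from-MS16-032-bulletin>'
)

function Get-Ms16032Status {
    param([string]$KbId)

    # The vulnerable component is the Secondary Logon service (seclogon),
    # which backs "Run as different user" and runas.exe. Report its state
    # rather than disabling it: runas and some installers depend on it.
    $svc = Get-Service -Name 'seclogon' -ErrorAction SilentlyContinue
    $svcState = if ($svc) {
        "$($svc.Status) (StartType: $($svc.StartType))"
    } else {
        'not present'
    }

    # Get-HotFix reads the installed-updates list. A later cumulative update
    # that supersedes the KB will not show under the original number, so a
    # miss is a prompt to check the OS build, not proof of exposure.
    $patch = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = "$($os.Caption) build $($os.BuildNumber)"
        SecondaryLogon   = $svcState
        PatchInstalled   = [bool]$patch
        PatchInstalledOn = if ($patch) { $patch.InstalledOn } else { $null }
    }
}

Get-Ms16032Status -KbId $KbId | Format-List
```

On a fleet, run the function through Invoke-Command and collect the objects; PatchInstalled set to $false on a host whose build predates the fix is what needs follow-up.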
