module
MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
| Disclosed | Created |
|---|---|
| 2012-11-27 | 2018-05-30 |
Disclosed
2012-11-27
Created
2018-05-30
Description
Due to a problem with isolating window broadcast messages in the Windows kernel,
an attacker can broadcast commands from a lower Integrity Level process to a
higher Integrity Level process, thereby effecting a privilege escalation. This
issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and
RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#
does not work in Vista, so the attacker will have to check if the user is already
running a command prompt and set SPAWN_PROMPT false.
Three exploit techniques are available with this module. The WEB technique will
execute a powershell encoded payload from a Web location. The FILE technique
will drop an executable to the file system, set it to medium integrity and execute
it. The TYPE technique will attempt to execute a powershell encoded payload directly
from the command line, but may take some time to complete.
an attacker can broadcast commands from a lower Integrity Level process to a
higher Integrity Level process, thereby effecting a privilege escalation. This
issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and
RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#
does not work in Vista, so the attacker will have to check if the user is already
running a command prompt and set SPAWN_PROMPT false.
Three exploit techniques are available with this module. The WEB technique will
execute a powershell encoded payload from a Web location. The FILE technique
will drop an executable to the file system, set it to medium integrity and execute
it. The TYPE technique will attempt to execute a powershell encoded payload directly
from the command line, but may take some time to complete.
Authors
Tavis Ormandy
Axel Souchet
Ben Campbell eat_meatballs@hotmail.co.uk
Axel Souchet
Ben Campbell eat_meatballs@hotmail.co.uk
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.