MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. Three exploit techniques are available with this module. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line, but may take some time to complete.
Module Name
exploit/windows/local/ms13_005_hwnd_broadcast
Authors
- Tavis Ormandy
- Axel Souchet
- Ben Campbell <eat_meatballs [at] hotmail.co.uk>
References
Targets
- Windows x86
- Windows x64
Platforms
- windows
Architectures
- x86
- x64
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
...targets...
msf exploit(ms13_005_hwnd_broadcast) > set TARGET <target-id>
msf exploit(ms13_005_hwnd_broadcast) > show options
...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit