Vulnerability & Exploit Database

MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation

Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT.

Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so on that platform the attacker has to check whether the user is already running a command prompt and set SPAWN_PROMPT to false.

Three exploit techniques are available with this module:

  • WEB: executes a PowerShell encoded payload from a Web location.
  • FILE: drops an executable to the file system, sets it to medium integrity and executes it.
  • TYPE: attempts to execute a PowerShell encoded payload directly from the command line, but may take some time to complete.

Module Name

exploit/windows/local/ms13_005_hwnd_broadcast

Authors

  • Tavis Ormandy
  • Axel Souchet
  • Ben Campbell <eat_meatballs [at] hotmail.co.uk>

Targets

  • Windows x86
  • Windows x64

Platforms

  • windows

Architectures

  • x86
  • x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
    ...targets...
msf exploit(ms13_005_hwnd_broadcast) > set TARGET <target-id>
msf exploit(ms13_005_hwnd_broadcast) > show options
    ...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit