Rapid7 VulnDB

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

Back to Search

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

Disclosed
11/27/2013
Created
05/30/2018

Description

This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system.

Author(s)

  • Unknown
  • ryujin
  • Shahin Ramezany
  • juan vazquez <juan.vazquez@metasploit.com>

Platform

Windows

Architectures

x86

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > show targets
    ...targets...
msf exploit(ms_ndproxy) > set TARGET < target-id >
msf exploit(ms_ndproxy) > show options
    ...show and set options...
msf exploit(ms_ndproxy) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;