Rapid7 Vulnerability & Exploit Database

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

Back to Search

MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation



This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system.


  • Unknown
  • ryujin
  • Shahin Ramezany
  • juan vazquez <juan.vazquez@metasploit.com>






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > show targets
msf exploit(ms_ndproxy) > set TARGET < target-id >
msf exploit(ms_ndproxy) > show options
    ...show and set options...
msf exploit(ms_ndproxy) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security