module
Nvidia (nvsvc) Display Driver Service Local Privilege Escalation
| Disclosed | Created |
|---|---|
| 2012-12-25 | 2018-05-30 |
Disclosed
2012-12-25
Created
2018-05-30
Description
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
interact with the service. It contains a stacked based buffer overflow as a result
of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
the service name is 'nvsvc', and the named pipe is 'nsvr'.
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
interact with the service. It contains a stacked based buffer overflow as a result
of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
the service name is 'nvsvc', and the named pipe is 'nsvr'.
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
Authors
Peter Wintersmith
Ben Campbell eat_meatballs@hotmail.co.uk
Ben Campbell eat_meatballs@hotmail.co.uk
Platform
Windows
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.