module
MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
Disclosed | Created |
---|---|
11/27/2012 | 05/30/2018 |
Description
Due to a problem with isolating window broadcast messages in the Windows kernel,
an attacker can broadcast commands from a lower Integrity Level process to a
higher Integrity Level process, thereby effecting a privilege escalation. This
issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and
RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+#
does not work in Vista, so the attacker will have to check whether the user is already
running a command prompt and set SPAWN_PROMPT to false.

Three exploit techniques are available with this module. The WEB technique will
execute an encoded PowerShell payload from a Web location. The FILE technique
will drop an executable to the file system, set it to medium integrity and execute
it. The TYPE technique will attempt to execute an encoded PowerShell payload directly
from the command line, but may take some time to complete.
Authors
Tavis Ormandy, Axel Souchet, Ben Campbell
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

```
msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show actions
    ...actions...
msf exploit(ms13_005_hwnd_broadcast) > set ACTION <action-name>
msf exploit(ms13_005_hwnd_broadcast) > show options
    ...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > run
```
