WebDAV Exploit | Elevation of Privilege

Sharing is caring!

WebDAV Elevation of Privilege

Microsoft Web Distributed Authoring and Versioning aka WebDAV handles input improperly which leads to elevation of privilege to SYSTEM!

Let’s start with the information about lab environment and get our hands dirty.

Lab Configuration

Operating SystemSystem NameUser Logged inIP Address
Kali Linux (attacker machine)KaliRoot192.168.245.134
Windows 7 (x64 bit architecture)Win7lowuser (without administrative privileges)192.168.245.154

We will be demonstrating the working of the exploit in two scenarios. One having graphical access to the victim machine and the other one having initial level foothold of the victim machine in a reverse shell.

Method 1

Here we have managed to have graphical access to the victim machine with the initial foothold as ‘lowuser’ ( a normal user without administrative privileges) . Download the exploit from the link. This exploit will spawn a new command prompt in the graphical session with SYSTEM privileges.

The exploit first tries to load the malicious Shellcode.dll into the memory and then retrieves the address of the exported/loaded Dynamic Link Library (DLL) function. After a series of link calls of memory address of shellcode.dll, prints the output of NtAllocateVirtualMemory() function.

WebDAV Elevation of Privilege 1

Figure: Info of lowuser

As we are on the Windows 7 64-bit architecture machine, we will head straight to the EoP.exe executable. On Windows 10, the exploit causes Blue Screen of Death (BSOD). Open PowerShell or command prompt and run the following

WebDAV Elevation of Privilege 2

 

Figure: Running EoP.exe

 

And BOOM! We have a new command prompt with SYSTEM privileges

WebDAV Elevation of Privilege 3

Figure: Spawned Command Prompt

The exploit works very smooth and a new command prompt is spawned. However, while solving CTF’s or performing an pentest there is a very small possibility that we may find RDP access to the target machine. Things can become tedious if we have the working exploit and it requires RDP access to complete it.

In the next demonstration we have shown how we can leverage the vulnerability to run the same command window with SYSTEM privileges and not spawning a new shell which require graphical access. It has been allotted a CVE ID 2016-0051 and addressed by Microsoft in the Security Bulletin ( https://docs.microsoft.com/en-us/security updates/securitybulletins/2016/ms16-016 )

Method 2

We have the reverse shell of lowuser account on our attacker machine kali linux. We will upload the exploit to the victim machine, the exploit will trigger in the same way as explained above but now on the same shell ( *We do not need interactive logon*).

WebDAV Elevation of Privilege 4

Figure: Reverse shell of lowuser

The exploit can be downloaded from this link, it is packed with the executable and the malicious DLL. Once the exploit is uploaded to the victim machine, we just need to execute it.

WebDAV Elevation of Privilege 5

 

Figure: Exploit is uploaded

 

The exploit starts the Web Client service on the victim machine and as a result WebDAV server gets started.

WebDAV Elevation of Privilege 6

Figure: WebClient Service Started

The WebClient service runs with Local system privileges and hence after running the exploit we have the Local System privileges.

Running as NT AUTHORITY/ SYSTEM on the same process.

WebDAV Elevation of Privilege 7

Figure: Escalated to SYSTEM!! (same shell)

We will be covering more privilege escalation techniques and focus on such points which are overlooked during pentesting. Till then hacknpentest!!

Share

You may also like...

2 Responses

  1. Avatar Ashvani Soni says:

    Excellent work

Leave a Reply

Your email address will not be published. Required fields are marked *