Windows Privilege Escalation

In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true.

Even worse for the enterprising hacker, modern browser exploitation frequently lands you with the lowest possible privileges: thanks to sandboxing, often without even the ability to read or write files outside certain directories or to interact with processes other than your own. One major advantage of kernel vulnerabilities is that they skip right out of those sandboxes straight to NT AUTHORITY\SYSTEM.

Two Windows vulnerabilities, one patched in February and the second in March, get exploits this week for your privilege escalating pleasure.

Test Our Mettle

Over the years there have been several iterations of Meterpreter for a POSIX environment, with limited success. As of this week, we're shipping a new contender for the throne of unix payloads: Mettle. It's a ground-up implementation of the Meterpreter protocol and feature set for multiple architectures and POSIX platforms. One of the barriers to such a payload has been the fact that it requires packaging up a static libc and any other libraries it will need on the target. This is in contrast to Windows, where the extreme adherence to backwards compatibility through the ages means that things like the socket functions in ws2_32.dll can be relied upon pretty universally, which just isn't remotely true of all the various unices. Android's Bionic libc was the most recent attempt, but several issues have made it clear we needed something else. Mettle uses musl, a small, highly portable, optimized libc. While we're currently only testing on Linux, musl's portability will give us the ability to expand to other things like Solaris and BSD in the future.
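The static-libc design described above has a visible fingerprint: an ELF binary that bundles its own libc has no PT_INTERP program header (no dynamic loader path) and no PT_DYNAMIC segment, which is exactly why one file can run across distributions whose system libc differs. The following checker, an added example that is not Mettle or Metasploit code, reads only the ELF header and program header table and reports that linkage, which is a handy triage step when an unfamiliar statically linked binary shows up on a host. The sample images it builds are constructed inline for demonstration (they are not runnable programs), and the loader path in the constructed dynamic sample is an assumed value.

```python
"""Classify an ELF image as statically or dynamically linked.

Added example (not Mettle or Metasploit code): walks the ELF header and
program header table looking for PT_INTERP (dynamic loader path) and
PT_DYNAMIC. A binary with neither, like a payload built against a static
musl libc, needs no libraries from the target. Handles ELF32/ELF64 and
both byte orders; uses only the standard library.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def elf_linkage(data: bytes) -> dict:
    """Return {"class", "static", "interpreter", "has_dynamic"} for an ELF image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64; 1/2 = LE/BE
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        ph_fmt = end + "IIQQQQQQ"                  # p_type, p_flags, p_offset, ...
    elif ei_class == 1:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        ph_fmt = end + "IIIIIIII"                  # p_type, p_offset, p_vaddr, ...
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    interpreter, has_dynamic = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type = ph[0]
        # p_offset / p_filesz live at different field indices in ELF32 and ELF64
        p_offset, p_filesz = (ph[2], ph[5]) if ei_class == 2 else (ph[1], ph[4])
        if p_type == PT_INTERP:
            interpreter = data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return {
        "class": 64 if ei_class == 2 else 32,
        "static": interpreter is None and not has_dynamic,
        "interpreter": interpreter,
        "has_dynamic": has_dynamic,
    }


def build_sample_elf64(dynamic: bool) -> bytes:
    """Constructed sample: a minimal, non-executable ELF64 image for the checker."""
    interp = b"/lib64/ld-linux-x86-64.so.2\x00"   # assumed loader path (constructed)
    n = 3 if dynamic else 1                       # number of program headers
    interp_off = 64 + 56 * n                      # interp string follows the phdr table
    phdrs = [struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if dynamic:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                                 len(interp), len(interp), 1))
        phdrs.append(struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 0, 0, 0, 0, 0, 8))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x400000,       # ET_EXEC, x86-64, version, entry
                               64, 0, 0,                 # e_phoff, e_shoff, e_flags
                               64, 56, n, 64, 0, 0)      # header sizes/counts, no sections
    return ehdr + b"".join(phdrs) + (interp if dynamic else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(elf_linkage(f.read()))
    else:
        for flag in (False, True):
            print("dynamic=%s ->" % flag, elf_linkage(build_sample_elf64(flag)))
```

Run it with a path to inspect a real file, or with no arguments to see both constructed samples classified. The check is deliberately header-only: it does not execute or load the file, so it is safe to point at anything recovered from a host.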

The old implementation will continue to live side-by-side with the new one for a while, but once Mettle has the main required features, the Bionic-based POSIX Meterpreter will be allowed to retire to a beach somewhere to drink margaritas and complain about kids these days.

New Modules

Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.11...4.12.14

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.