Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation
This module exploits the keyboard layout vulnerability that was used by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.
Rank
- Normal
Authors
- Ruben Santamarta
- jduck < jduck [at] metasploit.com >
Vulnerability References
- OSVDB-68552
- CVE-2010-2743
- MSB-MS10-073
- http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_0Day_Exploit...
- http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1
- EDB-15985
Similar Modules
- post/windows/escalate/bypassuac
- post/windows/escalate/droplnk
- post/windows/escalate/getsystem
- post/windows/escalate/ms10_092_schelevator
- post/windows/escalate/net_runtime_modify
- post/windows/escalate/screen_unlock
- post/windows/escalate/service_permissions
Usage Information
$ msfconsole
msf > use post/windows/escalate/ms10_073_kbdlayout
msf post(ms10_073_kbdlayout) > set SESSION [INTEGER]
Module Options
| SESSION | The session to run this module on. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
