Due to a problem with isolating window broadcast messages in the Windows kernel,
an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process,
thereby effecting a privilege escalation.
This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT.
Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista,
so on that platform the attacker will have to check whether the user is already running a command prompt and set SPAWN_PROMPT to false.
Three exploit techniques are available with this module.
The WEB technique will execute a PowerShell encoded payload fetched from a Web location.
The FILE technique will drop an executable to the file system,
set it to medium integrity and execute it.
The TYPE technique will attempt to execute a PowerShell encoded payload directly from the command line,
but may take some time to complete.
- The exploit was from @0vercl0k
Vulnerability reference:
msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
...targets...
msf exploit(ms13_005_hwnd_broadcast) > set TARGET <target-id>
msf exploit(ms13_005_hwnd_broadcast) > show options
...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit