Skip to content
cyberexploits
localwindowstext

Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)

Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)

Published on 2015-08-13

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/local/37768.txt7eac4c3a
raw
Source: https://github.com/monoxgas/Trebuchet



Trebuchet

MS15-076 (CVE-2015-2370) Privilege Escalation



Copies a file to any privileged location on disk



Compiled with VS2015, precompiled exe in Binary directory



Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll



This is a lightly modified Proof of Concept by James Forshaw with Google, found here: https://code.google.com/p/google-security-research/issues/detail?id=325



CreateSymlink tool was written by James Forshaw found here: https://github.com/google/symboliclink-testing-tools



Notes:



Microsoft.VisualStudio.OLE.Inerop.dll must be in the same directory

Exploit can only be one once every 2-3 minutes. This is because RPC can be help up by LocalSystem

Tested on x64/x86 Windows 7/8.1



Proof of Concept:



https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37768.zip

View on GitHub