
MS16-016 WEBDAV privilege escalation

Good evening friends. Recently we saw privilege escalation in Windows 7 using the bypass UAC exploit. Today we will see another exploit, ms16-016 mrxdav.sys WebDAV, for privilege escalation on 32-bit Windows machines. mrxdav.sys is a Windows driver, also known as the Windows NT WebDav Minirdr, that Windows computers use to access WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specially crafted input to a server to escalate privileges. Now let us see how this exploit works.

First hack the Windows system with Metasploit using one of the methods shown previously. Once you have a meterpreter session, check the privileges by typing the command “getuid”. We don’t have SYSTEM privileges. Background the session by typing the command “background”.

Load the ms16-016 webdav exploit.

We need only one option: the session id of the session we just backgrounded. Set the session id and run the exploit. The exploit ran successfully.

Now verify the privileges by typing the “getuid” command once again. We now have SYSTEM privileges on the target.

See how to enumerate all the installed programs on the target.
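
For the defender's side of this walkthrough, the following PowerShell script is an added example, not part of the original post: it reports whether a host still has mrxdav.sys present and loadable. The `-PatchKb` parameter (a placeholder to fill in from Microsoft's MS16-016 bulletin) and the `LikelyExposed` heuristic are assumptions of this example.

```powershell
# Added example (not from the original post): report whether this host still has
# the WebDAV mini-redirector (mrxdav.sys) present and loadable.
param(
    # Placeholder: pass the KB number listed in Microsoft's MS16-016 bulletin.
    [string]$PatchKb = ''
)

# The page scopes the exploit to 32-bit Windows, so record the OS architecture.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$is32 = $os.OSArchitecture -like '32*'

# Driver binary on disk and its file version, for comparison with a patched baseline.
$path    = Join-Path $env:SystemRoot 'System32\drivers\mrxdav.sys'
$file    = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
$version = $null
if ($file) { $version = $file.VersionInfo.FileVersion }

# Kernel driver entry (MRxDAV) and the WebClient service that depends on it.
$driver   = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='MRxDAV'"
$client   = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
$loadable = [bool]($driver -and $driver.StartMode -ne 'Disabled')

# Get-HotFix matches only that exact KB; a superseding update will not show here.
$patched = $null                       # $null means "not checked"
if ($PatchKb) {
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
}

# Heuristic of this example: 32-bit OS, driver loadable, patch not confirmed.
$exposed = [bool]($is32 -and $file -and $loadable -and ($patched -ne $true))

New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    Is32BitOS       = $is32
    DriverVersion   = $version
    DriverState     = $(if ($driver) { $driver.State } else { 'NotInstalled' })
    DriverStartMode = $(if ($driver) { $driver.StartMode } else { $null })
    WebClientState  = $(if ($client) { $client.State } else { 'NotInstalled' })
    WebClientStart  = $(if ($client) { $client.StartMode } else { $null })
    PatchInstalled  = $patched
    LikelyExposed   = $exposed
}
```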
