
MS16-016 WEBDAV privilege escalation

Good evening friends. Recently we have seen privilege escalation in Windows 7 with the bypass UAC exploit. Today we will see another exploit, ms16-016 mrxdav.sys WEBDAV, for privilege escalation on 32-bit Windows machines. mrxdav.sys is a Windows driver. It is also called the Windows NT WebDav Minirdr and is used on Windows computers to utilize WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specially crafted input to a server to escalate privileges. Now let us see how this exploit works.

First hack the Windows system with Metasploit by using one of the methods shown here, here or here. Once you have a meterpreter session, check the privileges by typing the command “getuid”. We don’t have SYSTEM privileges. Background the session by typing the command “background” as shown below.

Load the ms16-016 webdav exploit as shown below.

We need only one option: the session id of the session we just backgrounded. Set the session id as shown below. Run the exploit. The exploit ran successfully.

Now verify the privileges by typing the “getuid” command once again as shown below. We successfully got SYSTEM privileges.

As we can see in the above image, we now have SYSTEM privileges on the target. See how to enumerate all the installed programs on the target.
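From the defender's side, the driver and WebDAV client described at the top of this post can be inventoried on each host. The following PowerShell is an added example, not part of the original post; the function name Get-MrxDavExposure and the ReviewPatchLevel field are hypothetical, and the script only reports state, leaving the comparison of the driver file version against Microsoft's MS16-016 bulletin to the operator.

```powershell
# Added example: local inventory of the components this post's exploit relies on.
# Get-WmiObject is used so the script also runs on PowerShell 2.0 (Windows 7 default).
function Get-MrxDavExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # MRxDAV is the kernel driver service backed by mrxdav.sys.
    $driver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='MRxDAV'"

    # WebClient is the user-mode WebDAV client service that uses the driver.
    $webClient = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"

    # Read the on-disk driver version so it can be compared with the bulletin.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\mrxdav.sys'
    $fileVersion = $null
    if (Test-Path $driverPath) {
        $fileVersion = (Get-Item $driverPath).VersionInfo.FileVersion
    }

    # The post describes the exploit as working on 32-bit Windows.
    # OSArchitecture is localized, so match on the leading digits only.
    $is32Bit = $os.OSArchitecture -like '32*'

    $report = New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        OSCaption         = $os.Caption
        OSArchitecture    = $os.OSArchitecture
        DriverPresent     = ($driver -ne $null)
        DriverState       = if ($driver) { $driver.State } else { 'NotInstalled' }
        DriverStartMode   = if ($driver) { $driver.StartMode } else { $null }
        DriverFileVersion = $fileVersion
        WebClientState    = if ($webClient) { $webClient.State } else { 'NotInstalled' }
        WebClientStart    = if ($webClient) { $webClient.StartMode } else { $null }
        # Hypothetical flag: a prompt to check the patch level, not a verdict.
        ReviewPatchLevel  = ($is32Bit -and ($driver -ne $null))
    }

    $report | Select-Object ComputerName, OSCaption, OSArchitecture,
        DriverPresent, DriverState, DriverStartMode, DriverFileVersion,
        WebClientState, WebClientStart, ReviewPatchLevel
}

Get-MrxDavExposure | Format-List
```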