MS15-076
-
We can Copies a file to any privileged location on disk
-
The POC was from @monoxgas
Vulnerability reference:
notes
- Exploit can only be one once every 2-3 minutes. This is because RPC can be held up by LocalSystem
- The destination file can't already exist
- Tested on x64/x86 Windows 7/8.1
- Microsoft.VisualStudio.OLE.Inerop.dll must be in the same directory
Usage
c:> trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll