SCADA local exploits on windows 7 platform.txt
[+]exploit/windows/local/ms18_8120_win32k_privesc
[+]exploit/windows/local/ms10_092_schelevator:
This module exploits the Task Scheduler 2.0 XML 0day exploited by
Stuxnet. When processing task files, the Windows Task Scheduler only
uses a CRC32 checksum to validate that the file has not been
tampered with. Also, in a default configuration, normal users can
read and write the task files that they have created. By modifying
the task file and creating a CRC32 collision, an attacker can
execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to
webDEViL for the information about disable/enable.
[+]exploit/windows/local/ms13_053_schlamperei:
This module leverages a kernel pool overflow in Win32k which allows
local privilege escalation. The kernel shellcode nulls the ACL for
the winlogon.exe process (a SYSTEM process). This allows any
unprivileged process to freely migrate to winlogon.exe, achieving
privilege escalation. This exploit was used in Pwn2Own 2013 by MWR
to break out of Chrome's sandbox. NOTE: when a meterpreter session
started by this exploit exits, winlogon.exe is likely to crash.
[+]exploit/windows/local/ms13_081_track_popup_menu:
This module exploits a vulnerability in win32k.sys where under
specific conditions TrackPopupMenuEx will pass a NULL pointer to the
MNEndMenuState procedure. This module has been tested successfully
on Windows 7 SP0 and Windows 7 SP1.
[+]exploit/windows/local/ms14_058_track_popup_menu:
This module exploits a NULL pointer dereference in win32k.sys; the
vulnerability can be triggered through the use of TrackPopupMenu.
Under special conditions, the NULL pointer dereference can be abused
in xxxSendMessageTimeout to achieve arbitrary code execution. This
module has been tested successfully on Windows XP SP3, Windows 2003
SP2, Windows 7 SP1 and Windows 2008 (32-bit), and also on Windows 7
SP1 and Windows 2008 R2 SP1 (64-bit).
[+]exploit/windows/local/ms15_051_client_copy_image:
This module exploits improper object handling in the win32k.sys
kernel mode driver. This module has been tested on vulnerable builds
of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
[+]exploit/windows/local/ms16_075_reflection:
This module uses Net-NTLMv2 reflection between DCOM/RPC to
obtain a SYSTEM handle for elevation of privilege. Currently the
module does not spawn as SYSTEM; however, once a shell is obtained,
one can easily use incognito to impersonate the token.
[+]exploit/windows/local/ppr_flatten_rec:
This module exploits a vulnerability in EPATHOBJ::pprFlattenRec caused
by the use of uninitialized data, which allows memory corruption.
At the moment, the module has been tested successfully on Windows XP
SP3, Windows 2003 SP1, and Windows 7 SP1.