Common Windows exploits
lethanhtung01011980 edited this page Apr 23, 2020 · 31 revisions
- Multiple Windows exploits: https://github.com/SecWiki/windows-kernel-exploits or https://github.com/lethanhtung01011980/windows-kernel-exploits-seckwiki (backup)
- MS09-012 (not tested): https://github.com/egre55/windows-kernel-exploits
- MS09-050 - CVE-2009-3103: https://github.com/lethanhtung01011980/Notes/wiki/ms09_-050_-cve2009_3103
- MS10-059 (Arctic): https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled
- MS16-032 (Optimum): https://www.exploit-db.com/exploits/39719 and https://github.com/egre55/windows-kernel-exploits
- MS16-135: https://github.com/lethanhtung01011980/Empire/tree/master/data/module_source/privesc
- MS17-010 - CVE-2017-0143: https://github.com/lethanhtung01011980/Notes/wiki/ms17_010-_cve2017_0143, https://github.com/lethanhtung01011980/MS17-010 and (if no named pipe is reachable) https://wiki.jacobshodd.com/writeups/hack-the-box/blue
- CVE-2017-7269 (Grandpa): https://github.com/lethanhtung01011980/Notes/wiki/Common-Windows-exploits#web-target and https://github.com/lethanhtung01011980/iis6-exploit-2017-CVE-2017-7269
- CVE-2017-0213: COM Aggregate Marshaler: https://github.com/egre55/windows-kernel-exploits
- Win Exp Suggester: https://github.com/lethanhtung01011980/Notes/wiki/WinExpSuggester
- WindowsEnum (PoE): https://github.com/absolomb/WindowsEnum
IIS 6.0:
  - Ref: Grandpa
  - Windows 2003 x86
  - CVE-2017-7269 (buffer overflow in the WebDAV ScStoragePathFromUrl function; WebDAV must be enabled on the target)
  - https://www.exploit-db.com/exploits/41738
  - MSF: use exploit/windows/iis/iis_webdav_scstoragepathfromurl
  - Working sample: https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell
  - Gives a reverse shell as a low-privileged user, so local privilege escalation is still needed afterwards
  - Manual exploit: https://exp1o1t9r.com/2020/01/26/hackthebox-grandpa-writeup/
  - Nmap NSE scan script: https://github.com/nmap/nmap/pull/828#issuecomment-435436237
- Common initial scan to get suggested Windows exploits
  - Ref: Grandpa
  - Tutorial: https://null-byte.wonderhowto.com/how-to/get-root-with-metasploits-local-exploit-suggester-0199463/
  - Needs an existing reverse (Meterpreter) session first. Press Ctrl-Z (or type `background`) to background the current Meterpreter session and return to the msf prompt.
  - MSF: use post/multi/recon/local_exploit_suggester => set SESSION [id1] => run
  - Use the suggested exploits to attack; they run as x86 by default. If the target is x64, migrate to an x64 process after this step, before running them.
  - Go back to the session (sessions -i [id1]) and check whether it is elevated: getuid