PrivEsc
Exploit-DB Vuln Name MS# 2K XP 2003 2008
11199 KiTrap0D/vdmallowed (32bit) MS10-015 All All All All
14610 Chimichurri MS10-059 - - - All
15589 Task Scheduler MS10-092 - - - SP0/SP1/SP2
NDProxy.sys MS11-046 SP3 SP2
40627 Remote Access Service NDISTAPI MS11-060 SP3 SP2
18176 AFD.Sys MS11-080 - SP3 SP2 -
27296 HWND_BROADCAST Low to Medium Integrity MS13-005 All
33213 NTUserMessageCall Win32k Kernel MS13-053
30014/37732/ NDPROXY MS14-002 SP3 SP2
33892 IE Sandbox Escape IE (8-11) MS14-009 All
39446 afd.sys' Dangling Pointer Privilege MS14-040
39525 afd.sys' Dangling Pointer Privilege MS14-040
39666/35101 win32k.sys MS14-058 SP3 SP3 SP1
37064 win32k.sys MS14-058
39666 win32k.sys MS14-058 SP3 SP3 SP1
37755/35936 TCP/IP IOCTL MS14-070 SP2
TCP/IP IOCTL MS14-070 SP2
35983 Web Proxy IE Sandbox Escape MS15-004
NtApphelpCacheControl Improper MS15-001
39035 win32k Local Privilege Escalation MS15-010
37049 Microsoft Windows Kernel Memory MS15-051 SP2 ALL
Microsoft Windows Kernel Memory MS15-051 SP1 (64bit)
Windows XP/2K3/VISTA/2K8/7 use-after-free MS15-061 SP2 ALL
38222 Windows Font Driver Buffer Overflow MS15-078
39788 WebDAV Local Privilege Escalation MS16-016
WebDAV Local Privilege Escalation MS16-016
40107 Secondary Logon Service (x86) MS16-032 SP1/SP2
39719 Secondary Logon Service (x86) MS16-032 SP1/SP2
Win32k Elevation of Privilege Vuln MS16-135
40823 Win32k Elevation of Privilege Vuln MS16-135
Exploits
Vista 7 8.1 Type Metasploit
All All exe http://bhafsec.com/files/windows/KiTrap0d.zip
All SP0 Compiled (but couldn’t be tested)
SP1/SP2 SP0 script 15589.wsf
http://bhafsec.com/files/windows/ms11-046.exe
http://bhafsec.com/files/windows/MS11-062.exe
- - exe, py http://bhafsec.com/files/windows/ms110-080.exe
All All All ms13_005_hwnd_broadcast
SP0/SP1 ms13_053_schlamperei
http://bhafsec.com/files/windows/MS14-002.exe
All All All ms14_009_ie_dfsvc
x86 .exe MS14-40-x32.exe
x64 .exe
SP1 Windows TrackPopupMenu Win32k NULL Pointer Dereference
8.0/8.1 py -> exe 37064_dont_delete_win8.exe
SP1 exe 39666.exe (can't compile)
exe, py
ms14_070_tcpip_ioctl
SP1 ms15_004_tswbproxy
All ntapphelpcachecontrol
8.1 exe 39035.zip
ALL SP1 8.0/8.1 exe 37049-32.exe, 37049-64.exe,
SP1(32/64) ms15_051_client_copy_image
ALL ALL ALL Didn’t work for win7. http://bhafsec.com/files/windows/ms15-061.cpp
8.1x64 ms15_078_atmfd_bof
All exe 39788.zip
All ms16_016_webdav
SP2 SP1 8.1 ms16_032_secondary_logon_handle_privesc
SP2 SP1 8.1 ps1 39719.ps1 -> Powershell.exe -exec bypass -Command "& {Import-Module "C:\Users\Tanvir\Desktop\39719.ps1"; Invoke-MS16-032}"
exe -> win1http://www.bhafsec.com/files/windows/MS16-135.zip
exe -> win140823.zip
Exploit-DB Vuln Name MS# 2K XP 2003 2008 Vista 7 8.1
100 RPC DCOM MS03-026 SP3/4 - - - - -
103 RPC2 MS03-039 all (CN) - - - - -
109 RPC2 MS03-039 all - - - - -
119 Netapi MS03-049 SP4 - - - - -
3022 ASN.1 MS04-007 SP2/3/4 SP0/1 - - - -
275 SSL BOF MS04-011 SP4 ? - - - -
295 Lsasrv.dll MS04-011 SP2/3/4 SP0/1 - - - -
734 NetDDE BO MS04-031 SP2/3/4 SP0/1 - - - -
1075 Messaging MS05-017 SP3/4 SP0/1 - - - -
1149 PnP Service MS05-039 SP4 - - - - -
2223 Canonicali MS06-040 - SP1 - - - -
2265 NetIPSRem MS06-040 SP0-4 SP0/1 - - - -
2789 NetPManag MS06-070 SP4 - - - - -
7104 Service Co MS08-067 SP4 SP2/3 SP1/2 -
7132 Service Co MS08-067 SP4 - SP2 - - -
14674 SRV2.SYS MS09-050 - - - All SP1/2 -
Microsoft P MS10-061 SP2/SP3 SP3 ALL SP1/SP2 All
24017 Microsoft I MS12-037 All
24495 Internet Explorer MS13-009 SP3 SP2
28187 Internet Explorer MS13-055 SP3 All
Internet Explorer MS13-059 SP1
39698 Microsoft MS15-112 SP1
Type Metasploit
ms06_040_netapi
ms08_067_netapi
http://bhafsec.com/files/windows/MS08-067.rar
smb2_negotiate_func_index
ms10_061_spoolss
html
IE ms13_009_ie_slayoutrun_uaf
IE ms13_055_canchor
IE ms13_059_cflatmarkuppointer
html
Name CVE Download_link
Samba CVE-2017-7494 http://www.securityfocus.com/data/vulnerabilities/exploits/98636.py
Samba CVE-2017-7494 https://dl.packetstormsecurity.net/1706-exploits/NAsamba.pl.txt
SMB MS17-010 https://www.exploit-db.com/exploits/41987/
Eternal_blue MS17-010 https://www.exploit-db.com/exploits/42031/
https://www.exploit-db.com/exploits/42030/
https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
cve-2014-0038
CVE-2016-5195
DccwBypassUAC
MS-17-010
potato
cve-2016-7255
CVE-2016-3074 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/s
php < 7.0 CVE-2016-3078
nightmare https://github.com/dyntopia/exploits/tree/master/nightmare-ipc
php < 7 cve-2016-5399
ms08-067
smbv2 ms09-050
samba cve-2017-7494
CVE-2012-0217
MS14-070 35936-1.exe
All-in-one
cve-2016-7255
MS12-042 CVE-2012-0217
CVE-2014-4971
LPE_AT-UAC-Win7+
ms14-068.exe
MS03-026
MS05-039 - PnP Service
MS08-025 - win32k.sys
MS08-067
MS08-068
MS10-015 - KiTrap0D
MS11-080 - AFD.sys
MS14-002
MS14-058
MS14-070
MS14-070_01
MS14-070-02.exe
MS15-051
MS16-135
Potato
Potato_1
RottenPotato-master
MS16-075 SysExec-master
MS15-076 Trebuchet
UACME
WinSystemHelper-master
Info Machine TYPE
http://www.securityfocus.com/bid/98636/info
Linux RCE
Windows - RCE
Windows Server 2008 R2 64 RCE
Windows 7/2008 R2 RCE
Windows 8/2012 R2
Windows 7/2008
Windows 8/10
All RCE
win 7/8/10 server2008/2012 local
vista above all local
Ubuntu 15 rce
linux rce
Linux rce
Linux rce
xp/2000/2003/2008 rce
server 2008 R1/R2 rce
Linux
Win Server 2008 R2/R2 SP1/Win rce
7 Gold/SP1 local
Windows Server 2003 SP2 local
Windows
win 7 SP1/8.1/10 prior to build local
7/8,/8.1/10
1607/Server 2012 R2 local
win 7/sp1/server 2008 sp1/sp2 local
Windows 7+ local
Windows 7,8,10, Server 2008, Server 2012
Windows 7,8,10, Server 2008, Server 2012 local
Windows 7,8,10, Server 2008, local
Server 2012 local
local
local
Windows 7/8/8.1/10TH1/10TH2/10RS1/10RS2 local
all local
- [CVE-2017-0213](./CVE-2017-0213) [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010)
- [MS17-010](./MS17-010) [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
- [MS16-135](./MS16-135) [KB3199135] [Windows Kernel Mode Drivers] (2016)
- [MS16-098](./MS16-098) [KB3178466] [Kernel Driver] (Win 8.1)
- [MS16-075](./MS16-075) [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
- [MS16-032](./MS16-032) [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
- [MS16-016](./MS16-016) [KB3136041] [WebDAV] (2008/Vista/7)
- [MS15-097](./MS15-097) [KB3089656] [remote code execution] (win8.1/2012)
- [MS15-076](./MS15-076) [KB3067505] [RPC] (2003/2008/7/8/2012)
- [MS15-077](./MS15-077) [KB3077657] [ATM] (XP/Vista/Win7/Win8/2000/2003/2008/2012)
- [MS15-061](./MS15-061) [KB3057839] [Kernel Driver] (2003/2008/7/8/2012)
- [MS15-051](./MS15-051) [KB3057191] [Windows Kernel Mode Drivers] (2003/2008/7/8/2012)
- [MS15-010](./MS15-010) [KB3036220] [Kernel Driver] (2003/2008/7/8)
- [MS15-015](./MS15-015) [KB3031432] [Kernel Driver] (Win7/8/8.1/2012/RT/2012 R2/2008 R2)
- [MS15-001](./MS15-001) [KB3023266] [Kernel Driver] (2008/2012/7/8)
- [MS14-070](./MS14-070) [KB2989935] [Kernel Driver] (2003)
- [MS14-068](./MS14-068) [KB3011780] [Domain Privilege Escalation] (2003/2008/2012/7/8)
- [MS14-058](./MS14-058) [KB3000061] [Win32k.sys] (2003/2008/2012/7/8)
- [MS14-040](./MS14-040) [KB2975684] [AFD Driver] (2003/2008/2012/7/8)
- [MS14-002](./MS14-002) [KB2914368] [NDProxy] (2003/XP)
- [MS13-005](./MS13-005) [KB2778930] [Kernel Mode Driver] (2003/2008/2012/7/8)
- [MS12-020](./MS12-020) [KB2671387] [RDP] (2003/2008/7/XP)
- [MS11-080](./MS11-080) [KB2592799] [AFD.sys] (2003/XP)
- [MS11-062](./MS11-062) [KB2566454] [NDISTAPI] (2003/XP)
- [MS11-046](./MS11-046) [KB2503665] [AFD.sys] (2003/2008/7/XP)
- [MS11-011](./MS11-011) [KB2393802] [kernel Driver] (2003/2008/7/XP/Vista)
- [MS10-092](./MS10-092) [KB2305420] [Task Scheduler] (2008/7)
- [MS10-059](./MS10-059) [KB982799] [ACL-Churraskito] (2008/7/Vista)
- [MS10-015](./MS10-015) [KB977165] [KiTrap0D] (2003/2008/7/XP)
- [MS09-050](./MS09-050) [KB975517] [Remote Code Execution] (2008/Vista)
- [MS09-012](./MS09-012) [KB959454] [Chimichurri] (Vista/win7/2008/Vista)
- [MS08-068](./MS08-068) [KB957097] [Remote Code Execution] (2000/XP)
- [MS08-067](./MS08-067) [KB958644] [Remote Code Execution] (Windows 2000/XP/Server 2003/Vista/Server 20
- [MS08-025](./MS08-025) [KB941693] [Win32.sys] (XP/2003/2008/Vista)
- [MS06-040](./MS06-040) [KB921883] [Remote Code Execution] (2003/xp/2000)
- [MS05-039](./MS05-039) [KB899588] [PnP Service] (Win 9X/ME/NT/2000/XP/2003)
- [MS03-026](./MS03-026) [KB823980] [Buffer Overrun In RPC Interface] (NT/2000/XP/2003)