Archive for Windows Exploits

MS11-080 Local Privilege Escalation

MS11-080 – CVE-2011-2005 A great little Python script that escalates privileges and results in a SYSYEM shell. It works on Windows XP SP3 and Windows 2003 SP2.  Running the script as a standard non admin user will escalate privileges to compromise the system via Afd.sys. It does require Python installed on the victims system which is […]


Impersonating The Domain Administrator via SQL Server

A recent presentation I gave for 7Safe. It demonstrates how it is possible to fully compromise the domain using a fully patched Microsoft SQL server that has a firewall enabled. Using the SQL server I impersonate the domain administrator account without any passwords or password hashes being known or extracted. It also demonstrates the risk […]


Own With An iPhone

Something a little bit different here… You expect to see all hackers with a laptop right….? Think again!. Tweet


Real World Pen Testing Demonstration

A recent hacking presentation I gave in London for 7Safe demonstrating client side exploits, pivot attacks using Metasploit. Tweet


Print Spooler Exploit – MS10-061

This is an interesting exploit. No client interaction is required. This exploits the print spooler on target systems by submitting a job into the schedule which then executes as SYSTEM. Microsoft ref MS10-061. Tweet


Token Kidnapping’s Revenge

Token kidnapping returns! You may remember back in 2009 a token kidnapping issue was discovered and exploited by Cesar Cerrudo. This allowed you to impersonate a service in use running as a higher service account (network service to system) and compromise the server. This was patched by Microsoft in April 2009 – MS09-012. Cesar is […]


Windows 2008 VDM Exploit

This is a great little exploit to use. Works on Windows 7, Windows 2008 SP1 and all the way back to Windows XP. This was released around November 2009 and Microsoft released the patch around Feb 2010 (Ms10-015). Most AV scanners pick this up now, but did have a good few months of fun with […]