MS11-080: Privilege Escalation (Windows)
30 Dec

So, I’ve been neglecting this blog lately, while attending the Pentesting with BackTrack course and now studying for my Offensive Security Certified Professional exam. In preparation for the exam, I figured I would start looking for some local privilege escalation exploits. So, I went to the old faithful exploit-db.com and found MS11-080 Afd.sys Privilege Escalation Exploit, which exploits MS11-080. […]

30 Dec

Windows Privilege Escalation – a cheatsheet

This is a work in progress. Additions, suggestions and constructive feedback are welcome. The purpose of these cheatsheets is to, essentially, save time during an attack and study session. Stored credentials Search for credentials within: c:\unattend.xml Unattend credentials are stored in base64 and can be decoded manually with base64: user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA= Metasploit Framework […]

29 Dec

MS11-080 AfdJoinLeaf Privilege Escalation

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its […]
