Share
## https://sploitus.com/exploit?id=9294745A-E98B-5CB9-8937-0E350D5C3034
# Reverse Shell-able Exploit POCs

Sharing the list of Windows exploits I encountered during my preparation for OSCP that didn't require GUI access and can be exploited via reverse shell. 

I wrote a small proof-of-concept writeup for each of them and the affected versions were collected using [this script](get_vulns.py) I wrote in a quick and dirty way by scraping Microsoft and CVE website. 

I do not guarantee the accuracy of the informations listed here, you know what you are doing best! Suggested aproach is to use this wiki after running Windows Exploit Suggester / Sherlock / Watson.


| CVE / MS  | Title | Vulns |
| --------- | ----- | ----- |
|  [CVE-2017-0213](CVE-2017-0213.md) | Windows COM Aggregate Marshaler Lets Local Users Gain Elevated Privileges  | win_10 version_1511, win_10 version_1607, win_10 version_1703, win_10 version_1511 arc_x86, win_10 version_1607 arc_x86, win_10 version_1703 arc_x86, win_7 sp_1, win_7 sp_1 arc_x86, win_8.1, win_8.1 arc_x86, win_server_2008 sp_2, win_server_2008 sp_2 arc_x86, win_server_2008_r2 sp_1, win_server_2008_r2 sp_1 arc_x86, win_server_2012, win_server_2012 arc_x86, win_server_2016, win_server_2016 arc_x86 |
| [CVE-2018-8440](CVE-2018-8440.md) | Microsoft Windows Task Scheduler ALPC Interface Local Privilege Escalation Vulnerability | win_10 version_1607 arc_x64,win_10 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_rt arc_x86,win_10 version_1803 arc_x86,win_10 arc_x64,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_server_2016 arc_x86,win_server_2008 sp_2 arc_x86,win_server_1709 arc_x86,win_8.1 arc_x86,win_server_1803 arc_x86,win_server_2008 sp_1 arc_x64,win_10 version_1803 arc_x64,win_7 sp_1 arc_x86,win_10 arc_x86,win_server_2008 sp_1 arc_x86 |
| [CVE-2008-4250 / MS08-067](ms08-067.md) | Microsoft Windows Server - Code Execution | win_vista sp_1 arc_x64,win_server_2003 arc_x64,win_xp sp_2 arc_x86,win_xp sp_3 arc_x86,win_xp arc_x64,win_server_2003 sp_1 arc_x86,win_server_2008 arc_x64,win_server_2003 sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_2000 sp_4 arc_x86,win_xp sp_2 arc_x64,win_vista sp_1 arc_x86,win_server_2008 arc_x86 |
| [CVE-2009-0079 / MS09-012](ms09-012.md) | Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation. Churraskito.exe/churrasco.exe | win_2000 sp_4 arc_x86,win_vista sp_1 arc_x86,win_vista sp_1 arc_x64,win_xp sp_2 arc_x64,win_server_2008 arc_x64,win_xp sp_2 sp_3 arc_x86,win_server_2008 arc_x86,win_xp sp_2 arc_x86,win_server_2003 sp_2 arc_x64,win_xp sp_3 arc_x86,win_server_2003 sp_1 sp_2 arc_x86 |
| [CVE-2010-2554 / MS10-059](ms10-059.md) | Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege. Chimichurri.exe | win_server_2008 sp_2 arc_x86,win_vista sp_1 sp_2 arc_x86,win_server_2008 arc_x86,win_10 arc_x86,win_server_2008 arc_x64,win_vista sp_1 sp_2 arc_x64,win_server_2008 sp_2 arc_x64,win_10 arc_x64 |
| [CVE-2015-1701 / MS15-051](ms15-051.md) | ClientCopyImage Win32k | win_vista sp_2 arc_x64,win_8 arc_x64,win_server_2008 sp_2 arc_x64,win_8 arc_x86,win_server_2012 arc_x86,win_server_2003 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_8.1 arc_x86,win_8.1 arc_x64,win_10 sp_1 arc_x86,win_server_2008 sp_2 arc_x86,win_vista sp_2 arc_x86,win_server_2003 sp_2 arc_x86,win_10 sp_1 arc_x64,win_server_2008 sp_1 arc_x86 |
| [CVE-2016-0099 / MS16-032](ms16-032.md) | Secondary Logon Handle Privilege Escalation | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |
| [MS16-075](ms16-075.md) | Rotten Potato โ€“ Privilege Escalation from Service Accounts to SYSTEM (JuicyPotato) | win_server_2008 sp_2 arc_x64,win_server_2008 sp_1 arc_x64,win_10 arc_x64,win_vista sp_2 arc_x86,win_10 version_1511 arc_x86,win_server_2012 arc_x86,win_7 sp_1 arc_x64,win_10 version_1511 arc_x64,win_server_2008 sp_2 arc_x86,win_10 arc_x86,win_8.1 arc_x86,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_7 sp_1 arc_x86,win_server_2008 sp_1 arc_x86 |
| [CVE-2016-3309 / MS16-098](ms16-098.md) | RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects | win_7 version_1511 arc_x64,win_7 version_1511 arc_x86,win_server_2008 sp_2 arc_x86,win_10 sp_1 arc_x86,win_10 sp_1 arc_x64,win_server_2012 arc_x86,win_7 version_1607 arc_x64,win_vista sp_2 arc_x64,win_8.1 arc_x64,win_server_2008 sp_2 arc_x64,win_7 arc_x64,win_8.1 arc_x86,win_7 arc_x86,win_7 version_1607 arc_x86,win_vista sp_2 arc_x86,win_server_2008 sp_1 arc_x64,win_server_2008 sp_1 arc_x86 |
| [CVE-2017-0144 / MS17-010](ms17-010.md) | Windows SMB Remote Code Execution (Eternalblue) | win_server_2008 sp_1 arc_x64,win_7 version_1511 arc_x64,win_server_2016 arc_x64,win_7 version_1607 arc_x86,win_server_2008 sp_2 arc_x64,win_server_2008 sp_2 arc_x86,win_7 arc_x64,win_vista sp_2 arc_x86,win_8.1 arc_x86,win_10 sp_1 arc_x64,win_server_2008 sp_1 arc_x86,win_10 sp_1 arc_x86,win_vista sp_2 arc_x64,win_7 version_1607 arc_x64,win_7 arc_x86,win_8.1 arc_x64,win_7 version_1511 arc_x86,win_server_2012 arc_x86 |