Everything posted by 9o3
As of now, most payloads simply remove the entire RunMRU history. This, however, may be noticed by a user who regularly uses the Run dialog. Instead, removing just the last entry can be done like so:

```powershell
#Remove latest run entry
$p="HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";$m="MRUList";$l=(gp $p).$m;rp $p $l;sp $p $m $l.SubString(1);
```

Let's break it down:

First we grab a list of all entries in RunMRU MRUList: `$l=(gp $p).$m`

After this we remove the last entry by its key: `rp $p $l`

Finally we update the MRUList to omit the removed key: `sp $p $m $l.SubString(1)`

gp -> Get-ItemProperty
rp -> Remove-ItemProperty
sp -> Set-ItemProperty

I hope this can be useful to some of you.

~9o3

P.S. I shortened the snippet as much as possible, however it's still a good idea to include this in a second stage if possible.
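Seen from the defender's side, both the full RunMRU wipe and the single-entry trim described in the post above leave registry delete and set events that auditing can record. The following is an added example, not part of the original post: it filters Sysmon-style registry events for RunMRU changes made by a process other than Explorer. The function name, the sample events and the field names (`EventType`, `Image`, `TargetObject`, `Details`) are assumptions made for illustration.

```powershell
# Added example: flag RunMRU changes made by any process other than Explorer.
# Input objects mimic Sysmon registry events (field names assumed:
# EventType, Image, TargetObject, Details). Find-RunMruTampering is hypothetical.
function Find-RunMruTampering {
    param([Parameter(Mandatory)][object[]]$Events)

    $pattern = '\\Explorer\\RunMRU(\\(?<value>[^\\]+))?$'
    foreach ($e in $Events) {
        $m = [regex]::Match($e.TargetObject, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        # Assumption: the Run dialog is hosted by explorer.exe, so it is the
        # only expected writer of this key.
        if (($e.Image -split '\\')[-1] -ieq 'explorer.exe') { continue }

        $value  = $m.Groups['value'].Value
        $reason = switch ($e.EventType) {
            'DeleteKey'   { 'RunMRU key deleted (whole history wiped)' }
            'DeleteValue' { "value '$value' deleted" }
            'SetValue'    { "value '$value' set to '$($e.Details)'" }
        }
        if ($reason) {
            [pscustomobject]@{ UtcTime = $e.UtcTime; Image = $e.Image; Reason = $reason }
        }
    }
}

# Constructed sample events: one normal Explorer write, then the delete plus
# MRUList rewrite that trimming a single entry produces.
$key = 'HKU\S-1-5-21-CONSTRUCTED\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$ps  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:00'; EventType = 'SetValue'
        Image = 'C:\Windows\explorer.exe'; TargetObject = "$key\MRUList"; Details = 'cba' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:05:00'; EventType = 'DeleteValue'
        Image = $ps; TargetObject = "$key\c"; Details = $null }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:05:00'; EventType = 'SetValue'
        Image = $ps; TargetObject = "$key\MRUList"; Details = 'ba' }
)

Find-RunMruTampering -Events $sample | Format-Table -AutoSize
```

On the constructed sample this reports the two `powershell.exe` events and skips the Explorer write.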
Hi Hitem,

First off, awesome that you also made a BB payload for the SeriousSAM vulnerability! If I had known you were also working on it I wouldn't have submitted my own payload. My apologies for that. I look forward to seeing what other payloads you'll create.

~9o3
Hi, I'm 9o3. I am a Solution Architect, Bug bounty hunter, programmer, and most of all a cyber security enthusiast. I love finding edge cases and finding ways to make machines do things they aren't supposed to. I look forward to getting to know all of you 🙂