Exploit-db.com lists 1,239 Windows-related exploits. The Metasploit console query `grep -c exploit search platform:windows` returns a count of 1,160 Windows exploit modules. The following table summarizes some of the most exploited Windows vulnerabilities of all time.
| Vulnerability | Description | Exploits and Tutorials |
|---|---|---|
| Anonymous IPC$ connections | A deliberate feature that allowed anonymous connections to the IPC$ share. It also unintentionally allowed attackers to enumerate a large amount of detail about the system: NetBIOS names, users, group memberships, shares, password/login policy, and more. CVE-1999-0519. | |
| LM password hash | A weak hashing algorithm used in early versions of Windows, and still available in Windows Server 2016 and Windows 10. The password is converted to uppercase and split into two halves, each padded if necessary to exactly 7 bytes and hashed independently. Cracking LM hashes is simple and in some cases trivial. | Cain & Abel; John the Ripper; NetBIOS Auditing Tool (NAT) |
| IIS 5.0 Unicode | Certain Unicode characters (such as `%255c%255c`) cause IIS 5.0 to behave unexpectedly, allowing directory traversal, information disclosure, and remote code execution from a browser URL. This was a major vector in the spread of the Nimda worm. | Internet Explorer 5 or other browsers from that time period; HTML-based email messages |
| IIS 5.0 WebDAV | Buffer overflow against the ntdll.dll SEARCH WebDAV method. Gave the attacker SYSTEM-level remote code execution. CVE-2003-0109. Worked against Windows 2000, any service pack. | Metasploit module `exploit/windows/iis/ms03_007_ntdll_webdav` |
| RPCSS DCOM | The RPCSS service controls DCOM messaging between software components on networked computers. The original exploit was published in many places and worked against Windows Server 2000, 2003, and XP. It is a buffer overflow that provides remote code execution at SYSTEM level and is highly reliable. CVE-2003-0352. There is a newer variant that works against Windows 8.1. CVE-2015-2370. | Metasploit module `exploit/windows/dcerpc/ms03_026_dcom`; Windows 8.1: https://www.exploit-db.com/exploits/37768/ |
| Server service (NetAPI32.dll) | Microsoft Server service relative path stack corruption. A weakness in the NetAPI32.dll path parsing code permits a buffer overflow that grants remote code execution with SYSTEM privileges. Works against Windows 2000 through XP, and some 2003 targets. CVE-2008-4250. | Metasploit module `exploit/windows/smb/ms08_067_netapi` |
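The LM password hash row above explains why the hash is weak: each 7-byte half is hashed on its own, so a password of 7 characters or fewer leaves the second half at a constant value. The following audit script is an added example, not code from the original article; it assumes the common pwdump/secretsdump export layout `user:RID:LM_HASH:NT_HASH:::` and uses the well-known value of the LM hash of an empty password to report which accounts still have LM hashes stored.

```python
"""Audit a pwdump-style hash export for accounts that still have LM hashes.

Constructed example, not from the original article. Assumes the common
pwdump/secretsdump line layout  user:RID:LM_HASH:NT_HASH:::
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The LM hash half produced by an all-zero (padding-only) 7-byte input. Every
# password of 7 characters or fewer yields this as its second half, and a
# disabled/empty LM hash consists of this value twice.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2


@dataclass
class LmFinding:
    user: str
    lm_stored: bool
    # Upper bound on password length implied by which halves are populated
    max_password_len: Optional[int]


def split_lm_halves(lm_hex: str) -> Tuple[str, str]:
    """Return the two independently computed 8-byte halves of a 16-byte LM hash."""
    lm_hex = lm_hex.strip().lower()
    if len(lm_hex) != 32 or any(c not in "0123456789abcdef" for c in lm_hex):
        raise ValueError(f"not a 32-hex-digit LM hash: {lm_hex!r}")
    return lm_hex[:16], lm_hex[16:]


def classify_lm_hash(lm_hex: str) -> Tuple[bool, Optional[int]]:
    """Decide whether an LM hash is stored and what it reveals about length."""
    first, second = split_lm_halves(lm_hex)
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        # LM storage disabled (indistinguishable from an empty password)
        return False, None
    if second == EMPTY_LM_HALF:
        # Only the first half is populated: password is 7 characters or fewer
        return True, 7
    return True, 14


def audit_lm_hashes(lines):
    """Parse pwdump-style records and return one LmFinding per valid record."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a pwdump-style record
        user, _rid, lm_hex, _nt_hex = parts[:4]
        try:
            lm_stored, max_len = classify_lm_hash(lm_hex)
        except ValueError:
            continue  # malformed hash field; skip rather than guess
        findings.append(LmFinding(user, lm_stored, max_len))
    return findings


# Constructed sample records: all hash values are made up except the
# empty-LM constant, which is the real value.
SAMPLE_DUMP = """\
# constructed sample export
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1105:1f2e3d4c5b6a79880123456789abcdef:fedcba9876543210fedcba9876543210:::
jdoe:1106:8899aabbccddeeffaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for f in audit_lm_hashes(SAMPLE_DUMP.splitlines()):
        if not f.lm_stored:
            print(f"{f.user}: no LM hash stored")
        else:
            print(f"{f.user}: LM hash stored, password is at most {f.max_password_len} chars")
```

Accounts reported with an LM hash are the ones a domain's password policy or the "Do not store LAN Manager hash value" setting has not yet cleaned up; the length bound comes purely from the second half being the padding-only constant.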
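The IIS 5.0 Unicode row above hinges on double encoding: `%255c` decodes once to `%5c` and a second time to a backslash, so a single-pass filter never sees the traversal. The scanner below is an added example written for this page (not code from the original article); it assumes W3C-style IIS log lines in the field order `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status`, with the sample lines constructed for the demonstration, and flags requests whose traversal only appears after repeated decoding.

```python
"""Detect double-URL-encoded directory traversal in IIS-style request logs.

Constructed example, not from the original article. Assumed field order:
  date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 4
# ".." as a whole path segment, after backslashes have been normalised to "/"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(path: str) -> tuple:
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_path, number_of_rounds_that_changed_something); a count
    of 2 or more means the request was double (or deeper) encoded.
    """
    rounds = 0
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(current)
        if nxt == current:
            break
        current = nxt
        rounds += 1
    return current, rounds


def analyze_request_path(raw_path: str) -> dict:
    """Classify one cs-uri-stem value."""
    decoded, rounds = fully_decode(raw_path)
    # IIS treats backslash as a path separator, so normalise before matching
    normalised = decoded.replace("\\", "/")
    traversal_raw = bool(TRAVERSAL.search(raw_path.replace("\\", "/")))
    traversal_decoded = bool(TRAVERSAL.search(normalised))
    return {
        "raw": raw_path,
        "decoded": normalised,
        "decode_rounds": rounds,
        "double_encoded": rounds >= 2,
        "traversal": traversal_decoded,
        # Traversal visible only after decoding is the filter-evasion pattern
        "hidden_traversal": traversal_decoded and not traversal_raw,
    }


def scan_log(lines):
    """Return (client_ip, raw_stem, analysis) for every suspicious request."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or W3C directive such as #Fields
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, _query, _status = fields[:7]
        result = analyze_request_path(stem)
        if result["traversal"] or result["double_encoded"]:
            alerts.append((client, stem, result))
    return alerts


# Constructed sample log; hosts and timestamps are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:12:01 10.0.0.5 GET /default.htm - 200
2001-09-18 10:12:02 10.0.0.7 GET /scripts/..%255c..%255cwinnt/win.ini - 200
2001-09-18 10:12:03 10.0.0.9 GET /images/..%5c..%5cwinnt/win.ini - 404
2001-09-18 10:12:04 10.0.0.5 GET /docs/../readme.txt - 200
"""

if __name__ == "__main__":
    for client, stem, info in scan_log(SAMPLE_LOG.splitlines()):
        tag = "double-encoded" if info["double_encoded"] else f"{info['decode_rounds']} decode round(s)"
        print(f"{client} {stem} -> {info['decoded']} [{tag}, hidden={info['hidden_traversal']}]")
```

The `hidden_traversal` flag separates requests that any path filter would have caught in the raw URL from those that only reveal `..` after decoding; the latter are the ones worth alerting on, because a server that decodes after its security checks (as IIS 5.0 did) is exactly what they probe for.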