• Microsoft Office Word MSDTJS
    Disclosure Date: 2022-05-29
    First seen: 2022-12-23
    exploit/windows/fileformat/word_msdtjs_rce
    This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
  • User Profile Arbitrary Junction Creation Local Privilege Elevation
    Disclosure Date: 2022-03-17
    First seen: 2022-12-23
    exploit/windows/local/cve_2022_26904_superprofile
    The user profile service (ProfSrv) is vulnerable to a local privilege elevation in its CreateDirectoryJunction() function because it does not adequately check the directory structure of the junctions it links together. An attacker can use this to plant a malicious DLL in a system directory and then trigger a UAC prompt, causing ProfSrv to load and execute the DLL as NT AUTHORITY\SYSTEM. This bug was originally identified as CVE-2021-34484 and was patched a second time as CVE-2022-21919; both patches were found to be insufficient. This module is a patch bypass for CVE-2022-21919 which, at the time of publishing, had not yet been patched, though a fix was planned as CVE-2022-26904. The credentials supplied for the second user that the exploit logs in as must belong to a normal, non-admin user, and that user must already have logged in at least once so that a profile exists. Additionally, the user running the exploit must have UAC set to the highest level, "Always notify me", for the code to run as NT AUTHORITY\SYSTEM. "Always notify me" is not the default UAC setting on common Windows installs, so this only affects hosts where the setting has been changed, either manually or as part of the installation process. Authors: - KLINIX5 - Grant Willcox
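    The module description above names two preconditions a tester has to confirm before running it: the UAC slider position of the current user and the existence of a profile for the second, non-admin account. The following PowerShell is an added example written for this page; it is not part of the CVEdetails listing or of the Metasploit module. It reads the documented UAC policy values (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableLUA) and the ProfileList key that ProfSrv populates on first interactive logon. The account name `lowpriv` and the helper names are this example's own assumptions.

```powershell
# Added example, not Metasploit or CVEdetails code. Checks the two stated preconditions of
# exploit/windows/local/cve_2022_26904_superprofile on the local host.

function Get-UacLevel {
    # Value-to-slider mapping as documented for the UAC policy keys:
    #   ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 = "Always notify"
    #   ConsentPromptBehaviorAdmin 5 + PromptOnSecureDesktop 1 = "Notify when apps make changes" (default)
    #   ConsentPromptBehaviorAdmin 5 + PromptOnSecureDesktop 0 = same, without secure desktop
    #   ConsentPromptBehaviorAdmin 0                           = "Never notify"
    $pol     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $admin   = [int]$pol.ConsentPromptBehaviorAdmin
    $secure  = [int]$pol.PromptOnSecureDesktop
    $enabled = [int]$pol.EnableLUA

    if ($enabled -ne 1)                  { return 'UAC disabled (EnableLUA=0)' }
    if ($admin -eq 2 -and $secure -eq 1) { return 'Always notify' }
    if ($admin -eq 5 -and $secure -eq 1) { return 'Notify when apps make changes (default)' }
    if ($admin -eq 5 -and $secure -eq 0) { return 'Notify when apps make changes (no secure desktop)' }
    if ($admin -eq 0)                    { return 'Never notify' }
    return "Other (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)"
}

function Test-ProfileExists {
    param([Parameter(Mandatory)][string]$UserName)
    # ProfSrv creates a ProfileList entry keyed by SID on the user's first interactive logon,
    # so an entry whose ProfileImagePath exists on disk is a usable proxy for "logged in before".
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $key)) { return $false }
    $path = (Get-ItemProperty -Path $key).ProfileImagePath
    return ([bool]$path) -and (Test-Path $path)
}

function Test-IsLocalAdmin {
    param([Parameter(Mandatory)][string]$UserName)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -eq $UserName -or $_.Name -like "*\$UserName" })
}

$second = 'lowpriv'   # assumption: name of the second, non-admin account the exploit logs in as

"UAC level for this host : $(Get-UacLevel)"
"Second user is admin    : $(Test-IsLocalAdmin $second)"   # must be False
"Second user has profile : $(Test-ProfileExists $second)"  # must be True
```

    Only the combination "Always notify" / not admin / profile present matches what the description requires; any other UAC level means the SYSTEM-level execution path described above is not available on that host, which is the same check a defender can run to confirm exposure.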
  • CVE-2022-21999 SpoolFool Privesc
    Disclosure Date: 2022-02-08
    First seen: 2022-12-23
    exploit/windows/local/cve_2022_21999_spoolfool_privesc
    The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The `SpoolDirectory`, a per-printer configuration setting holding the path to which that printer's spooled jobs are written, can be set via `SetPrinterDataEx()` by any caller with `PRINTER_ACCESS_ADMINISTER` on the printer, and an ordinary user gets that permission on a local printer they add themselves. If the `SpoolDirectory` path does not exist, the spooler creates it when it reinitializes. Calling `SetPrinterDataEx()` with the `CopyFiles\` registry key makes the spooler load the DLL named in the `pData` argument, so a DLL written into the `SpoolDirectory` location can be loaded by the print spooler. Using a directory junction and a UNC path for the `SpoolDirectory`, the exploit writes a payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM. Authors: - Oliver Lyak - Shelby Pace
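    The two artefacts this technique leaves in the registry are a per-printer `SpoolDirectory` that points outside the spooler's own tree (a UNC path or a junction) and a `CopyFiles\<name>\Module` value naming a DLL by path rather than by bare module name, as the built-in ICM entry does. The PowerShell below is an added example for this page, not code from the Metasploit module or from CVEdetails; it walks `HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers` and reports both. The path heuristics and function names are this example's own.

```powershell
# Added example, not Metasploit or CVEdetails code. Audits local printer registry entries for
# the SpoolDirectory / CopyFiles artefacts described for cve_2022_21999_spoolfool_privesc.

$SpoolRoot = Join-Path $env:SystemRoot 'System32\spool'

function Test-SuspiciousSpoolPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }   # empty means the default spool dir
    if ($Path.StartsWith('\\'))              { return $true }    # UNC path, as used by the exploit
    if (-not $Path.StartsWith($SpoolRoot, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    # A junction (reparse point) inside the spool tree is the other half of the technique.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    return [bool]($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint))
}

function Get-SpoolerFindings {
    $findings = @()
    $printers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers' -ErrorAction SilentlyContinue
    foreach ($p in $printers) {
        $spoolDir = (Get-ItemProperty -Path $p.PSPath).SpoolDirectory
        if (Test-SuspiciousSpoolPath $spoolDir) {
            $findings += [pscustomobject]@{ Printer = $p.PSChildName; Kind = 'SpoolDirectory'; Value = $spoolDir }
        }
        $copyFiles = Join-Path $p.PSPath 'CopyFiles'
        if (Test-Path $copyFiles) {
            foreach ($cf in Get-ChildItem $copyFiles) {
                $module = (Get-ItemProperty -Path $cf.PSPath).Module
                # Heuristic (this example's own): the stock ICM entry carries a bare DLL name
                # such as mscms.dll; a drive letter or path separator in Module is unusual.
                if ($module -and ($module -match '^[A-Za-z]:' -or $module -match '[\\/]')) {
                    $findings += [pscustomobject]@{
                        Printer = $p.PSChildName
                        Kind    = "CopyFiles\$($cf.PSChildName)\Module"
                        Value   = $module
                    }
                }
            }
        }
    }
    return $findings
}

$results = Get-SpoolerFindings
if ($results) { $results | Format-Table -AutoSize } else { 'No suspicious SpoolDirectory or CopyFiles entries found.' }
```

    Run it as a local administrator (the printer keys are readable by users, but `Get-Item` on a spool path under `System32` may not be). An empty result does not prove the patch is installed; it only shows that the registry does not currently carry the exploit's configuration.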
  • Win32k NtGdiResetDC Use After Free Local Privilege Elevation
    Disclosure Date: 2021-10-12
    First seen: 2022-12-23
    exploit/windows/local/cve_2021_40449
    A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work. Authors: - IronHusky - Costin Raiu - Boris Larin - Red Raindrop Team of Qi'anxin Threat Intelligence Center - KaLendsi - ly4k - Grant Willcox
  • Microsoft Office Word Malicious MSHTML RCE
    Disclosure Date: 2021-09-23
    First seen: 2022-12-23
    exploit/windows/fileformat/word_mshtml_rce
    This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
  • Print Spooler Remote DLL Injection
    Disclosure Date: 2021-06-08
    First seen: 2022-12-23
    exploit/windows/dcerpc/cve_2021_1675_printnightmare
    The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running. Authors: - Zhiniang Peng - Xuefeng Li - Zhipeng Huo - Piotr Madej - Zhang Yunhai - cube0x0 - Spencer McIntyre - Christophe De La Fuente
  • Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
    Disclosure Date: 2020-03-10
    First seen: 2020-06-11
    exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
    This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as SYSTEM, the Update Session Orchestrator service is then started; because of a DLL hijacking issue in that service, the malicious WindowsCoreDeviceInfo.dll is loaded with SYSTEM privileges. Presently this module only works on Windows 10 and Windows Server 2016 and later, since the Update Session Orchestrator service was introduced in Windows 10, and only Windows 10 has been tested, so results on Windows Server 2016 and later may vary. Authors: - itm4n - gwillcox-r7
  • Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation
    Disclosure Date: 2020-02-20
    First seen: 2020-12-15
    exploit/windows/local/cve_2020_1054_drawiconex_lpe
    This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx within win32k. The out of bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. Authors: - Netanel Ben-Simon - Yoav Alon - bee13oy - timwr
  • Service Tracing Privilege Elevation Vulnerability
    Disclosure Date: 2020-02-11
    First seen: 2020-05-14
    exploit/windows/local/cve_2020_0668_service_tracing
    This module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets. Authors: - itm4n - bwatters-r7
  • Microsoft Windows Uninitialized Variable Local Privilege Elevation
    Disclosure Date: 2019-12-10
    First seen: 2020-10-15
    exploit/windows/local/cve_2019_1458_wizardopium
    This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability in win32k caused by an uninitialized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By using this to perform controlled writes to kernel memory, an attacker can gain arbitrary code execution as SYSTEM. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated. Authors: - piotrflorczyk - unamer - timwr
  • Microsoft UPnP Local Privilege Elevation Vulnerability
    Disclosure Date: 2019-11-12
    First seen: 2020-04-26
    exploit/windows/local/comahawk
    This exploit chains two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM. Authors: - NCC Group - hoangprod - bwatters-r7
  • Microsoft Spooler Local Privilege Elevation Vulnerability
    Disclosure Date: 2019-11-04
    First seen: 2021-01-16
    exploit/windows/local/cve_2020_1337_printerdemon
    This exploit leverages a file write vulnerability in the print spooler service, which Windows restarts automatically if it is stopped. Because the service cannot be kept stopped long enough to delete the DLL, there is no way to remove the DLL once the service has loaded it. On default settings, this module therefore adds a permanent elevated backdoor. Authors: - Peleg Hadar - Tomer Bar - 404death - sailay1996 - bwatters-r7
  • Microsoft Spooler Local Privilege Elevation Vulnerability
    Disclosure Date: 2019-11-04
    First seen: 2020-09-17
    exploit/windows/local/cve_2020_1048_printerdemon
    This exploit leverages a file write vulnerability in the print spooler service, which Windows restarts automatically if it is stopped. Because the service cannot be kept stopped long enough to delete the DLL, there is no way to remove the DLL once the service has loaded it. On default settings, this module therefore adds a permanent elevated backdoor. Authors: - Yarden Shafir - Alex Ionescu - shubham0d - bwatters-r7
  • CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
    Disclosure Date: 2019-05-14
    First seen: 2020-04-26
    auxiliary/scanner/rdp/cve_2019_0708_bluekeep
    This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability. Authors: - National Cyber Security Centre - JaGoTu - zerosum0x0 - Tom Sellers
  • CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
    Disclosure Date: 2019-05-14
    First seen: 2020-04-26
    exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    The RDP termdd.sys driver improperly handles binds to the internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned registry value is not set! If the target crashes regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option. Authors: - Sean Dillon <sean.dillon@risksense.com> - Ryan Hanson - OJ Reeves <oj@beyondbinary.io> - Brent Cook <bcook@rapid7.com>
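    Before pointing either of the two BlueKeep modules above at a host, it is worth reading the listener settings they depend on directly from the target, and the same read tells a defender whether the pre-authentication path is reachable. The PowerShell below is an added example for this page, not code from Metasploit or CVEdetails. It reports the RDP enable flag, the `fDisableCam` value the RCE module requires to be 0 on Server 2008 R2, and the Network Level Authentication switch: with NLA required, the MS_T120 channel handling is only reachable after a successful credential check, which is why Microsoft's advisory for CVE-2019-0708 listed NLA as a mitigation. Helper names are this example's own; patch status is deliberately not inferred from the registry.

```powershell
# Added example, not Metasploit or CVEdetails code. Reads the RDP listener configuration that
# the cve_2019_0708_bluekeep modules depend on, from the local host.

$TermSrv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp  = Join-Path $TermSrv 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $TermSrv
    $tcp = Get-ItemProperty -Path $RdpTcp
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    $rdpEnabled  = ([int]$ts.fDenyTSConnections) -eq 0   # 1 = Remote Desktop disabled
    $nlaRequired = ([int]$tcp.UserAuthentication) -eq 1  # 1 = NLA required before session setup
    $disableCam  = [int]$tcp.fDisableCam                 # absent value reads as 0, the exploitable state
    # The module targets Windows 7 SP1 / Server 2008 R2, both reporting kernel version 6.1.
    $legacyBuild = $os.Version -like '6.1.*'

    [pscustomobject]@{
        OSVersion           = $os.Version
        RdpEnabled          = $rdpEnabled
        NlaRequired         = $nlaRequired
        fDisableCam         = $disableCam
        # MS_T120 bind happens before authentication only when NLA is not enforced.
        PreAuthPathExposed  = $rdpEnabled -and (-not $nlaRequired)
        # What the RCE module's own stated preconditions amount to for a 2008 R2 / 7 SP1 host.
        MatchesModuleTarget = $legacyBuild -and $rdpEnabled -and (-not $nlaRequired) -and ($disableCam -eq 0)
    }
}

Get-RdpExposure | Format-List
```

    `MatchesModuleTarget` being true means the configuration matches what the RCE module's description asks for; whether the host is actually unpatched is a separate question that only the scanner module (or the update history) answers. Note that the description's registry path above is written without the space in `Terminal Server` on some copies of the module text; the key as it exists on disk contains the space, which is why the example uses it.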
  • Microsoft Windows NtUserMNDragOver Local Privilege Elevation
    Disclosure Date: 2019-03-12
    First seen: 2020-05-14
    exploit/windows/local/ntusermndragover
    This module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via the NtUserMNDragOver() system call. The NULL pointer dereference occurs because xxxMNFindWindowFromPoint() does not effectively validate the tagPOPUPMENU objects it processes before passing them to MNGetpItemFromIndex(), where the dereference happens. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.
  • Windows NtUserSetWindowFNID Win32k User Callback
    Disclosure Date: 2018-10-09
    First seen: 2020-04-26
    exploit/windows/local/cve_2018_8453_win32k_priv_esc
    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This module is tested against Windows 10 v1703 x86. Authors: - ze0r - Kaspersky Lab - Jacob Robles
  • Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
    Disclosure Date: 2018-08-27
    First seen: 2020-04-26
    exploit/windows/local/alpc_taskscheduler
    On vulnerable versions of Windows, the ALPC endpoint method SchRpcSetSecurity implemented by the Task Scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\windows\tasks`, because the scheduler does not impersonate the caller when checking this location. Since users can create files in `c:\windows\tasks`, a hardlink can be created there to a file the user has read access to. After creating the hardlink, the vulnerability can be triggered to set the DACL on the linked file. WARNING: The PrintConfig.dll (%windir%\system32\DriverStore\FileRepository\prnms003*) on the target host will be overwritten when the exploit runs. This module has been tested against Windows 10 Pro x64. Authors: - SandboxEscaper - bwatters-r7 - asoto-r7 - Jacob Robles
  • Windows SetImeInfoEx Win32k NULL Pointer Dereference
    Disclosure Date: 2018-05-09
    First seen: 2020-04-26
    exploit/windows/local/ms18_8120_win32k_privesc
    This module exploits an elevation of privilege vulnerability in Windows 7 and Server 2008 R2 that occurs when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploits it can run arbitrary code in kernel mode, and could then install programs; view, change, or delete data; or create new accounts with full user rights. This module is tested against Windows 7 x86, Windows 7 x64 and Windows Server 2008 R2 Standard x64. Authors: - unamer - bigric3 - Anton Cherepanov - Dhiraj Mishra <dhiraj@notsosecure.com>
69 metasploit modules found
Please note: Metasploit modules are matched to this product only by CVE number, so modules whose metadata lacks a CVE reference do not appear here. Visit the Metasploit web site for more details.