• MS15-078 Microsoft Windows Font Driver Buffer Overflow
    Disclosure Date: 2015-07-11
    First seen: 2020-04-26
    exploit/windows/local/ms15_078_atmfd_bof
    This module exploits a pool-based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by Hacking Team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. Authors: - Eugene Ching - Mateusz Jurczyk - Cedric Halbronn - juan vazquez <juan.vazquez@metasploit.com>
  • Windows ClientCopyImage Win32k Exploit
    Disclosure Date: 2015-05-12
    First seen: 2020-04-26
    exploit/windows/local/ms15_051_client_copy_image
    This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. Authors: - Unknown - hfirefox - OJ Reeves - Spencer McIntyre
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2015-03-10
    First seen: 2020-04-26
    exploit/windows/smb/ms15_020_shortcut_icon_dllloader
    This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. Authors: - Michael Heerklotz - juan vazquez <juan.vazquez@metasploit.com>
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2015-03-10
    First seen: 2020-04-26
    exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
    This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to a UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. Authors: - Michael Heerklotz - juan vazquez <juan.vazquez@metasploit.com>
  • MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection
    Disclosure Date: 2015-02-01
    First seen: 2020-04-26
    auxiliary/gather/ie_uxss_injection
    This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet Explorer 10 and 11. By default, it steals the cookie from TARGET_URI (the target page must not set X-Frame-Options, or the module fails). You can also supply your own custom JavaScript by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if you are behind NAT. Authors: - David Leo - filedescriptor - joev <joev@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
    Disclosure Date: 2015-01-13
    First seen: 2020-04-26
    exploit/windows/local/ms15_004_tswbproxy
    This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape Protected Mode and execute code with Medium Integrity. At the moment, this module only bypasses Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11. Authors: - Unknown - Henry Li - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
    Disclosure Date: 2014-11-18
    First seen: 2020-04-26
    auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS request, where a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to an MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the help of Mimikatz. It has been tested successfully on Windows 2008. Authors: - Tom Maddock - Sylvain Monne - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
    Disclosure Date: 2014-11-13
    First seen: 2020-04-26
    exploit/windows/browser/ms14_064_ole_code_execution
    This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 through version 11 on Windows 95 up to Windows 10, with no patch available for Windows XP. However, this exploit only targets Windows XP and Windows 7 boxes due to PowerShell limitations. Windows XP supports VBS by default, so it is used as the attack vector. On other, newer Windows systems, the exploit will try using PowerShell instead. Authors: - Robert Freeman - yuange - Rik van Duijn - Wesley Neelen - GradiusX <francescomifsud@gmail.com> - b33f - sinn3r <sinn3r@metasploit.com>
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
    Disclosure Date: 2014-11-12
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_064_packager_python
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
    Disclosure Date: 2014-11-11
    First seen: 2020-04-26
    exploit/windows/local/ms14_070_tcpip_ioctl
    A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys can allow a local attacker to trigger a NULL pointer dereference by using a specially crafted IOCTL. This flaw can be abused to elevate privileges to SYSTEM. Authors: - Matt Bergin <level@korelogic.com> - Jay Smith <jsmith@korelogic.com>
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution
    Disclosure Date: 2014-10-21
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_064_packager_run_as_admin
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • MS14-060 Microsoft Windows OLE Package Manager Code Execution
    Disclosure Date: 2014-10-14
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_060_sandworm
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups, such as those using Office 2010 SP1, might be less stable and may sometimes end up with a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up an SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an older version of Windows (such as XP) work best for this because they require little configuration to get going. The PPSX file is what you should send to your target. In detail, the vulnerability has to do with how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes, which may be leveraged for code execution. First of all, Packager does not load the INF file directly. As an attacker, you can trick it into loading your INF anyway by embedding the file path as a remote share in an OLE object. The packager will then treat it as a type of media file and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will download it with a CopyFileW call, save it in a temp folder, and pass that information along for later. The exploit performs this loading process twice: first for a fake GIF file that is actually the payload, and second for the INF file. The packager will also look at each OLE object's XML Presentation Command, specifically the type and cmd properties. In the exploit, the "verb" media command type is used, and this triggers the packager!CPackage::DoVerb function. Also, "-3" is used as the fake GIF file's cmd property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3" is used (again, for the INF file), it will cause the packager to try to find an appropriate handler for it, which will end up being C:\Windows\System32\infDefaultInstall.exe, and that will install/run the malicious INF file and finally give us arbitrary code execution. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Windows TrackPopupMenu Win32k NULL Pointer Dereference
    Disclosure Date: 2014-10-14
    First seen: 2020-04-26
    exploit/windows/local/ms14_058_track_popup_menu
    This module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 (32 bits), and also on Windows 7 SP1 and Windows 2008 R2 SP1 (64 bits). Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com> - Spencer McIntyre - OJ Reeves <oj@buffered.io>
  • MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check
    Disclosure Date: 2014-09-30
    First seen: 2020-04-26
    exploit/windows/local/ntapphelpcachecontrol
    On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries, as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then compares the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token, so it's possible to get an identify token on your thread from a local system process and bypass this check. This module currently only affects Windows 8 and Windows 8.1, and requires access to C:\Windows\System\ComputerDefaults.exe (although this can be improved). Authors: - James Forshaw - sinn3r <sinn3r@metasploit.com>
  • MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure
    Disclosure Date: 2014-09-09
    First seen: 2020-04-26
    auxiliary/gather/ms14_052_xmldom
    This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe Authors: - Soroush Dalili - sinn3r <sinn3r@metasploit.com>
  • MQAC.sys Arbitrary Write Privilege Escalation
    Disclosure Date: 2014-07-22
    First seen: 2020-04-26
    exploit/windows/local/mqac_write
    A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process. Authors: - Matt Bergin - Spencer McIntyre
  • MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
    Disclosure Date: 2014-07-18
    First seen: 2020-04-26
    exploit/windows/local/bthpan
    A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Authors: - Matt Bergin <level@korelogic.com> - Jay Smith <jsmith@korelogic.com>
  • MS14-017 Microsoft Word RTF Object Confusion
    Disclosure Date: 2014-04-01
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_017_rtf
    This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This module was created by reversing a public malware sample. Authors: - Haifei Li - Spencer McIntyre - unknown
199 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details