• Ancillary Function Driver (AFD) for WinSock Elevation of Privilege
    Disclosure Date: 2023-01-10
    First seen: 2023-09-11
    A vulnerability exists in the Windows Ancillary Function Driver for Winsock (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in January 2023 updates). Authors: - chompie - b33f - Yarden Shafir - Christophe De La Fuente
  • Microsoft Office Word MSDTJS
    Disclosure Date: 2022-05-29
    First seen: 2022-12-23
    This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
  • User Profile Arbitrary Junction Creation Local Privilege Elevation
    Disclosure Date: 2022-03-17
    First seen: 2022-12-23
    The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also corralate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process. Authors: - KLINIX5 - Grant Willcox
  • CVE-2022-21999 SpoolFool Privesc
    Disclosure Date: 2022-02-08
    First seen: 2022-12-23
    The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The `SpoolDirectory`, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via `SetPrinterDataEx()` provided the caller has the `PRINTER_ACCESS_ADMINISTER` permission. If the `SpoolDirectory` path does not exist, it will be created once the print spooler reinitializes. Calling `SetPrinterDataEx()` with the `CopyFiles\` registry key will load the dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory` location can be loaded by the print spooler. Using a directory junction and UNC path for the `SpoolDirectory`, the exploit writes a payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM. Authors: - Oliver Lyak - Shelby Pace
  • Win32k NtGdiResetDC Use After Free Local Privilege Elevation
    Disclosure Date: 2021-10-12
    First seen: 2022-12-23
    A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work. Authors: - IronHusky - Costin Raiu - Boris Larin - Red Raindrop Team of Qi'anxin Threat Intelligence Center - KaLendsi - ly4k - Grant Willcox
  • Win32k ConsoleControl Offset Confusion
    Disclosure Date: 2021-02-09
    First seen: 2022-12-23
    A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets. Authors: - BITTER APT - JinQuan - MaDongZe - TuXiaoYi - LiHao - L4ys - KaLendsi - Spencer McIntyre
  • Active Directory Certificate Services (ADCS) privilege escalation (Certifried)
    First seen: 2023-09-11
    This module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT preauthentication mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools. Authors: - Oliver Lyak - CravateRouge - Erik Wynter - Christophe De La Fuente
7 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!