• Office OLE Multiple DLL Side Loading Vulnerabilities
    Disclosure Date: 2015-12-08
    First seen: 2020-04-26
    exploit/windows/fileformat/office_ole_multiple_dll_hijack
    Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. Authors: - Yorick Koster
  • Office OLE Multiple DLL Side Loading Vulnerabilities
    Disclosure Date: 2015-12-08
    First seen: 2020-04-26
    exploit/windows/fileformat/office_ole_multiple_dll_hijack
    Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. Authors: - Yorick Koster
  • MS15-134 Microsoft Windows Media Center MCL Information Disclosure
    Disclosure Date: 2015-12-08
    First seen: 2020-04-26
    auxiliary/server/ms15_134_mcl_leak
    This module exploits a vulnerability found in Windows Media Center. It allows an MCL file to render itself as an HTML document in the local machine zone by Internet Explorer, which can be used to leak files on the target machine. Please be aware that if this exploit is used against a patched Windows, it can cause the computer to be very slow or unresponsive (100% CPU). It seems to be related to how the exploit uses the URL attribute in order to render itself as an HTML file. Authors: - Francisco Falcon - sinn3r <sinn3r@metasploit.com>
  • MS15-100 Microsoft Windows Media Center MCL Vulnerability
    Disclosure Date: 2015-09-08
    First seen: 2020-04-26
    exploit/windows/fileformat/ms15_100_mcl_exe
    This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the *.mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution. Authors: - sinn3r <sinn3r@metasploit.com>
  • MS15-078 Microsoft Windows Font Driver Buffer Overflow
    Disclosure Date: 2015-07-11
    First seen: 2020-04-26
    exploit/windows/local/ms15_078_atmfd_bof
    This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the hacking team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. Authors: - Eugene Ching - Mateusz Jurczyk - Cedric Halbronn - juan vazquez <juan.vazquez@metasploit.com>
  • MS15-078 Microsoft Windows Font Driver Buffer Overflow
    Disclosure Date: 2015-07-11
    First seen: 2020-04-26
    exploit/windows/local/ms15_078_atmfd_bof
    This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the hacking team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. Authors: - Eugene Ching - Mateusz Jurczyk - Cedric Halbronn - juan vazquez <juan.vazquez@metasploit.com>
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2015-03-10
    First seen: 2020-04-26
    exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
    This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to an UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. Authors: - Michael Heerklotz - juan vazquez <juan.vazquez@metasploit.com>
  • Microsoft Windows Shell LNK Code Execution
    Disclosure Date: 2015-03-10
    First seen: 2020-04-26
    exploit/windows/smb/ms15_020_shortcut_icon_dllloader
    This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. Authors: - Michael Heerklotz - juan vazquez <juan.vazquez@metasploit.com>
  • MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
    Disclosure Date: 2015-01-13
    First seen: 2020-04-26
    exploit/windows/local/ms15_004_tswbproxy
    This module abuses a process creation policy in Internet Explorer's sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the Protected Mode and execute code with Medium Integrity. At the moment, this module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11. Authors: - Unknown - Henry Li - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
    Disclosure Date: 2014-11-13
    First seen: 2020-04-26
    exploit/windows/browser/ms14_064_ole_code_execution
    This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 until version 11 within Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 box due to the Powershell limitation. Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other newer Windows systems, the exploit will try using Powershell instead. Authors: - Robert Freeman - yuange - Rik van Duijn - Wesley Neelen - GradiusX <francescomifsud@gmail.com> - b33f - sinn3r <sinn3r@metasploit.com>
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
    Disclosure Date: 2014-11-12
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_064_packager_python
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution
    Disclosure Date: 2014-10-21
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_064_packager_run_as_admin
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function. Authors: - Haifei Li - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • MS14-060 Microsoft Windows OLE Package Manager Code Execution
    Disclosure Date: 2014-10-14
    First seen: 2020-04-26
    exploit/windows/fileformat/ms14_060_sandworm
    This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an older version of Windows (such as XP) work best for this because they require little configuration to get going. The PPSX file is what you should send to your target. In detail, the vulnerability has to do with how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes, which may be leveraged for code execution. First of all, Packager does not load the INF file directly. As an attacker, you can trick it to load your INF anyway by embedding the file path as a remote share in an OLE object. The packager will then treat it as a type of media file, and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will download it with a CopyFileW call, save it in a temp folder, and pass that information for later. The exploit will do this loading process twice: first for a fake gif file that's actually the payload, and the second for the INF file. The packager will also look at each OLE object's XML Presentation Command, specifically the type and cmd property. In the exploit, "verb" media command type is used, and this triggers the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3" is used (again, for the INF file), it will cause the packager to try to find appropriate handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that will install/run the malicious INF file, and finally give us arbitrary code execution. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Windows TrackPopupMenu Win32k NULL Pointer Dereference
    Disclosure Date: 2014-10-14
    First seen: 2020-04-26
    exploit/windows/local/ms14_058_track_popup_menu
    This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com> - Spencer McIntyre - OJ Reeves <oj@buffered.io>
  • MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check
    Disclosure Date: 2014-09-30
    First seen: 2020-04-26
    exploit/windows/local/ntapphelpcachecontrol
    On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. This module currently only affects Windows 8 and Windows 8.1, and requires access to C:\Windows\System\ComputerDefaults.exe (although this can be improved). Authors: - James Forshaw - sinn3r <sinn3r@metasploit.com>
  • MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow
    Disclosure Date: 2013-11-08
    First seen: 2020-04-26
    exploit/windows/browser/ms13_090_cardspacesigninhelper
    This module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com>
  • MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
    First seen: 2020-04-26
    auxiliary/scanner/http/ms15_034_http_sys_memory_dump
    This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in BSOD; however, VMware ESX and non-virtualized hosts seem stable. Using a larger target file should result in more memory being dumped, and SSL seems to produce more data as well. Authors: - Rich Whitcroft <rwhitcroft@gmail.com> - sinn3r <sinn3r@metasploit.com> - Sunny Neo <sunny.neo@centurioninfosec.sg>
  • MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
    First seen: 2020-04-26
    auxiliary/dos/http/ms15_034_ulonglongadd
    This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service. Authors: - Bill Finlayson - sinn3r <sinn3r@metasploit.com>
  • SMB Group Policy Preference Saved Passwords Enumeration
    First seen: 2020-04-26
    auxiliary/scanner/smb/smb_enum_gpp
    This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller. Authors: - Joshua D. Abraham <jabra@praetorian.com>
19 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!