• User Profile Arbitrary Junction Creation Local Privilege Elevation
    Disclosure Date: 2022-03-17
    First seen: 2022-12-23
    exploit/windows/local/cve_2022_26904_superprofile
    The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also corralate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process. Authors: - KLINIX5 - Grant Willcox
  • Microsoft Office Word Malicious MSHTML RCE
    Disclosure Date: 2021-09-23
    First seen: 2022-12-23
    exploit/windows/fileformat/word_mshtml_rce
    This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
  • Windows IIS HTTP Protocol Stack DOS
    Disclosure Date: 2021-05-11
    First seen: 2022-12-23
    auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
    This module exploits CVE-2021-31166, a UAF bug in http.sys when parsing specially crafted Accept-Encoding headers that was patched by Microsoft in May 2021, on vulnerable IIS servers. Successful exploitation will result in the target computer BSOD'ing before subsequently rebooting. Note that the target IIS server may or may not come back up, this depends on the target's settings as to whether IIS is configured to start on reboot. Authors: - Max - Stefan Blair - Axel Souchet - Maurice LAMBERT <mauricelambert434@gmail.com>
  • Win32k ConsoleControl Offset Confusion
    Disclosure Date: 2021-02-09
    First seen: 2022-12-23
    exploit/windows/local/cve_2022_21882_win32k
    A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets. Authors: - BITTER APT - JinQuan - MaDongZe - TuXiaoYi - LiHao - L4ys - KaLendsi - Spencer McIntyre
  • CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP
    Disclosure Date: 2020-03-10
    First seen: 2021-01-12
    exploit/windows/local/cve_2020_17136
    The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user. Authors: - James Foreshaw - Grant Willcox
  • PetitPotam
    First seen: 2022-12-23
    auxiliary/scanner/dcerpc/petitpotam
    Coerce an authentication attempt over SMB to other machines via MS-EFSRPC methods. Authors: - GILLES Lionel - Spencer McIntyre
6 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!