• Win32k NtGdiResetDC Use After Free Local Privilege Elevation
    Disclosure Date: 2021-10-12
    First seen: 2022-12-23
    exploit/windows/local/cve_2021_40449
    A use-after-free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists because this function calls `hdcOpenDCW()`, which performs a user-mode callback. During this callback, the attacker can call `NtGdiResetDC()` again with the same handle as before, which frees the PDC object that the handle references. The attacker can then replace the memory referenced by the handle with their own object before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This allows the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763); previous versions of Windows 10 will likely also work.
    Authors: IronHusky, Costin Raiu, Boris Larin, Red Raindrop Team of Qi'anxin Threat Intelligence Center, KaLendsi, ly4k, Grant Willcox
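The re-entrancy pattern described above, as an added user-mode model in C (example code written for this page, not the Metasploit module and not Windows kernel code): a handle is resolved to an object, a callback into "user mode" runs while that pointer is still held, and the callback frees the object, reclaims its memory with controlled bytes, and hands the handle a fresh object so it still resolves. Every name here (dc_object, reset_dc_vulnerable, reset_dc_hardened, attacker_callback, the fixed-slot pool) is invented for the illustration; the pool exists only so that the freed slot is deterministically handed back. The hardened variant re-resolves the handle after the callback and refuses to continue if the object changed; that is one generic defence against this bug class, not a description of Microsoft's patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the callback re-entrancy bug class (example code, not
 * Metasploit's or Microsoft's). dc_object, the pool and every function name
 * are invented for the illustration. */

#define DC_MAGIC  0x50444300u   /* tag carried by a genuine object */
#define MAX_SLOTS 4

typedef struct {
    uint32_t magic;
    uint32_t flags;
    char     pad[24];
} dc_object;

typedef void (*user_callback)(int handle);

static dc_object  pool[MAX_SLOTS];              /* fixed-address "pool" */
static int        slot_free[MAX_SLOTS];         /* 1 = slot is free */
static dc_object *handle_table[MAX_SLOTS + 1];  /* handle -> object; 0 unused */

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    memset(handle_table, 0, sizeof handle_table);
    for (int i = 0; i < MAX_SLOTS; i++) slot_free[i] = 1;
}

/* Lowest free slot first, so a just-freed slot is handed straight back:
 * the reuse an attacker's spray relies on. */
static dc_object *pool_alloc(void) {
    for (int i = 0; i < MAX_SLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return &pool[i]; }
    return NULL;
}

static void pool_release(dc_object *o) { slot_free[o - pool] = 1; }

static dc_object *lookup_dc(int h) {
    return (h >= 1 && h <= MAX_SLOTS) ? handle_table[h] : NULL;
}

static int create_dc(uint32_t flags) {
    dc_object *o = pool_alloc();
    if (!o) return 0;
    o->magic = DC_MAGIC;
    o->flags = flags;
    for (int h = 1; h <= MAX_SLOTS; h++)
        if (!handle_table[h]) { handle_table[h] = o; return h; }
    pool_release(o);
    return 0;
}

static void delete_dc(int h) {
    dc_object *o = lookup_dc(h);
    if (!o) return;
    handle_table[h] = NULL;
    pool_release(o);
}

/* Vulnerable shape: resolve the handle, call out to user mode, then keep
 * using the pointer that was resolved before the callback. */
static int reset_dc_vulnerable(int h, user_callback cb) {
    dc_object *pdc = lookup_dc(h);
    if (!pdc) return -1;
    cb(h);                                   /* models the hdcOpenDCW() callback */
    return (int)(pdc->flags & 0x7fffffffu);  /* reads whatever now lives at *pdc */
}

/* Hardened shape: re-resolve the handle after the callback and refuse to
 * continue unless it still maps to the same, correctly tagged object. */
static int reset_dc_hardened(int h, user_callback cb) {
    dc_object *pdc = lookup_dc(h);
    if (!pdc) return -1;
    cb(h);
    dc_object *again = lookup_dc(h);
    if (again != pdc || again->magic != DC_MAGIC) return -1;
    return (int)(again->flags & 0x7fffffffu);
}

/* Attacker's callback: free the object behind the handle (the nested
 * NtGdiResetDC() in the real bug), reclaim its memory with controlled bytes,
 * then give the handle a fresh genuine object so it still resolves. */
static void attacker_callback(int h) {
    delete_dc(h);
    dc_object *fake = pool_alloc();          /* the same slot comes back */
    memset(fake, 0x41, sizeof *fake);
    create_dc(0x10);                         /* new object at a different address */
}

static void benign_callback(int h) { (void)h; }

/* Runs one scenario on a fresh pool and returns what the "kernel" read:
 * the original flags (0x10), attacker bytes (0x41414141), or -1 on refusal. */
int run_scenario(int hardened, int hostile) {
    pool_init();
    int h = create_dc(0x10);
    user_callback cb = hostile ? attacker_callback : benign_callback;
    return hardened ? reset_dc_hardened(h, cb) : reset_dc_vulnerable(h, cb);
}

int main(void) {
    printf("vulnerable, hostile callback: 0x%x\n", (unsigned)run_scenario(0, 1));
    printf("hardened,   hostile callback: %d\n", run_scenario(1, 1));
    return 0;
}
```

The point the model makes is that the stale pointer, not the handle, is the problem: after the callback the handle still resolves to a valid, correctly tagged object, so a check that only validates the handle would pass, while the pointer the first frame kept now points at attacker-controlled bytes.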
  • Microsoft Office Word Malicious MSHTML RCE
    Disclosure Date: 2021-09-23
    First seen: 2022-12-23
    exploit/windows/fileformat/word_mshtml_rce
    This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
  • Print Spooler Remote DLL Injection
    Disclosure Date: 2021-06-08
    First seen: 2022-12-23
    exploit/windows/dcerpc/cve_2021_1675_printnightmare
    The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector, which requires the Print Spooler service to be running.
    Authors: Zhiniang Peng, Xuefeng Li, Zhipeng Huo, Piotr Madej, Zhang Yunhai, cube0x0, Spencer McIntyre, Christophe De La Fuente
  • Windows IIS HTTP Protocol Stack DOS
    Disclosure Date: 2021-05-11
    First seen: 2022-12-23
    auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
    This module exploits CVE-2021-31166, a use-after-free in http.sys triggered when parsing a specially crafted Accept-Encoding header, against vulnerable IIS servers; Microsoft patched it in May 2021. Successful exploitation causes the target computer to BSOD and then reboot. Note that the target IIS server may or may not come back up afterwards; this depends on whether IIS is configured to start on reboot.
    Authors: Max, Stefan Blair, Axel Souchet, Maurice LAMBERT <mauricelambert434@gmail.com>
  • Win32k ConsoleControl Offset Confusion
    Disclosure Date: 2021-02-09
    First seen: 2022-12-23
    exploit/windows/local/cve_2022_21882_win32k
    A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out-of-bounds write, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.
    Authors: BITTER APT, JinQuan, MaDongZe, TuXiaoYi, LiHao, L4ys, KaLendsi, Spencer McIntyre
  • CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP
    Disclosure Date: 2020-03-10
    First seen: 2021-01-12
    exploit/windows/local/cve_2020_17136
    The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker-controlled input. As a result, files were created with a KernelMode access check (that is, with no effective access check), bypassing the security checks that would otherwise prevent a normal user from creating files in directories they have no permission to write to. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so allows them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
    Authors: James Forshaw, Grant Willcox
  • Windows Update Orchestrator unchecked ScheduleWork call
    Disclosure Date: 2019-11-04
    First seen: 2020-09-25
    exploit/windows/local/cve_2020_1313_system_orchestrator
    This exploit uses access to the UniversalOrchestrator ScheduleWork API call, which does not verify the caller's token before scheduling a job to be run as SYSTEM. The API does not allow the job to be scheduled for a specific time, so the payload will execute as SYSTEM at some point within the next 24 hours.
    Authors: Imre Rad, bwatters-r7
  • Microsoft Spooler Local Privilege Elevation Vulnerability
    Disclosure Date: 2019-11-04
    First seen: 2021-01-16
    exploit/windows/local/cve_2020_1337_printerdemon
    This exploit leverages a file write vulnerability in the print spooler service, which will restart if stopped. Because the service cannot be kept stopped long enough to remove the DLL, there is no way to remove the DLL once the service has loaded it. On default settings, this module effectively adds a permanent elevated backdoor.
    Authors: Peleg Hadar, Tomer Bar, 404death, sailay1996, bwatters-r7
8 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit the Metasploit web site for more details.