• Microsoft Error Reporting Local Privilege Elevation Vulnerability
    Disclosure Date: 2023-07-11
    First seen: 2023-10-08
    This module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
  • CVE-2023-21554 - QueueJumper - MSMQ RCE Check
    Disclosure Date: 2023-04-11
    First seen: 2023-09-11
    This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending an MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the integer wraps around and, depending on the length, could cause an out-of-bounds write. In the context of this module a response is sent back, which indicates that the system is vulnerable.
    Authors: Wayne Low, Haifei Li, Bastian Kanbach <bastian.kanbach@securesystems.de>
  • Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability
    Disclosure Date: 2023-04-11
    First seen: 2023-10-08
    A privilege escalation vulnerability exists in the clfs.sys driver, which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. The clfs.sys driver contains a function, CreateLogFile, that is used to create, open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly. This exploit makes use of two different kinds of specially crafted .blf files that are edited using the technique mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out-of-bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe that points to the address of the second type of .blf file, the trigger .blf file. The trigger .blf file is specially crafted to read the SYSTEM token and write it into the process of the exploit to achieve the local privilege escalation. The exploit creates a controlled memory space by first looping over the CreatePipe function to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files, which when opened fill the 0x90-byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space. This is a very brief, high-level overview of what the exploit is actually doing. For a more detailed and in-depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).
    Authors: Ricardo Narvaja, Esteban.kazimirow, jheysel-r7
  • Ancillary Function Driver (AFD) for WinSock Elevation of Privilege
    Disclosure Date: 2023-01-10
    First seen: 2023-09-11
    A vulnerability exists in the Windows Ancillary Function Driver for Winsock (`afd.sys`) that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in the January 2023 updates).
    Authors: chompie, b33f, Yarden Shafir, Christophe De La Fuente
  • Microsoft Office Word MSDTJS
    Disclosure Date: 2022-05-29
    First seen: 2022-12-23
    This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
  • User Profile Arbitrary Junction Creation Local Privilege Elevation
    Disclosure Date: 2022-03-17
    First seen: 2022-12-23
    The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919; however, both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user, and these credentials must also correlate with a user who has already logged in at least once before. Additionally, the current user running the exploit must have UAC set to the highest level, aka "Always Notify Me When", in order for the code to be executed as NT AUTHORITY\SYSTEM. Note however that "Always Notify Me When" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.
    Authors: KLINIX5, Grant Willcox
  • Win32k NtGdiResetDC Use After Free Local Privilege Elevation
    Disclosure Date: 2021-10-12
    First seen: 2022-12-23
    A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work.
    Authors: IronHusky, Costin Raiu, Boris Larin, Red Raindrop Team of Qi'anxin Threat Intelligence Center, KaLendsi, ly4k, Grant Willcox
  • Microsoft Office Word Malicious MSHTML RCE
    Disclosure Date: 2021-09-23
    First seen: 2022-12-23
    This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
  • Print Spooler Remote DLL Injection
    Disclosure Date: 2021-06-08
    First seen: 2022-12-23
    The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.
    Authors: Zhiniang Peng, Xuefeng Li, Zhipeng Huo, Piotr Madej, Zhang Yunhai, cube0x0, Spencer McIntyre, Christophe De La Fuente
