The Protected Mode of Microsoft Internet Explorer can be bypassed by exploiting a logical flaw when checking the Integrity Level of a file. This vulnerability allows an agent running in the context of iexplore.exe with Low Integrity Level to install a new agent that will run with Medium Integrity Level, by launching the browser against an HTML file having Untrusted Integrity Level. This module needs to re-exploit Internet Explorer with any web browser exploit that has been proved successful against the target (i.e an exploit that was able to install an agent on the target). The user must specify the URL of any web browser exploit (typically the same one used to install the Low Integrity agent) which is already running in Core Impact through the BROWSER EXPLOIT URL parameter.

Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows to execute arbitrary code via crafted inputs to ASP pages.

When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is seted with the pseudo-handle 0xfffffffe or 0xffffffff by the callback function, the bug is triggered.

When the "CreateWindow" function is called, the Windows kernel calls to user through callbacks pushing in the stack many arguments to be used for the callback function. One argument of these is the hParent Window. After that, the windows kernel re-uses this argument. If this argument is modified by the callback function, the bug is triggered.

This module exploits a buffer overflow vulnerability in smcFanControl in Apple Mac OS X 10.4 that allows local users to get code execution with elevated privileges.

This module exploits a vulnerability in the The PPP daemon (pppd) in Apple Mac OS X which allows an attacker to load arbitrary plugins and gain root privileges by bypassing this check.

This module exploits a vulnerability on "i386_set_ldt" function of "mach_kernel" creating a "call gate" entry in the LDT. Then it jumps to the new call gate selector, setting from the ring 0 the UID and the EUID of the current process to ROOT ( ID 0 ).

This module exploits a format string vulnerability in CUPS lppasswd in Apple Mac OS X 10.5.6 that allows local users to get code execution with elevated privileges. Exploitation requires valid local user, with access to the lppasswd command. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the previous agent. However, the euid (as opposite to the uid) of the agent may be not that of the super user (usually is "nobody"), and by using the setuid module (see setuid module documentation), it can be changed to zero (root).

This module exploits a vulnerability in ARDAgent in Apple Mac OS X 10.4 and 10.5 that allows local users to gain privileges via an osascript tell command.

When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control of the process. Exception handlers however remain installed, and when some kind of hardware exception occurs, the exception handler can receive a new right to the task port as one of its arguments, and thus regain full control over the process. Interestingly, the code to reset the exception handlers (and hence thwart this attack) upon exec() of a setuid executable has been present in the kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.