Exploits | Core Security

This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.

The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the Dacl AclSize field in a Security Descriptor. Since this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow , allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Sprays WNF objects to control heap layout. Calls NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer. Frees corrupted WNF objects and replaces them with IORING RegBuffers and PipeAttribute objects. Uses IORING RegBuffers to hijack pointers and gain arbitrary kernel R/W. Locates system EPROCESS and copies its token to the target process. Overwrites the current process token to gain SYSTEM privileges. Restores corrupted objects to avoid crashes.

This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. The module will trigger the vulnerability by crafting a Veeam.Backup.EsxManager.xmlFrameworkDs .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will execute system commands to deploy the agent.

This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin. This user is automatically suggested during the initial setup, but administrators may choose a different name. The exploit will only succeed if the username provided exists on the system. Successful exploitation provides full administrative access to the CrushFTP WebInterface. This exploit performs the following steps: 1. Authentication Bypass - Sends a request to the 'getUserList' endpoint (typically at /WebInterface/function/) using a crafted 'CrushAuth' cookie and 'Authorization' header. - If the server returns the list of users, the target is confirmed vulnerable. 2. User Enumeration - Parses the XML response to extract usernames and displays them in the module output. 3. Optional User Creation - If parameters new_username and new_userpass are provided, a new user is created via the setUserItem endpoint.

This module uses a message header injection vulnerability to deploy an agent in Apache Camel that will run with the same privileges as the webapp. First, this module will use the vulnerability to determine the underlying OS system and check if the target is vulnerable. If the underlying OS can be determined, then the target is assumed to be vulnerable and the vulnerability will be used again to deploy an agent.

The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Register a sync root and set its reparse point data Spray memory using WNF and ALPC Trigger the vulnerability to get an arbitrary write Overwrite the token privileges of current process Inject a new agent into an elevated process to run as SYSTEM

The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Initializes Native APIs by loading necessary Windows APIs for low-level operations Modifies the Registry to hijack WerFault.exe by setting a malicious Debugger key Locks Resources by creating lock files and manipulating registry keys to ensure uninterrupted execution Triggers the Vulnerability by calling ReportFault, forcing the Windows Error Reporting service to execute the malicious payload Escalates Privileges by executing arbitrary code with SYSTEM-level privileges through the hijacked WerFault.exe Cleans Up by removing traces like the Debugger key and temporary files to avoid detection.

The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. The steps performed by the exploit are: Create a crafted BLF file Trigger the vulnerability to get an arbitrary read/write primitive Get SYSTEM privileges by replacing the current process token

CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate system privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under selected path. Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF. Create a fake CClfsContainer object with a fake vtable that points to the address of nt!PoFxProcessorNotification. Write additional data in the allocated memory region such as the address of nt!DbgkpTriageDumpRestoreState and the address of _KTHREAD.PreviousMode of the current thread. Call again CreateLogFile(). When the PoC invokes CreateLogFile() on the malicious BLF the driver does the following at kernel level: Dereference the malicious CClfsContainer object at address 0x0000000002100000. Call nt!PoFxProcessorNotification. nt!PoFxProcessorNotification redirects the execution flow to nt!DbgkpTriageDumpRestoreState. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of 8 bytes (already discussed here). In this case it is exploited to overwrite the _KTHREAD.PreviousMode to 0 of the current thread, granting us arbitrary read/write primitives. Issue a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4). Restore _KTHREAD.PreviousMode to 1 with a final NtWriteVirtualMemory()

Subscribe to Exploits

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Impressum