FortiClient is prone to a privilege-escalation vulnerability that affects the mdare64_48.sys, mdare32_48.sys, mdare32_52.sys, mdare64_52.sys and Fortishield.sys drivers. All of these drivers expose an API for managing processes and the Windows registry; for instance, IOCTL 0x2220c8 of the mdareXX_XX.sys driver returns a fully privileged handle to a process with a given PID. The same function is replicated inside Fortishield.sys. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of any selected process. This module uses this vulnerability to inject an agent into the lsass.exe process.
An elevation-of-privilege vulnerability exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability lies in the Windows OS process of creating windows for applications. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. This module exploits this vulnerability to deploy an agent that runs with SYSTEM privileges.
When a Windows computer is joined to a domain, it normally downloads the "gpt.ini" file from the Domain Controller. If this file carries a new version number, there are new policies to download. When new policies are present, the client downloads the "gpttmpl.inf" file and applies the policies it contains. Using a "Man In The Middle" attack, this module intercepts the exchange described above and installs an agent running as the 'system' user.