The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Spray the memory with data queue entries Trigger the vulnerability to overwrite the victim data entry Leak adjacent pool memory and bypass KASLR Forge a data queue entry to get an arbitrary memory read Leak the address of the current process token Leak the address of the SYSTEM process token Create a new data queue entry and leak its IRP Forge an IRP and the data queue entry Read 1 byte to trigger the arbitrary write and get SYSTEM privileges

Afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management, where a temporary reference counter increment is improperly handled, leading to use-after-free scenarios. This occurs when accessing registered buffers for send/receive operations. The steps performed by the exploit are: Creates corrupt kernel structures Gets arbitrary read/write primitives Steals token for privilege escalation Restores system state Creates a new agent process running as SYSTEM

This module uses a stack-based buffer overflow vulnerability to deploy an agent in Ivanti Connect Secure that will run with the nr user privileges. First, this module will check if the target is an Ivanti Connect Secure appliance. If it is, it will determine if the target is vulnerable by retrieving it's version number using 2 different methods. Then, the module will try to leak the base address of the libdsplibs.so library. To perform this, a random endpoint will be registered in the local webserver. Then, the vulnerability will be used while bruteforcing the base address of the library in order to the execute a cURL command that will send the request to the registered random endpoint. Once the base address of the libdsplibs.so library is obtained, the vulnerability will be used one more time to deploy an agent.

This exploit leverages an Information Disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, it connects to the HTTP server and obtains the NTLM user hashes. This exploit does not install an agent, it manages to obtain the NTLM hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.

This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.

An SQL injection vulnerability in F5 BIG-IP Next Central Manager may allow unauthenticated remote attackers to bypass authentication in the target application. The vulnerability is reached via the /api/login endpoint. This module will use the vulnerability to retrieve the administrative user password hash.

This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401. Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). Before proceeding, it authenticates using an existing user, regardless of their privilege level, ensuring access to the system for subsequent stages. With the administrator key obtained, a new administrator user is created, along with an identity associated with this user, using the newly generated credentials. This identity enables reauthentication and the ability to perform elevated actions. Subsequently, the exploit executes arbitrary commands on the system using the privileges of the newly created administrator. Next, it installs an agent and escalates its privileges to root, exploiting the CVE-2024-24402 vulnerability. During this process, the exploit manages the npcd service binary: first, the original service is stopped, and a backup of the npcd binary is created in the /usr/local/nagios/bin/ directory as npcd.backup. Then, the agent binary is copied to the same directory under the name npcd, replacing the original binary. Finally, the npcd service is restarted to execute the agent. These steps result in a full system compromise, granting the attacker total remote control and the ability to execute arbitrary actions with root privileges.

The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Get kernel address of nt!SeDebugPrivilege Create a new thread to win the race condition Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege Create a new process running the agent as SYSTEM

An authentication bypass in Palo Alto Networks PAN-OS software(CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software(CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This module exploits these two vulnerabilities CVE-2024-0012 and CVE-2024-9474 in order to deploy an agent. The exploit does the following steps: Sends a request containing a header parameter for authentication bypass(CVE-2024-0012) to inject a command within a "user" request body parameter(CVE-2024-9474) and receive an elevated PHP user session ID(PHPSESSID) in the response, whereby the injected command is written to a local session cache file. Sends a request with the elevated PHPSESSID to trigger evaluation of the injected local session cache file. Repeats the process with all the necessary commands to deploy an agent.