This module exploits a Time-Of-Check Time-Of-Use (TOCTOU) race condition within the Windows Defender remediation process to achieve arbitrary code execution with SYSTEM privileges. The exploit chain leverages the Windows Cloud Files API (cfapi) and an EICAR test string to purposely pause the antivirus engine's remediation thread using a Batch Oplock. During this suspended state, the module uses NTFS mount points (directory junctions) to redirect the highly privileged antivirus file operations from a temporary directory to a protected system folder (C:\Windows\System32). When the oplock is released, the antivirus mistakenly overwrites a legitimate system binary (TieringEngineService.exe) during its cleanup routine. The module then replaces this corrupted binary with a malicious payload and triggers a specific COM object to start the service, yielding a SYSTEM agent. The steps performed by the exploit are: Creates a decoy executable containing a dynamically generated EICAR test string within a temporary directory to trigger an immediate antimalware response. Registers the temporary directory as a Cloud Sync Root and converts the decoy file into a cloud placeholder to intercept system interactions. Freezes the highly privileged antivirus remediation thread at a precise moment by requesting a Batch Oplock that trips when the engine scans the placeholder file. Executes a TOCTOU race condition by renaming the original directory and replacing it with an NTFS mount point targeting C:\Windows\System32. Releases the oplock, tricking the antivirus engine into blindly overwriting the target service binary (TieringEngineService.exe) as part of its automated threat remediation. Replaces the overwritten service binary with the exploit payload and invokes the Tiering Management Engine COM object to start the service as NT AUTHORITY\SYSTEM. Creates a named pipe to get the current session id and executes an interactive CORE Impact agent directly into the target user's desktop session.

This module exploits a Time-Of-Check Time-Of-Use (TOCTOU) race condition within the Windows Defender signature update mechanism to achieve arbitrary code execution with SYSTEM privileges. The exploit chain leverages Cloud Files oplocks and an EICAR synchronization trigger to purposefully freeze Windows Defender's I/O operations. During this paused state, the module uses NTFS directory junctions and Object Manager symbolic links to redirect Defender's file access from a legitimate signature update file to the locked SAM database within a Volume Shadow Copy (VSS). After reading the SAM hive into memory, the module performs offline AES/DES decryption to harvest local NTLM hashes. Finally, it uses the pass-the-hash technique to temporarily reset an administrator's password, creates a self-deleting Windows service, and injects an interactive SYSTEM-level agent directly into the target user's desktop session. The steps performed by the exploit are: Downloads the Windows Defender signature update and extracts the required files directly into memory to evade disk-based detection. Freezes Windows Defender's file input/output operations at a precise moment by chaining an EICAR test file trigger with Cloud Files oplocks. Captures the exact object namespace path of the temporary Volume Shadow Copy (VSS) generated during Defender's remediation workflow. Executes a TOCTOU race condition using an NTFS junction and Object Manager symlink to trick Defender into opening the locked SAM database instead of the signature file. Reads the SAM database contents into memory and utilizes offline AES and DES decryption to extract local NTLM hashes. Employs a pass-the-hash technique to temporarily alter an administrator password, registers a self-deleting service to achieve SYSTEM privileges, and injects a CORE Impact agent into the active user's desktop session.

ATBroker.exe (Windows Accessibility Infrastructure) resolves AT configuration from the per-user ATConfig path but performs unsafe file/registry operations. A registry symlink race condition in the ATConfig handling lets a local attacker write arbitrary values into protected HKLM keys and redirect the configuration load to a malicious AT entry, leading to arbitrary code execution as SYSTEM. The steps performed by the exploit are: Write target value to ATConfig registry path Set oplock on oskmenu.xml Lock workstation Wait for oplock (user interaction) Start target service (run agent as SYSTEM)

An authorization bypass vulnerability exists in the AsIO3.sys functionality of Asus Armoury Crate. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit to elevate privileges are: Leak the address of the current thread Leak the address of the current process token Leak the address of the SYSTEM process token Trigger the vulnerability to bypass the authorization Abuse the driver to overwrite PreviousMode Replace the current process token with the SYSTEM token Restore original PreviousMode value

The Windows Cloud Files Mini Filter module (clfs.sys) present in Microsoft Windows is vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition, which can result in arbitrary file write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Start RasMan service Create sync root directory Create junction directory Create target junction and symlink Register sync root Create threads to exploit race condition and detect exploitation Trigger race condition Write the agent and execute it

The Agere Windows Modem module (ltmdm64.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Leak the address of the current process Leak the address of the System process Leak the address of the I/O ring Trigger the vulnerability to overwrite IoRing->RegBuffersCount Trigger the vulnerability to overwrite IoRing->RegBuffers Leak the address of the System process token using I/O ring Overwrite the current process token using I/O ring Reset IoRing->RegBuffersCount to 0 Inject the agent into an elevated process

The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Create target directory Perform a pool spray using pipes Creates two threads to win the race condition and trigger the UAF Use the RtlSetAllBits function to enable all privileges in the current process Inject a new agent into an elevated process to run as SYSTEM Successful exploitation is probabilistic and depends critically on two factors: CLFS internal state: The log container lifecycle must be coerced into the precise sequence that releases a vulnerable structure while references remain accessible. Interruptions (other CLFS activity, antivirus hooks, or system load) can alter timing and invalidate the race window. Pool spray: The density, timing, and size-class alignment of sprayed pipe allocations must closely match the freed allocation slot. Memory fragmentation, other kernel consumers, or spray volume reduce the odds of landing a controlled object in the target slot.

The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Leak the address of the current thread Leak the address of the current process token Leak the address of the SYSTEM process token Leak the address of the ExpProfileDelete kernel function Trigger the vulnerability to overwrite PreviousMode Replace the current process token with the SYSTEM token Restore original PreviousMode value

A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.

A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where /etc/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment, uploads a malicious /etc/nsswitch.conf which in turn calls a shared object that escalates privileges, the exploit is triggered when executing sudo with the -R flag pointing to the user controlled directory.