The TCP/IP Driver (tcpip.sys) present in Microsoft Windows fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x00120028) to the vulnerable driver.
This module exploits a privilege escalation vulnerability in the Microsoft Windows Task Scheduler Service. This vulnerability is currently exploited by the Stuxnet malware.
This module exploits a privilege escalation vulnerability in Microsoft Windows by setting a specially crafted SystemDefaultEUDCFont value in the HKEY_CURRENT_USER\EUDC Registry key, and then calling EnableEUDC() function in GDI32 library. It allows local unprivileged users to execute arbitrary code with SYSTEM privileges.
On Intel CPUs, sysret to non-canonical addresses causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the current privilege level (CPL) is changed. Windows is vulnerable due to the way the Windows User Mode Scheduler handles system requests. This module exploits the vulnerability and installs an agent with system privileges.
This module takes advantage of an insufficient library path check in spoolsv.exe service to load a dll from an arbitrary directory with System user privileges.
This module exploits a vulnerability in the Microsoft Windows via a specially crafted set of OpenType Postscript fonts.
The On-Screen Keyboard application of Microsoft Windows is prone to a privilege escalation vulnerability when handling mouse input originated from a process running with Low Integrity Level. This vulnerability allows an agent running with Low Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level, by sending mouse input to the On-Screen Keyboard when its input mode is set to "Hover over keys".
The MQ Access Control Driver (mqac.sys) present in Microsoft Windows is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x1965020F) to the vulnerable driver.
This module exploits a vulnerability in Windows kernel ("ndproxy.sys" driver) by calling to the "DeviceIoControl" function with crafted parameters.