Incorrect assumptions in the support code of legacy 16bit applications in Microsoft Windows operating systems allows local users to gain system privileges via the "NtVdmControl" system call.
When a crafted ".fon" file is loaded by Windows Kernel this produces a kernel heap overflow. This module exploits this vulnerability filling the kernel memory via heap spraying and building a fake chunk header.
This module exploits a stack overflow on kernel mode on win32k.sys via an unspecified desktop parameter.
This exploits sets the command history number in a value greater than 0x7fff. When a new command is sent to "cmd.exe", a CSRSS memory corruption is produced and the CSRSS process control is taken.
An error in the way that the Windows kernel handles string atoms when registering a new window class allows unprivileged users to re-register atoms of privileged applications. This vulnerability can be exploited by local unprivileged users to execute arbitrary code with SYSTEM privileges. This exploit will lock the machine screen (similar to pressing Ctrl+Alt+Del and then clicking on 'Lock this computer'), and the windows theming will be disabled until the machine is restarted.
This module exploits a double-free vulnerability in "afd.sys" by calling to "AfdTransmiteFile" function with crafted parameters.
This module exploits a vulnerability in Windows Ancillary function driver when the 0x1203F IOCTL in afd.sys is invoked with a specially crafted parameter. The IOCTL 0x1203F handler in the afd.sys function driver allows local users to overwrite memory and execute arbitrary code via malformed Interrupt Request Packet (Irp) parameters.
The Ancillary Function Driver (AFD.sys) present in Microsoft Windows is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x120BB) to the vulnerable driver.
The Ancillary Function Driver (AFD.sys) present in Microsoft Windows is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x12007) to the vulnerable driver.
This module uses two different strategies to bypass UAC. The first strategy uses the ICMLuaUtil elevated COM interface to execute a new agent with high integrity level. This method works on 32-bit systems, from Windows 7 up to the latest version. The second one leverages on the Program Compatibility Assistant (PCA) and environment variables expansion to perform a Dll hijack and run a new agent with high integrity level. This method works on 64-bit systems, from Windows 7 up to the latest version, and it is compatible with the highest UAC level (Always Notify).