The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Create target directory Perform a pool spray using pipes Creates two threads to win the race condition and trigger the UAF Use the RtlSetAllBits function to enable all privileges in the current process Inject a new agent into an elevated process to run as SYSTEM Successful exploitation is probabilistic and depends critically on two factors: CLFS internal state: The log container lifecycle must be coerced into the precise sequence that releases a vulnerable structure while references remain accessible. Interruptions (other CLFS activity, antivirus hooks, or system load) can alter timing and invalidate the race window. Pool spray: The density, timing, and size-class alignment of sprayed pipe allocations must closely match the freed allocation slot. Memory fragmentation, other kernel consumers, or spray volume reduce the odds of landing a controlled object in the target slot.
This module exploits a Server-Side Request Forgery via the getUiType parameter in the /OA_HTML/configurator/UiServlet endpoint of Oracle E-Business Suite to deploy an agent. First, the module will register an endpoint in the local webserver that will be used in the attack to send a xsl file to the target that will execute system commands to deploy the agent. Then, it will retrieve a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints. Finally, it will use the Server-Side Request Forgery vulnerability combined with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint that will trigger a GET HTTP request to the local webserver, which will, in turn, deliver the xsl file that will deploy the agent. The deployed agent will run with the oracle user account privileges.
This module exploits an OS Command Injection present in the getCASURL perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands to deploy the agent in a request to the /misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.
The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Leak the address of the current thread Leak the address of the current process token Leak the address of the SYSTEM process token Leak the address of the ExpProfileDelete kernel function Trigger the vulnerability to overwrite PreviousMode Replace the current process token with the SYSTEM token Restore original PreviousMode value
This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If the credentials for the new administrative user are not provided, the module will generate random ones. If the exploitation succeeds the credentials will be checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials will be created. Since this modules uses a race condition to exploit the vulnerability, the MAX_TRIES parameter can be used to limit the amount of requests that will be sent to the target system.
A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets. Exploitation requires no authentication or user interaction. Attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10). This exploit performs the following steps: Obtains the data needed to launch the attack, such as local device ID and target MAC address. sets the IPv6 headers. Builds specially crafted packets affecting the IPv6 stack (tcpip.sys driver) Sends packets to the target causing a denial of service. Check if the remote machine is down due to Blue Screen of Death (BSOD)
This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403: an authentication bypass vulnerability that allow access to the adminServer classes. This module will perform the following steps: If no username and password are provided, the module will use the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY/SYSTEM user. If a username and password are provided, then those credentials will be used for authentication. Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. Then, it will use the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin. Then, use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface. Then, use the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload to deploy an agent inside the Progress\\OpenEdge\\properties\\ubroker.properties file. An entry to an application *service* will be added. Finally, it will use again the doRemoteToolCmd method to start a process that will use the parameters added in the previous step. All requests to target will be made using Java RMI requests
This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender. The vulnerability can be exploited remotely by an authenticated user with low privileges, especially on a domain controller.
Subscribe to Impact