Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

This module allow to set a short name 8.3 of a file when you don't have write privileges to the directory where the file is located.The vulnerability exists due to NtfsSetShortNameInfo does not properly impose security restrictions in NTFS Set Short Name, which leads to security restrictions bypass and privilege escalation. SETTING THE STAGE. Log in as a normal user in the target machine, and create a txt file in root accepting the UAC prompts for the administrator, verify that you can write to this file, next pass the path to the file to the checker's TARGET_FILE_PATH argument, create the agent as normal user and use the checker, if the machine is vulnerable the ShortName of the file will be changed and displayed albeit you has no permission to do it in this folder

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. It must be executed on an agent with root privileges only for linux system.

Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet. The "Mark Of The Web" is not transferred from the Zipped File into the Unzipped File if the target is vulnerable.

This module executes a program designed to check for a buffer overflow in glibc's getaddrinfo function. Multiple stack-based buffer overflows in the send_dg and send_vc functions in the libresolv library in the GNU C Library allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family.

This module executes a program designed to test a buffer overflow in glibc's __nss_hostname_digits_dots function. The function is used by the gethostbyname*() functions family used for name resolution. Under some circumstances, the use of those functions when the vulnerable underlying function is present, may lead to remote code execution, privilege escalation, or information disclosure.

The vulnerability relates to the use of Windows .URL files to execute a remote binary via a UNC path. When the targeted user opens or previews the .URL file (for example, from an email), the system attempts to access the specified path (for example, a WebDAV or SMB share), resulting in the execution of arbitrary code.

An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.

This module exploits a vulnerability in Microsoft Management Console (MMC). This module runs a malicious web server on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web server. The Microsoft Management Console contains a security flaw that allows remote code execution via malicious .msc files with embedded ActiveX control. An attacker sends a crafted .msc file with embedded ActiveX containing a link to a malicious server. The server executes a script to fetch a PowerShell file ultimately deploying an agent.

This module uses an authenticated PHP object deserialization vulnerability to deploy an agent in Roundcube Webmail that will run with the same privileges as the webapp. The module will use the given credentials to authenticate against Roundcube Webmail in the target. Then, it will generate a payload for agent deployment and abuse the _from parameter defined in the upload.php file to inject it in the $_SESSION variable. This variable will be processed by the unserialize function in the rcube_session class. Finally, the module will proceed to logout from the webapp to trigger the PHP object deserialization vulnerability and deploy the agent.