This module exploits a vulnerability in win32k.sys by creating special Windows menus with crafted parameters.
This module exploits a design flaw in Microsoft Windows. By spoofing NBNS responses, an unprivileged user can abuse a local HTTP->SMB credentials reflection vulnerability to install an agent. If that approach fails, on supported platforms the exploit falls back to a local WEBDAV->SMB credential reflection (MS16-075).
This module exploits a vulnerability in Microsoft Windows MRXDAV.SYS driver. This vulnerability allows a local attacker to execute arbitrary code with SYSTEM privileges in a vulnerable target.
This module exploits a vulnerability in the Linux kernel related to the netfilter target_offset field. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges.
The ioctl handler in the atkbd keyboard driver in FreeBSD is prone to a signedness error, which can lead to a buffer overflow in the kernel when processing a SETFKEY ioctl message with specially crafted values. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges. In order to reach the vulnerable code in the keyboard driver, the exploit needs a virtual terminal (/dev/ttyv*) allocated for the user under which the initial agent is running. Virtual terminals are allocated when a user logs into the physical machine, as opposed to the pseudo-terminals (/dev/pts/*) which are allocated when accessing a system via a SSH shell, for example. This module can be configured to keep waiting for an accessible virtual terminal, by setting the Advanced/TIME LIMIT parameter to the desired maximum amount of minutes to wait for.
Wireshark is prone to a vulnerability that may allow execution of riched20.dll.dll if this module is located in the same folder than .PCAP file.
The specific flaw exists in the handling of LeviStudio Project files. By providing an overly long HmiSet Type XML attribute, an attacker can overflow a stack-based buffer and execute arbitrary code in the context of the current process. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.
The vulnerability exists within the AxEditGrid ActiveX control's Insert property. This module runs a web server waiting for vulnerable clients (Internet Explorer 8) to connect to it.
Arbitrary Write in Rockwell Automation Connected Components Workbrench allows remote attackers to execute arbitrary code. This module runs a web server waiting for vulnerable clients (Internet Explorer 11) to connect to it.
When a special NBNS request is received by this module, it starts to answer to the client by flooding responses with the name specified by the "NAME TO BE SPOOFED" parameter and the IP address specified by the "NAME's IP TO BE SPOOFED" parameter. When three NBNS request packets are received from the target, this module answers the request by sending responses to the target during 'n' seconds (parameter "Flooding time per target connection"). After that, if an HTTP request asking for "/lala2.bmp" is received, it means the target was convinced to use the spoofed name sent during the attack. When it happens, this module confirms that the attack was successful.