This module exploits a design flaw in Microsoft Windows. By spoofing NBNS responses, an unprivileged user can abuse a local HTTP->SMB credentials reflection vulnerability to install an agent. If that approach fails, on supported platforms the exploit falls back to a local WEBDAV->SMB credential reflection (MS16-075).
The ioctl handler in the atkbd keyboard driver in FreeBSD is prone to a signedness error, which can lead to a buffer overflow in the kernel when processing a SETFKEY ioctl message with specially crafted values. This vulnerability can be exploited by a local unprivileged attacker to gain root privileges. In order to reach the vulnerable code in the keyboard driver, the exploit needs a virtual terminal (/dev/ttyv*) allocated for the user under which the initial agent is running. Virtual terminals are allocated when a user logs into the physical machine, as opposed to the pseudo-terminals (/dev/pts/*) which are allocated when accessing a system via a SSH shell, for example. This module can be configured to keep waiting for an accessible virtual terminal, by setting the Advanced/TIME LIMIT parameter to the desired maximum amount of minutes to wait for.
This module exploits a user-after-free vulnerability in the Linux Kernel. When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user.
Subscribe to Privilege Escalation