This module exploits a vulnerability in the way that Microsoft Windows manages GDI kernel structures in shared memory. An attacker could remap a global shared memory section that is defined to be read-only to read-write allowing them to execute arbitrary code and gain additional privileges on the target system.

When the "vmci.sys" driver processes a crafted call from user an array index out of bound is exploited.

Using the VMWare VMCI Arbitrary Code Execution vulnerability it is possible run code in the host machine. This module sends a malformed message through hardware port to host exploiting the vmware-vmx.exe process and installing an agent. Source agent in guest machine must have administrator/system privileges.

This module takes advantage of this issue to escape the virtualized environment (Guest OS) and install an agent on the on the system that runs it (Host OS). This module searches all user Desktop folders on the host machine and modifies '.lnk' files in each one referencing the '.lnk' file to a new executable program (an agent file). When the user executes this '.lnk' file, an agent is installed and all '.lnk' files are restored to its previous reference.

The vmx86 kext ioctl handler, part of the VMware Fusion application, allow unprivileged process to initialize function pointers. This module exploits the vulnerability via the 0x802E564A ioctl, obtaining root privileges.

The KVMTest method in the com.ubuntu.USBCreator D-Bus service in Ubuntu Linux can invoke the 'kvm' binary with root privileges using an arbitrary environment provided by an unprivileged user. This flaw can be leveraged by a local unprivileged attacker to gain root privileges. The target system must have the 'kvm' binary in the search path (that usually means that the qemu-kvm package must be installed). Also, the system must have at least 768 Mb of free RAM at the moment the exploit is executed; otherwise the vulnerable service will refuse to run.

The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges.

This module exploits a privilege escalation vulnerability in the tmtdi.sys driver of Trend Micro Titanium Maximum Security and OfficeScan products. The vulnerable driver trusts a dword passed from user mode via IOCTL 0x220404, and interprets it as a function pointer without performing validations. This vulnerability allows unprivileged local users to execute code with SYSTEM privileges.

This module exploits a local vulnerability in Trend Micro IWSS to gain elevated privileges on the affected computer.

This module exploits a code execution vulnerability in the Veritas Web Server service by sending a specially crafted authentication request to the 14300/TCP port, allowing local users to gain elevated privileges.