This module exploits incorrect access control lists (ACLs) on the Registry keys for the Tracing Feature for Services. By modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc Registry key, it is possible for a limited account with impersonation privileges to force a SYSTEM service (IpHlpSvc) to connect to a controlled named pipe, and then impersonate IpHlpSvc in order to run arbitrary code with SYSTEM privileges. This module allows an agent running under an account with impersonation rights, like NETWORK SERVICE (for example, an agent running with the privileges of IIS 7.0 Worker Process on Windows Server 2008 SP2) to gain SYSTEM privileges.
This module exploits a vulnerability in the way that Microsoft Windows manages the RPCSS service and improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with System privileges.
The TCP/IP Driver (tcpip.sys) present in Microsoft Windows fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x00120028) to the vulnerable driver.
This module exploits a privilege escalation vulnerability in the Microsoft Windows Task Scheduler Service. This vulnerability is currently exploited by the Stuxnet malware.
This module exploits a privilege escalation vulnerability in Microsoft Windows by setting a specially crafted SystemDefaultEUDCFont value in the HKEY_CURRENT_USER\EUDC Registry key, and then calling EnableEUDC() function in GDI32 library. It allows local unprivileged users to execute arbitrary code with SYSTEM privileges.
On Intel CPUs, sysret to non-canonical addresses causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the current privilege level (CPL) is changed. Windows is vulnerable due to the way the Windows User Mode Scheduler handles system requests. This module exploits the vulnerability and installs an agent with system privileges.
This module takes advantage of an insufficient library path check in spoolsv.exe service to load a dll from an arbitrary directory with System user privileges.
The On-Screen Keyboard application of Microsoft Windows is prone to a privilege escalation vulnerability when handling mouse input originated from a process running with Low Integrity Level. This vulnerability allows an agent running with Low Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level, by sending mouse input to the On-Screen Keyboard when its input mode is set to "Hover over keys".
The MQ Access Control Driver (mqac.sys) present in Microsoft Windows is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x1965020F) to the vulnerable driver.