An elevation of privilege vulnerability exists when the Windows kernel improperly handles window broadcast messages. This module exploits the vulnerability and installs an agent running as a medium-integrity process.
When the "DisplayConfigGetDeviceInfo" function is called with crafted parameters, a heap overflow is triggered in the Windows kernel.
When a crafted ".TTF" file is loaded by the Windows kernel, a kernel heap overflow occurs. This module exploits the vulnerability by filling kernel memory via heap spraying and building a fake chunk header.
This module exploits incorrect access control lists (ACLs) on the Registry keys for the Tracing Feature for Services. By modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc Registry key, a limited account with impersonation privileges (SeImpersonatePrivilege) can force a SYSTEM service (IpHlpSvc) to connect to a named pipe it controls, and then impersonate IpHlpSvc in order to run arbitrary code with SYSTEM privileges. This module allows an agent running under an account with impersonation rights, such as NETWORK SERVICE (for example, an agent running with the privileges of the IIS 7.0 worker process on Windows Server 2008 SP2), to gain SYSTEM privileges.
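The precondition the module above depends on is a write-capable ACE for a non-administrative principal on a key under HKLM\SOFTWARE\Microsoft\Tracing, since the values under those keys control where the service writes its trace file. The following PowerShell check is an added example, not part of the module or the original page: it walks the Tracing keys and reports every Allow ACE that grants SetValue, CreateSubKey or WriteKey to a principal outside an assumed baseline of trusted identities (the baseline list is an assumption; adjust it to the host's policy).

```powershell
# Added example: audit the Tracing Feature for Services registry keys for
# write access granted to non-administrative principals.
# Not part of the exploit module described above.

$TracingRoot = 'HKLM:\SOFTWARE\Microsoft\Tracing'

# Rights that allow a caller to change the tracing values (and so redirect
# the service's trace output). FullControl ACEs contain these bits too,
# so they are caught without being listed explicitly.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey

# Assumed baseline of principals for which write access is expected.
$Trusted = @('NT AUTHORITY\SYSTEM',
             'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller',
             'CREATOR OWNER')

function Get-WeakTracingAcl {
    param([string]$Root = $TracingRoot)

    # The root key plus every subkey (one per traced service, e.g. IpHlpSvc).
    $keys = @(Get-Item -Path $Root -ErrorAction Stop) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = $key.GetAccessControl()
        foreach ($ace in $acl.Access) {
            # Only Allow entries can grant the write rights we care about.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Skip principals that are expected to hold write access.
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            # Report the ACE only if it carries at least one write bit.
            if (($ace.RegistryRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Key       = $key.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakTracingAcl | Sort-Object Key, Identity | Format-Table -AutoSize
```

Run it from an elevated prompt so that every subkey's security descriptor can be read; an empty result means no principal outside the baseline can modify the tracing configuration. Rights that surface as negative integers are unmapped generic access masks and are worth inspecting by hand rather than ignoring.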
This module exploits a vulnerability in the way that Microsoft Windows manages the RPCSS service and improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with SYSTEM privileges.
The TCP/IP Driver (tcpip.sys) present in Microsoft Windows fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x00120028) to the vulnerable driver.
This module exploits a privilege escalation vulnerability in the Microsoft Windows Task Scheduler Service. This vulnerability is currently exploited by the Stuxnet malware.
This module exploits a privilege escalation vulnerability in Microsoft Windows by setting a specially crafted SystemDefaultEUDCFont value under the HKEY_CURRENT_USER\EUDC Registry key, and then calling the EnableEUDC() function in the GDI32 library. It allows local unprivileged users to execute arbitrary code with SYSTEM privileges.
On Intel CPUs, a sysret to a non-canonical address causes a fault on the sysret instruction itself, after the stack pointer has already been switched to the user-mode value but before the current privilege level (CPL) is changed, so the fault handler runs in kernel mode on a stack pointer the attacker controls. Windows is vulnerable due to the way the Windows User Mode Scheduler handles system requests. This module exploits the vulnerability and installs an agent with SYSTEM privileges.