This module abuses insufficient validation in the unauthenticated JCE profiles.import endpoint to upload a crafted profile file with a PHP extension. When the file is written under the Joomla tmp directory and executed by the web server, it provides a command execution primitive. 1. Fingerprints the JCE Editor component and checks the detected version. 2. Extracts a Joomla CSRF token from the site root. 3. Uploads a PHP command runner through the vulnerable profiles.import task. 4. Verifies code execution from the Joomla tmp directory. 5. Detects the target operating system through the command runner. 6. Uses the resulting command primitive to commit an OSCI agent or deploy a network agent.
This module exploits the RoguePlanet local privilege escalation vulnerability in Microsoft Defender to execute a Core Impact agent with SYSTEM privileges. The exploit abuses Defender's privileged remediation workflow. RoguePlanet first prepares an attacker-controlled Windows Error Reporting path under a writable temporary directory and forces Defender to scan it. While Defender is cleaning the detected content, the trigger uses file-system synchronization primitives to redirect operations that started in the temporary tree so they later resolve inside the native Windows directory. After the Windows Error Reporting executable is reached through that redirected path, the module triggers the Windows Error Reporting scheduled task. When the executable starts as SYSTEM, RoguePlanet uses its named-pipe handoff to duplicate the SYSTEM token into the interactive session and launch the staged Core Impact agent. Because the primitive depends on race timing, the module records trigger output, retries failed attempts, verifies the returned agent privileges, and restores the original Windows Error Reporting executable. The public RoguePlanet proof of concept reports reliable exploitation on some systems and intermittent failures on others due to race timing. The exploit has been reported as tested against Windows 10 and Windows 11 systems with June 2026 patches installed. The steps performed by the exploit are: Resolves the native Windows and temporary paths, backs up the Windows Error Reporting executable, and stages the Core Impact agent with the RoguePlanet trigger. Starts the trigger as the current non-SYSTEM user. The trigger creates the RoguePlanet named pipe, mounts its embedded ISO, and creates a controlled temporary System32\\wermgr.exe path. Calls Defender through MpClient.dll so MpScanStart detects the staged content and MpCleanStart begins privileged remediation against the controlled path. Coordinates the race by watching for the new shadow-copy device, opening the staged file's alternate data stream, using oplocks and ReadDirectoryChangesW for timing, and repeatedly swapping directories with junctions. Turns the parent temporary directory into a junction to the native Windows directory so Defender cleanup and Windows Error Reporting file operations resolve to the real Windows Error Reporting executable. Triggers the \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting scheduled task, causing Windows Error Reporting to start as SYSTEM. Completes the SYSTEM handoff over the RoguePlanet named pipe, duplicates the SYSTEM token into the pipe server's session, and launches the staged Core Impact agent with CreateProcessAsUserA. Captures trigger output, retries timing-dependent failures, verifies SYSTEM privileges, and restores the backed-up executable.
This module performs profile-driven HTTP/2 HPACK bomb denial-of-service attacks against vulnerable servers. The module selects the requested profile and applies its default attack parameters unless PORT, CONNECTIONS or STREAMS are overridden. It verifies target reachability and, when required, records a pre-attack TCP or TLS latency baseline. It then establishes HTTP/2 sessions by negotiating h2, sending the client preface, and completing the initial SETTINGS exchange. After setup, it sends profile-specific HPACK bomb payloads through HEADERS and CONTINUATION frames across multiple streams. These payloads force the server to expand small compressed header blocks into much larger in-memory header state or repeated header reconstruction work. The attacked streams are held open for a profile-specific interval, optionally using WINDOW_UPDATE drips to keep server-side state active. Finally, the module determines success from post-attack liveness, latency degradation, or recovery behavior, depending on the selected profile. Blank parameters inherit the selected profile defaults. Most profiles require TLS plus ALPN h2 support in the runtime SSL stack. Pingora can be used over cleartext h2c by disabling USE TLS.
This module exploits an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve arbitrary code execution with SYSTEM privileges. The vulnerability resides in the HsmOsBlockPlaceholderAccess routine and abuses the Cloud Files abort hydration path to create attacker-controlled registry keys in the .DEFAULT user hive without proper access checks. MiniPlasma is the same issue previously tracked as CVE-2020-17103, which was reported by Google Project Zero and later claimed to be patched, but it remains exploitable on current Windows builds. The steps performed by the exploit are: Creates a controlled Cloud Files synchronization root and uses the abort hydration path to trigger the race condition. Redirects privileged registry key creation into the .DEFAULT user hive. Abuses the writable .DEFAULT Volatile Environment registry key to control the windir environment used by a SYSTEM process. Triggers the elevated process to launch a CORE Impact agent with SYSTEM privileges in the target user's interactive session.
This module abuses Jolokia access to invoke the ActiveMQ Broker MBean addNetworkConnector operation. The crafted connector uses the VM transport brokerConfig option to load a Spring XML document from the IMPACT web server. The XML instantiates java.lang.ProcessBuilder and executes the agent deployment command sequence. The exploitation process performs the following steps: Starts the IMPACT web server and registers a randomized Spring XML payload path. Checks that the target Jolokia endpoint is reachable with the configured credentials. Discovers the ActiveMQ broker name through Jolokia, or uses the configured broker name when provided. Builds a malicious network connector URI using vm:// and brokerConfig=xbean to reference the Spring XML payload hosted by IMPACT. Sends a Jolokia exec request to call addNetworkConnector(java.lang.String) on the ActiveMQ Broker MBean. Waits for the target to fetch the Spring XML payload and execute the generated agent deployment command sequence. The deployed agent will run with the same privileges as the Apache ActiveMQ service.
This module exploits CVE-2026-33017 by abusing Langflow's public temporary flow build endpoint to inject and execute a custom component. The component runs operating system commands through the Langflow Python process. If AUTO_LOGIN is enabled on the target, the module can automatically create a public flow. Otherwise, provide a known public FLOW ID. If no FLOW ID is provided, the module can use AUTO_LOGIN to obtain an access token and create a public Langflow flow. The module then submits a crafted temporary custom component to the /api/v1/build_public_tmp/{flow_id}/flow endpoint. That component executes operating system commands through the Langflow Python process and returns command output through Langflow build events. When DEPLOY OSCI AGENT is enabled, the module commits an OSCI agent that reuses the same Langflow primitive to relaunch commands later. When DEPLOY NETWORK AGENT is enabled, the module stages an Impact payload from the embedded web server and launches it through the vulnerable Langflow service. The module polls Langflow job events to track execution and confirm whether command execution or agent deployment succeeded. The deployed agent will run with the privileges of the Langflow service account.
This module exploits a Time-Of-Check Time-Of-Use (TOCTOU) race condition within the Windows Defender remediation process to achieve arbitrary code execution with SYSTEM privileges. The exploit chain leverages the Windows Cloud Files API (cfapi) and an EICAR test string to purposely pause the antivirus engine's remediation thread using a Batch Oplock. During this suspended state, the module uses NTFS mount points (directory junctions) to redirect the highly privileged antivirus file operations from a temporary directory to a protected system folder (C:\Windows\System32). When the oplock is released, the antivirus mistakenly overwrites a legitimate system binary (TieringEngineService.exe) during its cleanup routine. The module then replaces this corrupted binary with a malicious payload and triggers a specific COM object to start the service, yielding a SYSTEM agent. The steps performed by the exploit are: Creates a decoy executable containing a dynamically generated EICAR test string within a temporary directory to trigger an immediate antimalware response. Registers the temporary directory as a Cloud Sync Root and converts the decoy file into a cloud placeholder to intercept system interactions. Freezes the highly privileged antivirus remediation thread at a precise moment by requesting a Batch Oplock that trips when the engine scans the placeholder file. Executes a TOCTOU race condition by renaming the original directory and replacing it with an NTFS mount point targeting C:\Windows\System32. Releases the oplock, tricking the antivirus engine into blindly overwriting the target service binary (TieringEngineService.exe) as part of its automated threat remediation. Replaces the overwritten service binary with the exploit payload and invokes the Tiering Management Engine COM object to start the service as NT AUTHORITY\SYSTEM. Creates a named pipe to get the current session id and executes an interactive CORE Impact agent directly into the target user's desktop session.
This module exploits a Time-Of-Check Time-Of-Use (TOCTOU) race condition within the Windows Defender signature update mechanism to achieve arbitrary code execution with SYSTEM privileges. The exploit chain leverages Cloud Files oplocks and an EICAR synchronization trigger to purposefully freeze Windows Defender's I/O operations. During this paused state, the module uses NTFS directory junctions and Object Manager symbolic links to redirect Defender's file access from a legitimate signature update file to the locked SAM database within a Volume Shadow Copy (VSS). After reading the SAM hive into memory, the module performs offline AES/DES decryption to harvest local NTLM hashes. Finally, it uses the pass-the-hash technique to temporarily reset an administrator's password, creates a self-deleting Windows service, and injects an interactive SYSTEM-level agent directly into the target user's desktop session. The steps performed by the exploit are: Downloads the Windows Defender signature update and extracts the required files directly into memory to evade disk-based detection. Freezes Windows Defender's file input/output operations at a precise moment by chaining an EICAR test file trigger with Cloud Files oplocks. Captures the exact object namespace path of the temporary Volume Shadow Copy (VSS) generated during Defender's remediation workflow. Executes a TOCTOU race condition using an NTFS junction and Object Manager symlink to trick Defender into opening the locked SAM database instead of the signature file. Reads the SAM database contents into memory and utilizes offline AES and DES decryption to extract local NTLM hashes. Employs a pass-the-hash technique to temporarily alter an administrator password, registers a self-deleting service to achieve SYSTEM privileges, and injects a CORE Impact agent into the active user's desktop session.
ATBroker.exe (Windows Accessibility Infrastructure) resolves AT configuration from the per-user ATConfig path but performs unsafe file/registry operations. A registry symlink race condition in the ATConfig handling lets a local attacker write arbitrary values into protected HKLM keys and redirect the configuration load to a malicious AT entry, leading to arbitrary code execution as SYSTEM. The steps performed by the exploit are: Write target value to ATConfig registry path Set oplock on oskmenu.xml Lock workstation Wait for oplock (user interaction) Start target service (run agent as SYSTEM)
This vulnerability involves the improper neutralization of special elements used in a command ('command injection') in Windows MSHTML, allowing an unauthorized attacker to execute a crafted DLL file located in a shared folder and bypass Mark of the Web. The steps performed by the exploit are: Creates a DLL containing an Impact agent and places it in an SMB file share. It also creates an .lnk file for direct access. Using the provided link, download the .lnk file in the browser. Because some browsers may change the .lnk extension, you can set ATTACH_FILE_NAME to end with .zip to send the .lnk inside a ZIP file. If necessary, unzip the file and run the .lnk file. Alternatively, run the .lnk directly from the SMB share using the direct link. If the target can access the SMB share on the Impact machine, the agent will be deployed without Mark of the Web or popup warnings.