The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Leak the address of the current thread Leak the address of the current process token Leak the address of the SYSTEM process token Leak the address of the ExpProfileDelete kernel function Trigger the vulnerability to overwrite PreviousMode Replace the current process token with the SYSTEM token Restore original PreviousMode value

This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If the credentials for the new administrative user are not provided, the module will generate random ones. If the exploitation succeeds the credentials will be checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials will be created. Since this modules uses a race condition to exploit the vulnerability, the MAX_TRIES parameter can be used to limit the amount of requests that will be sent to the target system.

A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets. Exploitation requires no authentication or user interaction. Attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10). This exploit performs the following steps: Obtains the data needed to launch the attack, such as local device ID and target MAC address. sets the IPv6 headers. Builds specially crafted packets affecting the IPv6 stack (tcpip.sys driver) Sends packets to the target causing a denial of service. Check if the remote machine is down due to Blue Screen of Death (BSOD)

This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. This module may also abuse CVE-2024-1403: an authentication bypass vulnerability that allow access to the adminServer classes. This module will perform the following steps: If no username and password are provided, the module will use the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY/SYSTEM user. If a username and password are provided, then those credentials will be used for authentication. Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. Then, it will use the getPlugins method of the previous class to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin. Then, use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface. Then, use the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload to deploy an agent inside the Progress\\OpenEdge\\properties\\ubroker.properties file. An entry to an application *service* will be added. Finally, it will use again the doRemoteToolCmd method to start a process that will use the parameters added in the previous step. All requests to target will be made using Java RMI requests

This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender. The vulnerability can be exploited remotely by an authenticated user with low privileges, especially on a domain controller.

A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.

An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server usernames are processed, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. Extracts the session cookie (UID). The server responds with a UID cookie in Set-Cookie. Uses the extracted UID cookie to access dir.html. Requests and execute the necessary files to install an agent.

This vulnerability (CVE-2024-28987) is caused by the presence of hardcoded credentials in the application, allowing unauthenticated attackers to remotely read and modify all help desk ticket details. It enables authentication with a predefined account (helpdeskIntegrationUser/dev-C4F8025E7) Affected versions include SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions. An attacker exploiting this vulnerability can: - Access the REST API without requiring valid credentials. - Retrieve sensitive information from support tickets. - Read private ticket details, including internal comments. - Access confidential data, such as shared account credentials or passwords from reset requests. - Modify existing tickets, altering their content or status. - Create new tickets with false or malicious information. This exploit leverages hardcoded credentials to authenticate via Basic Authentication and interact with the SolarWinds Web Help Desk API. Steps performed by the exploit: 1 Authentication to the API - Sends a Basic Authentication request to the /OrionTickets endpoint. - If the request returns ticket data, the target is confirmed to be vulnerable. 2 Retrieving help desk tickets - Fetches all available tickets from the system. 3 Creating a new ticket (optional) - If specified as a parameter, the exploit creates a new ticket in the system. - The ticket is generated with user-defined subject and details. 4 Saving tickets to a file (optional) - The retrieved tickets can be saved to a file if a path is provided. 5 Fetching additional ticket details (optional) - The exploit can request detailed information for each ticket.

An authentication bypass vulnerability in Progress OpenEdge allows unauthenticated remote attackers to authenticate in the target application as NT AUTHORITY/SYSTEM. The vulnerability is present in the native system library auth.dll, and is reached via the authorizeUser function. This module performs the vulnerability verification by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. All requests to target will be made using Java RMI requests.