This module takes advantage of an insufficient library path check in spoolsv.exe service to load a dll from an arbitrary directory with System user privileges.

This module exploits a vulnerability in the Microsoft Windows via a specially crafted set of OpenType Postscript fonts.

The On-Screen Keyboard application of Microsoft Windows is prone to a privilege escalation vulnerability when handling mouse input originated from a process running with Low Integrity Level. This vulnerability allows an agent running with Low Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level, by sending mouse input to the On-Screen Keyboard when its input mode is set to "Hover over keys".

The MQ Access Control Driver (mqac.sys) present in Microsoft Windows is vulnerable to an arbitrary pointer overwrite. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by sending a specially crafted IOCTL (0x1965020F) to the vulnerable driver.

This module exploits a vulnerability in Windows kernel ("ndproxy.sys" driver) by calling to the "DeviceIoControl" function with crafted parameters.

Incorrect assumptions in the support code of legacy 16bit applications in Microsoft Windows operating systems allows local users to gain system privileges via the "NtVdmControl" system call.

When a crafted ".fon" file is loaded by Windows Kernel this produces a kernel heap overflow. This module exploits this vulnerability filling the kernel memory via heap spraying and building a fake chunk header.

This module exploits a stack overflow on kernel mode on win32k.sys via an unspecified desktop parameter.

This exploits sets the command history number in a value greater than 0x7fff. When a new command is sent to "cmd.exe", a CSRSS memory corruption is produced and the CSRSS process control is taken.