The IESetProtectedModeRegKeyOnly() function in the ieframe.dll library of Microsoft Internet Explorer calls the RegCreateKeyEx registry function when running with Medium Integrity Level over a registry key that is writable by a sandboxed IE instance. This can be abused to overwrite IE's Elevation Policy by creating symbolic links in the Windows Registry in order to escape from the Internet Explorer Protected Mode sandbox. This module allows an agent running in the context of iexplore.exe with Low Integrity Level/AppContainer Integrity Level to escalate privileges in order to install a new agent that will run with Medium Integrity Level.
The Protected Mode of Microsoft Internet Explorer can be bypassed by exploiting a logical flaw when checking the Integrity Level of a file. This vulnerability allows an agent running in the context of iexplore.exe with Low Integrity Level to install a new agent that will run with Medium Integrity Level, by launching the browser against an HTML file having Untrusted Integrity Level. This module needs to re-exploit Internet Explorer with any web browser exploit that has proved successful against the target (i.e. an exploit that was able to install an agent on the target). The user must specify, through the BROWSER EXPLOIT URL parameter, the URL of any web browser exploit (typically the same one used to install the Low Integrity agent) that is already running in Core Impact.
Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows execution of arbitrary code via crafted inputs to ASP pages.
When the "CreateWindow" function is called, the Windows kernel calls back into user mode, pushing many arguments onto the stack for use by the callback function. One of these arguments is the hParent window. Afterwards, the Windows kernel re-uses this argument. If the callback function sets this argument to the pseudo-handle 0xfffffffe or 0xffffffff, the bug is triggered.
When the "CreateWindow" function is called, the Windows kernel calls back into user mode, pushing many arguments onto the stack for use by the callback function. One of these arguments is the hParent window. Afterwards, the Windows kernel re-uses this argument. If this argument is modified by the callback function, the bug is triggered.
There is an exploitable buffer overflow in the SSINC.DLL file used by Microsoft IIS 5.0. The problem is triggered by including sufficiently long filenames in any ASP file. After successful exploitation an agent will be installed. The process being exploited is usually run as an IUSR or IWAM user, specially created for IIS to answer anonymous requests. If this condition is present, the newly deployed agent will run as an unprivileged user. In most cases, the RevertToSelf Win32 API call, available through the RevertToSelf module (see "RevertToSelf"), can be used to replace the current process access token with the saved one, usually SYSTEM, thus effectively gaining full control of the target host.
IBM Director is prone to a privilege-escalation vulnerability that affects the CIM server. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of the CIM server process.
This module exploits a vulnerability in the ESET Smart Security EPFW.SYS driver when handling a specially crafted IOCTL request. The vulnerability allows local users to overwrite memory and execute arbitrary code via malformed I/O Request Packet (IRP) parameters.
This module exploits a vulnerability in the ElbyCDIO.SYS driver when handling a specially crafted IOCTL request. The vulnerability allows local users to overwrite memory and execute arbitrary code via malformed I/O Request Packet (IRP) parameters.
Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.