This exploit leverages an information disclosure vulnerability in Microsoft Windows. By crafting a malicious .library-ms file, an attacker can coerce authentication to an untrusted server and steal NTLMv2 hashes. This exploit does not install an agent, it manages to obtain the NTLMv2 hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This module exploits an arbitrary file deletion vulnerability that allows an unprivileged user to delete files in protected folders. Before deleting the file, the module backs up the file to the user's temporary folder.

This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.

This module uses a XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage java class and accessed via the /mdm/serverurl endpoint to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line. The module will create a new identity with these credentials. Then, with the main administrator credentials, the module will login in the application and then use the authenticated OS command injection via the /API.jsp endpoint to execute system commands to deploy the agent.

The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the Dacl AclSize field in a Security Descriptor. Since this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow , allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Sprays WNF objects to control heap layout. Calls NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer. Frees corrupted WNF objects and replaces them with IORING RegBuffers and PipeAttribute objects. Uses IORING RegBuffers to hijack pointers and gain arbitrary kernel R/W. Locates system EPROCESS and copies its token to the target process. Overwrites the current process token to gain SYSTEM privileges. Restores corrupted objects to avoid crashes.

This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. The module will trigger the vulnerability by crafting a Veeam.Backup.EsxManager.xmlFrameworkDs .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will execute system commands to deploy the agent.

This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin. This user is automatically suggested during the initial setup, but administrators may choose a different name. The exploit will only succeed if the username provided exists on the system. Successful exploitation provides full administrative access to the CrushFTP WebInterface. This exploit performs the following steps: 1. Authentication Bypass - Sends a request to the 'getUserList' endpoint (typically at /WebInterface/function/) using a crafted 'CrushAuth' cookie and 'Authorization' header. - If the server returns the list of users, the target is confirmed vulnerable. 2. User Enumeration - Parses the XML response to extract usernames and displays them in the module output. 3. Optional User Creation - If parameters new_username and new_userpass are provided, a new user is created via the setUserItem endpoint.

This module uses a message header injection vulnerability to deploy an agent in Apache Camel that will run with the same privileges as the webapp. First, this module will use the vulnerability to determine the underlying OS system and check if the target is vulnerable. If the underlying OS can be determined, then the target is assumed to be vulnerable and the vulnerability will be used again to deploy an agent.

The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Register a sync root and set its reparse point data Spray memory using WNF and ALPC Trigger the vulnerability to get an arbitrary write Overwrite the token privileges of current process Inject a new agent into an elevated process to run as SYSTEM

The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Initializes Native APIs by loading necessary Windows APIs for low-level operations Modifies the Registry to hijack WerFault.exe by setting a malicious Debugger key Locks Resources by creating lock files and manipulating registry keys to ensure uninterrupted execution Triggers the Vulnerability by calling ReportFault, forcing the Windows Error Reporting service to execute the malicious payload Escalates Privileges by executing arbitrary code with SYSTEM-level privileges through the hijacked WerFault.exe Cleans Up by removing traces like the Debugger key and temporary files to avoid detection.