The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. The steps performed by the exploit are: Create a crafted BLF file Trigger the vulnerability to get an arbitrary read/write primitive Get SYSTEM privileges by replacing the current process token
CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate system privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under selected path. Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF. Create a fake CClfsContainer object with a fake vtable that points to the address of nt!PoFxProcessorNotification. Write additional data in the allocated memory region such as the address of nt!DbgkpTriageDumpRestoreState and the address of _KTHREAD.PreviousMode of the current thread. Call again CreateLogFile(). When the PoC invokes CreateLogFile() on the malicious BLF the driver does the following at kernel level: Dereference the malicious CClfsContainer object at address 0x0000000002100000. Call nt!PoFxProcessorNotification. nt!PoFxProcessorNotification redirects the execution flow to nt!DbgkpTriageDumpRestoreState. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of 8 bytes (already discussed here). In this case it is exploited to overwrite the _KTHREAD.PreviousMode to 0 of the current thread, granting us arbitrary read/write primitives. Issue a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4). Restore _KTHREAD.PreviousMode to 1 with a final NtWriteVirtualMemory()
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Spray the memory with data queue entries Trigger the vulnerability to overwrite the victim data entry Leak adjacent pool memory and bypass KASLR Forge a data queue entry to get an arbitrary memory read Leak the address of the current process token Leak the address of the SYSTEM process token Create a new data queue entry and leak its IRP Forge an IRP and the data queue entry Read 1 byte to trigger the arbitrary write and get SYSTEM privileges
Afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management, where a temporary reference counter increment is improperly handled, leading to use-after-free scenarios. This occurs when accessing registered buffers for send/receive operations. The steps performed by the exploit are: Creates corrupt kernel structures Gets arbitrary read/write primitives Steals token for privilege escalation Restores system state Creates a new agent process running as SYSTEM
This exploit leverages an Information Disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, it connects to the HTTP server and obtains the NTLM user hashes. This exploit does not install an agent, it manages to obtain the NTLM hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Get kernel address of nt!SeDebugPrivilege Create a new thread to win the race condition Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege Create a new process running the agent as SYSTEM
The Windows streaming driver (ks.sys) has a design vulnerability which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Opens an audio device with read/write access. Gets the memory address of a kernel object associated with a process, to access its details in kernel space. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations. Gets the base address of a kernel module (ntoskrnl.exe), necessary for locating functions within kernel space. Computes the address of a gadget in the kernel for use in memory manipulation operations. Writes data to a specific memory address, allowing the system's memory space to be modified. Changes the current process token to gain system privileges Restores the thread mode to avoid BSOD
Subscribe to Windows