The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Spray the memory with data queue entries Trigger the vulnerability to overwrite the victim data entry Leak adjacent pool memory and bypass KASLR Forge a data queue entry to get an arbitrary memory read Leak the address of the current process token Leak the address of the SYSTEM process token Create a new data queue entry and leak its IRP Forge an IRP and the data queue entry Read 1 byte to trigger the arbitrary write and get SYSTEM privileges
Afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management, where a temporary reference counter increment is improperly handled, leading to use-after-free scenarios. This occurs when accessing registered buffers for send/receive operations. The steps performed by the exploit are: Creates corrupt kernel structures Gets arbitrary read/write primitives Steals token for privilege escalation Restores system state Creates a new agent process running as SYSTEM
This exploit leverages an Information Disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, it connects to the HTTP server and obtains the NTLM user hashes. This exploit does not install an agent, it manages to obtain the NTLM hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER['argv']`, which can be manipulated through URLs when this option is enabled. This module exploits this vulnerability sending a special request to 'cmd_realtime.php' that sets $_SERVER['argv'] into an os command.
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Get kernel address of nt!SeDebugPrivilege Create a new thread to win the race condition Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege Create a new process running the agent as SYSTEM
The Windows streaming driver (ks.sys) has a design vulnerability which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Opens an audio device with read/write access. Gets the memory address of a kernel object associated with a process, to access its details in kernel space. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations. Gets the base address of a kernel module (ntoskrnl.exe), necessary for locating functions within kernel space. Computes the address of a gadget in the kernel for use in memory manipulation operations. Writes data to a specific memory address, allowing the system's memory space to be modified. Changes the current process token to gain system privileges Restores the thread mode to avoid BSOD
The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Discover an exploit primitive Perform heap feng shui to come up with a memory layout Allocate enough "GOLD" objects using the GetUIDllName function Free some of them to create some holes using the FreeDiagInstance function Allocate a worker "GOLD" object to trigger the use-after-free vulnerability Delete the "RequestMakeCall" key value and create a REG_BINARY type key with controlled content. Then, I allocate some key value heaps to ensure they occupy the hole left by the worker object XFG mitigation