This tool bypasses Mark of the Web (MotW) and SmartScreen in order to execute blocked files, which usually have been downloaded from the internet. It involves crafting LNK files that have non-standard target paths or internal structures. When clicked, these LNK files are rewritten by explorer.exe into the canonical format. This rewrite removes the MotW label before security checks are performed, so the blocked file executes without the usual warnings.
This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. First, the module will register an endpoint in the local webserver that will be used in the attack to send a serialized gadget to the target that will execute system commands to deploy the agent. Finally, it will trigger the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will force a POST HTTP request to the local webserver, which will, in turn, deliver the serialized gadget that will deploy the agent.
This exploit leverages an Information Disclosure vulnerability in Microsoft Outlook. By sending a mail that embeds a malicious path in an "img src" tag, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an SMB server. When the client opens Outlook, if the sender is on the trusted list, the client connects to the SMB server without any click and the NTLM user hashes are obtained. If the sender is not on the trusted list, the client must click on the attached link for the vulnerability to be exploited. This exploit does not install an agent; it obtains the NTLM hash of a legitimate user. Tools such as "John the Ripper" can then be used to attempt to recover the original password associated with the hash.
This module uses a directory traversal vulnerability to deploy an agent in Progress WhatsUp Gold that will run with the IIS APPPOOL\NmConsole user privileges. The module will launch a local webserver that will be used in the attack to send poisoned responses and to upload a webshell to the target. Then it will trigger the vulnerability via the /NmAPI/RecurringReport endpoint. Finally, it will brute-force the webshell name to find the one uploaded to the server, which will deploy an agent. The webshell will be saved in the "C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\Data\ExportedReports" directory of the target.
The vulnerability exists due to a size miscalculation error in an integer division within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow in the CCommandBuffer::Initialize method in dwmcore.dll and execute arbitrary code to install a Core Impact agent running as the DWM user with System integrity. This exploit checks whether the target is supported and unpatched: if the build is greater than or equal to 22631.3593, the target is patched; otherwise it proceeds to exploitation. It writes 3 files with random names to \Users\Public\Documents; the file names can be seen in the Module Log panel. It then performs two exploitation attempts, each starting by copying these files into the public documents folder mentioned above. After that, the exploit performs a heap spray on the DWM process to prepare memory and finally triggers the heap overflow in dwmcore.dll. Once exploitation is successful, the DWM process loads our DLL, which executes our Core Impact agent. When the exploit finishes, the files mentioned above are deleted.
The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: (1) get the kernel address of the current process token; (2) get the security information contained in the token using NtQueryInformationToken; (3) calculate the value address of the first token security attribute; (4) create a thread to win the race condition and enable privileges of the current process; (5) deploy an agent by creating a new elevated process using winlogon.exe as the parent process.
A directory traversal vulnerability in SolarWinds Serv-U FTP Server allows unauthenticated remote attackers to download system files. To take advantage of this vulnerability, a request is made using the InternalDir and InternalFile parameters; this triggers the directory traversal and allows an arbitrary file to be read. This module exploits the directory traversal to download the specified file and save it locally in the location given in the "OUTPUT PATH" parameter.
This module chains 2 vulnerabilities to deploy an agent in Progress Telerik Report Server that will run with root user privileges. The first vulnerability is an authentication bypass in the Telerik.ReportServer.Web.Controllers.StartupController.Register class. The second vulnerability is a .NET deserialization vulnerability in the Telerik.Reporting.XmlSerialization.XmlSerializer class. This module will use the first vulnerability to create a random user with the "System Administrator" role via the "/Startup/Register" endpoint and then log in to the application. Then, a report containing our payload will be uploaded via the "/api/reportserver/report" endpoint. Finally, the second vulnerability will be used to deploy an agent using the "/api/reports/clients" and "/api/reports/clients/clientID/parameters" endpoints. The deployed agent will run with the privileges of the "w3wp" process (TelerikReportServer instance - NT AUTHORITY\\SYSTEM).