A vulnerability in Microsoft's implementation of the Kerberos authentication protocol allows to modify a Kerberos ticket to remotely escalate privileges. This module exploits the vulnerability impersonating a user of the domain's Administrators group to install an agent in the domain controller with System privileges.



This update introduces the option to use NTLM hashes for authentication and Network RPT-AP integration.

The specific flaw exists within the PocketNetNVRMediaClientAxCtrl.NVRMediaViewer.1 control. The SaveCurrentImageEx method copies an attacker provided filename into a fixed size buffer.

This module abuses a design flaw in the way Microsoft Windows implements a UAC whitelist. The flaw could allow a process running with Medium Integrity to elevate itself to High Integrity without a UAC prompt when the process is run from an account in the administrators group.

This module exploits a vulnerability in "schannel.dll" by sending a crafted certificate packet to the "Internet Information Services" server via TLS protocol producing a heap overflow in the critical LSASS Windows process.



This update reduces the time of the target exploitation.

Besides, all targets supported are added in the documentation.

A use after free vulnerability exists in Internet Explorer. The vulnerability is due to accessing a freed CInput object in memory.



A remote attacker could exploit this vulnerability by enticing the target user to open a malicious web page. In the case of successful exploitation, arbitrary attacker code would be executed in the security context of the target user.

This module exploits a vulnerability in "schannel.dll" by sending a crafted certificate packet to the "Internet Information Services" server via TLS protocol producing a heap overflow in the critical LSASS Windows process.



WARNING: This is an early release module. This is not the final version of this module. It is a pre-released versionin order to deliver a module as quickly as possible to our customers that may be useful in some situations. Since this module is not the final version it may contain bugs or have limited functionality and may not have complete or accurate documentation.

The specific flaw exists within the Connect method in webeye.ocx module.The control does not check the length of an attacker-supplied string in the Connect method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.

ADAMView is prone to a buffer overflow when handling specially crafted GNI files

An integer overflow in OLE allows remote code execution. This update contains a module exploiting the vulnerability by hosting a web site and epxloiting connecting Internet Explorer browsers.

Eudora Qualcomm WorldMail IMAPd Service is prone to a buffer overflow SEH gets overwritten when using UID command.