An attacker who successfully exploited the vulnerability could elevate the integrity level from medium to high with Administrator privileges in two stages. First Stage: The first stage bug is a DLL Hijacking caused by the Drive Remapping of ROOT drive, allowing a MEDIUM INTEGRITY process to be elevated to limited HIGH PRIVILEGES, but without reach the complete privileges to be full Administrator. if the user belongs to the Local Administrators Group, it continues copying the necessary files to perform the exploitation, MsCtfMonitor.dll to the same folder when the agent runs, TAPI32.Manifest and imm32.dll containing the Impact agent to be deployed, are copied to system32\Tasks too. After that, It executes in memory the file sploit.obj that is the executable BOF to perform the first stage, which remaps the ROOT Drive using the NtCreateSymbolicLinkObject function, with that some Services are affected and will attempt to load libraries from the new fake user-controlled system32, in our case CTFMON tries to load the crafted MsCtfMonitor.dll from our fake controlled system32 folder, created by the BOF after remap, next, its DoMsCtfMonitor function is called and executes our code with HIGH INTEGRITY LEVEL with non Administrator privileges. Second Stage: MsCtfMonitor.dll, has the code to perform the Second Stage, it performs Activation Cache Poisoning registering the crafted TAPI32.Manifest placed in system32\Tasks for TAPI32.dll, After that executing tcmsetup.exe it loads tapi32.dll, and the fake manifest added to the Activation Cache loads the imm32.dll with the second phase Impact Agent to elevate to HIGH with full Administrator privileges. Additionally, a module to elevate from Administrator to System can be run as a post-exploitation module (disabled by default in Options).

This module exploits an improper privilege management in the AMD Radeon Graphics driver that allows an authenticated attacker to craft an IOCTL request to gain I/O control over virtual addresses resulting in a potential arbitrary code execution.

Oracle WebLogic Server is prone to a remote vulnerability that allows attackers to take advantage of a Java deserialization vulnerability. By exploiting known methods, the module establishes a remote connection to the RMI Registry and loads a UnicastRef Object. This manipulation allows for the execution of system commands, enabling remote code execution on the targeted host. The bypass technique involves changing the RMI interface type to java.rmi.activation.Activator.

This module exploits a path traversal vulnerability present in the accountID parameter of the doPost method of com.ilient.server.UserEntry class to deploy an agent. The vulnerability is used to upload a WAR file inside a subdirectory of the web server's root directory to deploy an agent. The deployed agent will run with the same privileges than the SysAid webapp.

This module exploits a path traversal vulnerability present in the accountID parameter of the doPost method of com.ilient.server.UserEntry class to deploy an agent. The vulnerability is used to upload a WAR file inside a subdirectory of the web server's root directory to deploy an agent. The deployed agent will run with the same privileges than the SysAid webapp.

This module exploits an elevation of privilege vulnerability exists due to the MS KS Server kernel module allow accessing memory out of bounds. The vulnerability could allows an attacker to run code with elevated privileges.

This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable or not to CVE-2023-22518 based on the inspection of the target's response.

This module exploits a Java deserialization vulnerability via Openwire protocol by sending a crafted payload as a throwable class type. The deployed agent will run with the same user account privileges as the Apache ActiveMQ application.

The mskssrv.sys driver before 10.0.22621.1 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted IOCTL requests and elevate system privileges.

This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the requestPreHandlingAllowed function, which doesn't enforce authentication in HTTP requests with a path that ends with /RPC2.