what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 10 of 10 RSS Feed

Files from OJ Reeves

First Active2013-11-14
Last Active2019-09-23
BlueKeep RDP Remote Windows Kernel Use-After-Free
Posted Sep 23, 2019
Authored by OJ Reeves, Sean Dillon, Brent Cook, Ryan Hanson | Site metasploit.com

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2019-0708
SHA-256 | 1aecbe52ce929c3de3a4cf90e7b8a03dc74a2a1edd4797fbc7bf61bee611bb3c
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
Posted Aug 22, 2017
Authored by b33f, OJ Reeves, Matt Nelson | Site metasploit.com

This Metasploit module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This Metasploit module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This Metasploit module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

tags | exploit, registry
systems | windows
SHA-256 | 5643c9d59dd3082682db29197c72dec6efcfecef92c481633dd466d8973ffddb
Microsoft SQL Server Clr Stored Procedure Payload Execution
Posted Feb 18, 2017
Authored by OJ Reeves, Lee Christensen, Nathan Kirk | Site metasploit.com

This Metasploit module executes an arbitrary native payload on a Microsoft SQL server by loading a custom SQL CLR Assembly into the target SQL installation, and calling it directly with a base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL Server. This method requires the user to have sufficient privileges to install a custom SQL CRL DLL, and invoke the custom stored procedure that comes with it. This exploit does not leave any binaries on disk. Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).

tags | exploit, arbitrary
SHA-256 | fe2d879dbdd0c10aa7ac5b9f21f78eea25748d38856209e0eae44eec747be7d8
Windows Escalate UAC Protection Bypass
Posted Dec 2, 2016
Authored by Matt Graeber, OJ Reeves, Matt Nelson | Site metasploit.com

This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

tags | exploit, shell, registry
systems | windows
SHA-256 | 9f324275d7747e6056b99457eba72507d809e7fdc4d2bbdb300c55c482595517
Windows Capcom.sys Kernel Execution Exploit (x64 only)
Posted Oct 3, 2016
Authored by OJ Reeves, TheWack0lian | Site metasploit.com

This Metasploit module abuses the Capcom.sys kernel driver's function that allows for an arbitrary function to be executed in the kernel from user land. This function purposely disables SMEP prior to invoking a function given by the caller. This has been tested on Windows 7 x64.

tags | exploit, arbitrary, kernel
systems | windows
SHA-256 | 1cee469e5e571383c0f9e5e97edee2bf63d77321f66855763160c9ef70f4275d
AppLocker Execution Prevention Bypass
Posted Mar 3, 2016
Authored by OJ Reeves, Casey Smith | Site metasploit.com

This Metasploit module will generate a .NET service executable on the target and utilise InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be added easily.

tags | exploit
SHA-256 | 9e35d2c51bee68e833236242c3adb8dc69a463ea689029ae6f66814719a27cca
Microsoft Windows ClientCopyImage Improper Object Handling
Posted Jun 22, 2015
Authored by temp66, OJ Reeves, hfirefox | Site metasploit.com

This Metasploit module exploits improper object handling in the win32k.sys kernel mode driver. This Metasploit module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

tags | exploit, x86, kernel
systems | windows
advisories | CVE-2015-1701
SHA-256 | 1b4009bd1a5cf1594526be1c3c92cca6c5d12b793c2e559d0e4e7218d3be8242
Seagate Business NAS Unauthenticated Remote Command Execution
Posted Mar 2, 2015
Authored by OJ Reeves | Site metasploit.com

Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This Metasploit module has been tested on the STBN300 device.

tags | exploit, local, php
advisories | CVE-2014-8684, CVE-2014-8686, CVE-2014-8687
SHA-256 | 0487fb38d28fb3a16f1e6da5666a62aa264281d650c6fa4c8f45c8249d44e294
Seagate Business NAS 2014.00319 Remote Code Execution
Posted Mar 1, 2015
Authored by OJ Reeves

Seagate Business NAS versions 2014.00319 and below suffer from a pre-authentication remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2014-8687
SHA-256 | 04e4ec1dd7006778a46d2aa1f5a5ce11de00768fdac6d7d4e4a193fa3100d616
Windows SYSTEM Escalation Via KiTrap0D
Posted Nov 14, 2013
Authored by H D Moore, Pusscat, Tavis Ormandy, OJ Reeves | Site metasploit.com

This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

tags | exploit, x86
systems | windows
advisories | CVE-2010-0232, OSVDB-61854
SHA-256 | b61f14f2873aa1c647ab01600db74d813ae4c68913ed531266fd588ac8aff25a
Page 1 of 1

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By