all things security
Showing 1 - 9 of 9 RSS Feed

Files from OJ Reeves

First Active2013-11-14
Last Active2017-08-22
Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
Posted Aug 22, 2017
Authored by b33f, OJ Reeves, Matt Nelson | Site

This Metasploit module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This Metasploit module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This Metasploit module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

tags | exploit, registry
systems | windows
MD5 | 73fea9d04345bcd15b0dc980da1ce0e1
Microsoft SQL Server Clr Stored Procedure Payload Execution
Posted Feb 18, 2017
Authored by OJ Reeves, Lee Christensen, Nathan Kirk | Site

This Metasploit module executes an arbitrary native payload on a Microsoft SQL server by loading a custom SQL CLR Assembly into the target SQL installation, and calling it directly with a base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL Server. This method requires the user to have sufficient privileges to install a custom SQL CRL DLL, and invoke the custom stored procedure that comes with it. This exploit does not leave any binaries on disk. Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).

tags | exploit, arbitrary
MD5 | 7d355ecabdfa09d1d996db5144b1f183
Windows Escalate UAC Protection Bypass
Posted Dec 2, 2016
Authored by Matt Graeber, OJ Reeves, Matt Nelson | Site

This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

tags | exploit, shell, registry
systems | windows
MD5 | e6e7b2e95e14423e3c1de3ad6c4d3284
Windows Capcom.sys Kernel Execution Exploit (x64 only)
Posted Oct 3, 2016
Authored by OJ Reeves, TheWack0lian | Site

This Metasploit module abuses the Capcom.sys kernel driver's function that allows for an arbitrary function to be executed in the kernel from user land. This function purposely disables SMEP prior to invoking a function given by the caller. This has been tested on Windows 7 x64.

tags | exploit, arbitrary, kernel
systems | windows, 7
MD5 | 2fe53284a42eaf97cc8143bd7230cf49
AppLocker Execution Prevention Bypass
Posted Mar 3, 2016
Authored by OJ Reeves, Casey Smith | Site

This Metasploit module will generate a .NET service executable on the target and utilise InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be added easily.

tags | exploit
MD5 | 7f55b4106a8b20e51087a5effc89a0c3
Microsoft Windows ClientCopyImage Improper Object Handling
Posted Jun 22, 2015
Authored by temp66, OJ Reeves, hfirefox | Site

This Metasploit module exploits improper object handling in the win32k.sys kernel mode driver. This Metasploit module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

tags | exploit, x86, kernel
systems | windows, 7
advisories | CVE-2015-1701
MD5 | 2f0aec917a34229f17599d68939b21dc
Seagate Business NAS Unauthenticated Remote Command Execution
Posted Mar 2, 2015
Authored by OJ Reeves | Site

Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This Metasploit module has been tested on the STBN300 device.

tags | exploit, local, php
advisories | CVE-2014-8684, CVE-2014-8686, CVE-2014-8687
MD5 | d6d14184d0e621b49bae1f4a02d3abe9
Seagate Business NAS 2014.00319 Remote Code Execution
Posted Mar 1, 2015
Authored by OJ Reeves

Seagate Business NAS versions 2014.00319 and below suffer from a pre-authentication remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2014-8687
MD5 | e35f6f3a56acd35bddcaaae52d7922da
Windows SYSTEM Escalation Via KiTrap0D
Posted Nov 14, 2013
Authored by H D Moore, Pusscat, Tavis Ormandy, OJ Reeves | Site

This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

tags | exploit, x86
systems | windows
advisories | CVE-2010-0232, OSVDB-61854
MD5 | 684211c5a525c2bc561700bd9d39783b
Page 1 of 1

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2016 Packet Storm. All rights reserved.

Security Services
Hosting By