what you don't know can hurt you
Showing 1 - 11 of 11 RSS Feed

Files from bwatters-r7

First Active2018-07-13
Last Active2020-09-28
Microsoft Windows Update Orchestrator Unchecked ScheduleWork Call
Posted Sep 28, 2020
Authored by Imre Rad, bwatters-r7 | Site metasploit.com

This Metasploit module exploit uses access to the UniversalOrchestrator ScheduleWork API call which does not verify the caller's token before scheduling a job to be run as SYSTEM. You cannot schedule something in a given time, so the payload will execute as system sometime in the next 24 hours.

tags | exploit
advisories | CVE-2020-1313
MD5 | 58a0c7691e25387d090e181d07ae360d
Microsoft Spooler Local Privilege Elevation
Posted Sep 17, 2020
Authored by bwatters-r7, shubham0d, Yarden Shafir, Alex Ionescu | Site metasploit.com

This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

tags | exploit
advisories | CVE-2020-1048
MD5 | dfa46dafd7f5bbc3e8f526a18d5976b2
Service Tracing Privilege Escalation
Posted May 8, 2020
Authored by bwatters-r7, itm4n | Site metasploit.com

This Metasploit module leverages a trusted file overwrite with a dll hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.

tags | exploit
systems | windows
advisories | CVE-2020-0668
MD5 | 516baab41d9288815d39cc0f80df1826
Docker-Credential-Wincred.exe Privilege Escalation
Posted Apr 27, 2020
Authored by bwatters-r7, Morgan Roman | Site metasploit.com

This Metasploit module exploit leverages a vulnerability in Docker Desktop Community Edition versions prior to where an attacker can write a payload to a lower-privileged area to be executed automatically by the docker user at login.

tags | exploit
advisories | CVE-2019-15752
MD5 | 73cfc43671ac78dd1408929cc81132f0
Microsoft UPnP Local Privilege Elevation
Posted Dec 18, 2019
Authored by bwatters-r7, hoangprod, NCC Group | Site metasploit.com

This Metasploit module exploits two vulnerabilities to execute a command as an elevated user. The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to NT AUTHORITY\LOCAL SERVICE. The second (CVE-2019-1322) leverages the Update Orchestrator Service to elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.

tags | exploit, local, vulnerability
advisories | CVE-2019-1322, CVE-2019-1405
MD5 | 8771710762dc8716de0e038c77c98625
Windows Escalate UAC Protection Bypass Via Dot Net Profiler
Posted Nov 19, 2019
Authored by Stefan Kanthak, Casey Smith, bwatters-r7 | Site metasploit.com

Microsoft Windows allows for the automatic loading of a profiling COM object during the launch of a CLR process based on certain environment variables ostensibly to monitor execution. In this case, the authors abuse the profiler by pointing to a payload DLL that will be launched as the profiling thread. This thread will run at the permission level of the calling process, so an auto-elevating process will launch the DLL with elevated permissions. In this case, they use gpedit.msc as the auto-elevated CLR process, but others would work, too.

tags | exploit
systems | windows
MD5 | 465589077d4444936024dfe8a99d25c1
Windows Escalate UAC Protection Bypass
Posted Nov 18, 2019
Authored by enigma0x3, bwatters-r7 | Site metasploit.com

This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Windows backup and restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked.

tags | exploit, shell, registry
systems | windows
MD5 | 4f1cab9439a2a2fee0bb0c73a655df7d
Microsoft Windows Silent Process Exit Persistence
Posted Oct 5, 2019
Authored by bwatters-r7, Mithun Shanbhag | Site metasploit.com

This Metasploit module uploads a payload and declares that it is the debug process to launch when a specified process exits.

tags | exploit
MD5 | f082809fe67aa161ddba42a5e4eda1db
Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) And Registry
Posted Sep 5, 2019
Authored by bwatters-r7, sailay1996, ACTIVELabs | Site metasploit.com

This Metasploit module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a privileged user.

tags | exploit, registry
systems | windows
MD5 | d470c356d7562ece1d5652e2d264a075
Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
Posted Sep 22, 2018
Authored by Jacob Robles, bwatters-r7, SandboxEscaper, asoto-r7 | Site metasploit.com

On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to .job files located in c:\windows\tasks because the scheduler does not use impersonation when checking this location. Since users can create files in the c:\windows\tasks folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file. WARNING: The PrintConfig.dll (%windir%\system32\driverstor\filerepository\prnms003*) on the target host will be overwritten when the exploit runs. This Metasploit module has been tested against Windows 10 Pro x64.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-8440
MD5 | 75182edcb972e293d73fef17dd332fcc
Microsoft Windows POP/MOV SS Local Privilege Elevation
Posted Jul 13, 2018
Authored by Nick Peterson, can1357, bwatters-r7, Nemanja Mulasmajic | Site metasploit.com

This Metasploit module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS. This Metasploit module will upload the pre-compiled exploit and use it to execute the final payload in order to gain remote code execution.

tags | exploit, remote, kernel, code execution
advisories | CVE-2018-8897
MD5 | b8b99ed8f1e3a142c6687c6ea9be2219
Page 1 of 1

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By