what you don't know can hurt you
Showing 1 - 10 of 10 RSS Feed

Files from Grant Willcox

First Active2020-05-08
Last Active2021-11-10
Win32k NtGdiResetDC Use-After-Free / Local Privilege Escalation
Posted Nov 10, 2021
Authored by Grant Willcox, KaLendsi, ly4k, Costin Raiu, Boris Larin, Red Raindrop Team, IronHusky | Site metasploit.com

A use after free vulnerability exists in the NtGdiResetDC() function of Win32k which can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists due to the fact that this function calls hdcOpenDCW(), which performs a user mode callback. During this callback, attackers can call the NtGdiResetDC() function again with the same handle as before, which will result in the PDC object that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle with their own object, before passing execution back to the original NtGdiResetDC() call, which will now use the attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM. This Metasploit module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions of Windows 10 will likely also work.

tags | exploit, kernel, code execution
systems | windows
advisories | CVE-2021-40449
MD5 | 98ae62353bf31ba68e3677a972b003c7
Linux eBPF ALU32 32-bit Invalid Bounds Tracking Local Privilege Escalation
Posted Sep 1, 2021
Authored by Grant Willcox, chompie1337, Manfred Paul | Site metasploit.com

Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions the bounds of a 32 bit register would not be properly updated. This can be abused by attackers to conduct an out of bounds read and write in the Linux kernel and therefore achieve arbitrary code execution as the root user. The target system must be compiled with eBPF support and not have kernel.unprivileged_bpf_disabled set, which prevents unprivileged users from loading eBPF programs into the kernel. Note that if kernel.unprivileged_bpf_disabled is enabled this module can still be utilized to bypass protections such as SELinux, however the user must already be logged as a privileged user such as root.

tags | exploit, arbitrary, kernel, root, code execution
systems | linux
advisories | CVE-2021-3490
MD5 | 6ead3e5e5296fe145b5eb92da7ae8088
Lexmark Driver Privilege Escalation
Posted Aug 12, 2021
Authored by Jacob Baines, Shelby Pace, Grant Willcox | Site metasploit.com

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

tags | exploit
systems | windows
advisories | CVE-2021-35449
MD5 | fa589c6c0ea85ac7dbfa21e40d851085
Atlassian Crowd pdkinstall Remote Code Execution
Posted Aug 12, 2021
Authored by Paul, Corben Leo, Grant Willcox | Site metasploit.com

This Metasploit module can be used to upload a plugin on Atlassian Cloud via the pdkinstall development plugin as an unauthenticated attacker. The payload is uploaded as a JAR archive containing a servlet using a POST request to /crowd/admin/uploadplugin.action. The check command will check that the /crowd/admin/uploadplugin.action page exists and that it responds appropriately to determine if the target is vulnerable or not.

tags | exploit
advisories | CVE-2019-11580
MD5 | 16f0e230530e4dfd17370d54fb9b5f33
IPFire 2.25 Remote Code Execution
Posted Jun 15, 2021
Authored by Grant Willcox, Mucahit Saratar | Site metasploit.com

This Metasploit module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.

tags | exploit, web, arbitrary, cgi, root
advisories | CVE-2021-33393
MD5 | 69d36ee1b60ffec6d31a6ebc94e2dc1e
Google Chrome XOR Typer Out-Of-Bounds Access / Remote Code Execution
Posted May 3, 2021
Authored by Niklas Baumstark, Grant Willcox, Rajvardhan Agarwal, Bruno Keith | Site metasploit.com

This Metasploit module exploits an issue in the V8 engine on x86_x64 builds of Google Chrome versions prior to 89.0.4389.128/90.0.4430.72 when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute arbitrary code within the context of the V8 process. As the V8 process is normally sandboxed in the default configuration of Google Chrome, the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, arbitrary, javascript
advisories | CVE-2021-21220
MD5 | 63f07081f5cf627d484d2e1962bd0302
VMware View Planner 4.6 Remote Code Execution
Posted Mar 19, 2021
Authored by wvu, Grant Willcox, Mikhail Klyuchnikov | Site metasploit.com

This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.

tags | exploit, remote, code execution, file upload
advisories | CVE-2021-21978
MD5 | fdf94c86e405a2eb33104f6978f68b72
HPE Systems Insight Manager AMF Deserialization Remote Code Execution
Posted Mar 9, 2021
Authored by Harrison Neal, Grant Willcox, Jang | Site metasploit.com

A remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight Manager's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due to a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain remote code execution as the administrative user running HPE SIM.

tags | exploit, remote, code execution
advisories | CVE-2020-7200
MD5 | cf8674aaae2451fb617daa09623805e0
Cloud Filter Arbitrary File Creation / Privilege Escalation
Posted Jan 12, 2021
Authored by Grant Willcox, James Foreshaw | Site metasploit.com

This Metasploit module exploits a vulnerability in cldflt.sys. The Cloud Filter driver on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

tags | exploit, code execution
systems | windows
advisories | CVE-2020-1170, CVE-2020-17136
MD5 | a3096153d5abb79b42ddbd4fd922a273
Microsoft Windows NtUserMNDragOver Local Privilege Escalation
Posted May 8, 2020
Authored by Clement LECIGNE, timwr, Grant Willcox | Site metasploit.com

This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.

tags | exploit, x86
systems | windows, 7
advisories | CVE-2019-0808
MD5 | e65eeb8c736544fe952269396a557f62
Page 1 of 1

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    7 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By