CVE-2020-1170

Related Files

Cloud Filter Arbitrary File Creation / Privilege Escalation

Posted Jan 12, 2021

Authored by Grant Willcox, James Foreshaw | Site metasploit.com

This Metasploit module exploits a vulnerability in cldflt.sys. The Cloud Filter driver on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.

tags | exploit, code execution

systems | windows

advisories | CVE-2020-1170, CVE-2020-17136

SHA-256 | 5bdffeb4ef0091f8099814e9f3a61b1346960497efc651c7566901fb62b98d96

Download | Favorite | View

SpamTitan 7.07 Remote Code Execution

Posted Sep 18, 2020

Authored by Felipe Molina

SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.

tags | exploit, remote, code execution

advisories | CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804

SHA-256 | 4234f62e0c44c2e3dad423c5cc769129588ffafbed80a16f8610281916cc3da9

Download | Favorite | View