This Metasploit module exploit BITS behavior which tries to connect to the local Windows Remote Management server (WinRM) every times it starts. The module launches a fake WinRM server which listen on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the Rogue WinRM server, which allows to steal a SYSTEM token. This token is then used to launch a new process as SYSTEM user. In the case of this exploit, notepad.exe is launched as SYSTEM. Then, it writes shellcode in its previous memory space and trigger its execution. As this exploit uses reflective dll injection, it does not write any file on the disk. Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running. Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior.
c3736b57f1257197d426a69fdf409d38Backdoor.Win32.Zombam.k malware suffers from a remote string dereference stack buffer overflow vulnerability.
05421fbc3ad7da507f99f68ed1a1e1a0BACKDOOR.WIN32.BNLITE malware suffers from a remote heap corruption vulnerability.
1350fe87125f382e8b464f50e1026574TROJAN.WIN32.JORIK.DMSPAMMER.SZ malware suffers from a remote memory corruption vulnerability.
55fd186c4f2c6e538578030ac38957e3HEUR.RISKTOOL.WIN32.BITMINER.GEN malware suffers from a null pointer vulnerability.
601917f8df7d6350a3eb11666ce5459cBackdoor.Win32.Zombam.j malware suffers from a remote stack buffer overflow vulnerability.
182a0fbbaac8073813086e67cf27b8adBACKDOOR.WIN32.REMOTEMANIPULATOR malware suffers from an insecure permissions vulnerability.
7864c5aeb2b19a8922a5abecf439eba2BACKDOOR.WIN32.ADVERBOT malware suffers from a remote stack corruption vulnerability.
7f28cc1158eba60a0170ed99309f564fTrojan:Win32/Alyak.B malware suffers from a remote stack corruption vulnerability.
06f8543da6c6582b57fde48c8e24b0a6Email-Worm.Win32.Zhelatin.ago malware suffers from a remote stack buffer overflow vulnerability.
8bd0a581f8bc5944d334d3e2733b636fTrojan.Win32.Bayrob.cgau malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.
846139c1b2a63ba6cc03a4216d4531c4Trojan.Win32.Barjac malware suffers from a remote stack buffer overflow vulnerability.
de7ba11ed626c2d3eb52927ed32f9e6bBackdoor.Win32.Infexor.b malware suffers from a remote SEH stack buffer overflow vulnerability.
9660441017edea19845ef376e2a1e070Win32 backdoor 2019-02-ARTRADOWNLOADER suffers from a remote SEH buffer overflow vulnerability.
48de69aab1ed6bfc5fd14563a697a420Trojan.Win32.Antavka.bz malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.
e6caa6b4d13212a574220913e5388693Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.
cf35d1413e7e3b1429ac7f12c823ccd4This Metasploit module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx within win32k. The out of bounds write can be used to overwrite the pvbits of a SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows.
a2dcd90d07d8ceca312311ee5cfc7a43Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.
62304df45b3c6b7825a09cbb1793906eThe Microsoft Windows WOF filter driver does not correctly handle the reparse point setting which allows for an arbitrary file to be cached signed leading to a bypass of UMCI.
6ef17e92e2a41526202eea6e0a2e23cbThe Microsoft Windows Cloud Filter HsmOsBlockPlaceholderAccess function allows a user to create arbitrary registry keys in the .DEFAULT users hive leading to elevation of privilege.
1dedadce5dfb6b98c3be28c5271c765bThe Microsoft Windows Cloud Filter access check does not take into account restrictions such as Mandatory Labels allowing a user to bypass security checks.
294319a3f3e1683a3a6a445f71aca87bThe Microsoft Windows Cloud Filter driver can be abused to create arbitrary files and directories leading to elevation of privilege.
f7cc7661ed092a8d29bb9c6c8f666a6eDruva inSync Windows Client version 6.6.3 suffers from a local privilege escalation vulnerability.
ca5c63a167b7f2e6b4df5a18b94a5e30This Metasploit module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. Warning! Multiple sessions may be created by exploiting this vuln.
5405ea15491baee8139d2505e9a04d02There is an out-of bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosing the memory of the affected process. All applications that use Windows Image Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.
1ea2260b2783f8f68dc9be4f978b3561
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed