This Metasploit module exploits a BITS behavior: every time it starts, BITS tries to connect to the local Windows Remote Management (WinRM) server. The module launches a fake WinRM server listening on port 5985 and then triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allows a SYSTEM token to be stolen. This token is then used to launch a new process as the SYSTEM user; in the case of this exploit, notepad.exe is launched as SYSTEM. The module then writes shellcode into that process's memory space and triggers its execution. Because the exploit uses reflective DLL injection, it does not write any file to disk. Vulnerable operating systems are Windows 10 and Windows Server where WinRM is not running. Lab experiments have shown that Windows 7 does not exhibit the vulnerable behavior.
c3736b57f1257197d426a69fdf409d38
Backdoor.Win32.Zombam.k malware suffers from a remote string dereference stack buffer overflow vulnerability.
05421fbc3ad7da507f99f68ed1a1e1a0
BACKDOOR.WIN32.BNLITE malware suffers from a remote heap corruption vulnerability.
1350fe87125f382e8b464f50e1026574
TROJAN.WIN32.JORIK.DMSPAMMER.SZ malware suffers from a remote memory corruption vulnerability.
55fd186c4f2c6e538578030ac38957e3
HEUR.RISKTOOL.WIN32.BITMINER.GEN malware suffers from a null pointer vulnerability.
601917f8df7d6350a3eb11666ce5459c
Backdoor.Win32.Zombam.j malware suffers from a remote stack buffer overflow vulnerability.
182a0fbbaac8073813086e67cf27b8ad
BACKDOOR.WIN32.REMOTEMANIPULATOR malware suffers from an insecure permissions vulnerability.
7864c5aeb2b19a8922a5abecf439eba2
BACKDOOR.WIN32.ADVERBOT malware suffers from a remote stack corruption vulnerability.
7f28cc1158eba60a0170ed99309f564f
Trojan:Win32/Alyak.B malware suffers from a remote stack corruption vulnerability.
06f8543da6c6582b57fde48c8e24b0a6
Email-Worm.Win32.Zhelatin.ago malware suffers from a remote stack buffer overflow vulnerability.
8bd0a581f8bc5944d334d3e2733b636f
Trojan.Win32.Bayrob.cgau malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.
846139c1b2a63ba6cc03a4216d4531c4
Trojan.Win32.Barjac malware suffers from a remote stack buffer overflow vulnerability.
de7ba11ed626c2d3eb52927ed32f9e6b
Backdoor.Win32.Infexor.b malware suffers from a remote SEH stack buffer overflow vulnerability.
9660441017edea19845ef376e2a1e070
Win32 backdoor 2019-02-ARTRADOWNLOADER suffers from a remote SEH buffer overflow vulnerability.
48de69aab1ed6bfc5fd14563a697a420
Trojan.Win32.Antavka.bz malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.
e6caa6b4d13212a574220913e5388693
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.
cf35d1413e7e3b1429ac7f12c823ccd4
This Metasploit module exploits CVE-2020-1054, an out-of-bounds write reachable from DrawIconEx within win32k. The out-of-bounds write can be used to overwrite the pvbits of a SURFOBJ. By using this vulnerability to perform controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against a fully updated Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows.
a2dcd90d07d8ceca312311ee5cfc7a43
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.
62304df45b3c6b7825a09cbb1793906e
The Microsoft Windows WOF filter driver does not correctly handle the reparse point setting, which allows an arbitrary file to be cached as signed, leading to a bypass of UMCI.
6ef17e92e2a41526202eea6e0a2e23cb
The Microsoft Windows Cloud Filter HsmOsBlockPlaceholderAccess function allows a user to create arbitrary registry keys in the .DEFAULT user's hive, leading to elevation of privilege.
1dedadce5dfb6b98c3be28c5271c765b
The Microsoft Windows Cloud Filter access check does not take into account restrictions such as Mandatory Labels, which allows a user to bypass security checks.
294319a3f3e1683a3a6a445f71aca87b
The Microsoft Windows Cloud Filter driver can be abused to create arbitrary files and directories leading to elevation of privilege.
f7cc7661ed092a8d29bb9c6c8f666a6e
Druva inSync Windows Client version 6.6.3 suffers from a local privilege escalation vulnerability.
ca5c63a167b7f2e6b4df5a18b94a5e30
This Metasploit module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. Warning! Multiple sessions may be created by exploiting this vulnerability.
5405ea15491baee8139d2505e9a04d02
There is an out-of-bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosure of the memory of the affected process. All applications that use Windows Imaging Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.
1ea2260b2783f8f68dc9be4f978b3561