SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. This exploit leverages this vulnerability as described in MS17-010.
a8aa061521a024a2681c43faf9e0f6857ab4aabefda62ecf82da7a024aea3165
This archive contains three proof of concept exploits for multiple Microsoft SharePoint remote code execution vulnerabilities.
d80ffcbe99aa73f58e248f00ca3af5b3281e817bc026be01942991e895b4530a
Microsoft Office OneNote 2007 proof of concept exploit for a OnePKG file parsing remote code execution vulnerability. Upon decompressing files from .ONEPKG archives (using MS CAB format), a failure to sanitize file paths and file contents allows for arbitrary file planting in arbitrary locations on the OS, including the startup folder.
a2e1f0872cb6d8139581f87f3c37e90d1829d74bca8d610a3d0ffadd03dd7e9d
This article discusses the CVE-2021-40444 vulnerability and an alternative path that reduces the lines of JS code to trigger the issue and does not require CAB archives.
78527c30f8b16f6de1e16c3cf93b1aaa4506bde934637509d7046e6e1fd8681b
The way Microsoft Windows implements file security appears to have some significant shortcomings.
1a9d53b83691e86720f4c510191f9bc7a7352b1a697239a933f41958c7ec6982
This post outlines multiple unsafe practices in Microsoft Windows that can allow for local privilege escalation.
4bc0ba08bfeebdf7043e5c7d7060e65bdb0c48ca36fa23fc83ebabb77e5ff80d
Microsoft Windows VCF or Contact file URL manipulation arbitrary code execution proof of concept exploit. Tested on Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019. Both x86 and x64 architectures were tested.
4bab944a0b17daf7f0d90da83593812093fe9831c9e83e778ca90dee2aeb3463
Microsoft Windows suffers from an ADODB.Record object file overwrite vulnerability. The password for the proof of concept zip is adorecord.
fa5ba9f3b0a03d61eb7be0c60781151047f183df16df52d8cab904fdcd2cc159
Microsoft FxCop versions 10 through 12 are vulnerable to XML injection attacks allowing local file exfiltration and/or NTLM hash theft. Tested on Windows 7 and Windows 10 with the downloaded SDK; it works on both.
529e37622cb8b9a8c7ff1df46c0f23167d4d261569eec1722cd310507eb17b47
Microsoft Windows Game Definition File Editor (GDFMaker) version 6.3.9600.16384 suffers from an XML external entity injection vulnerability.
10f87d3d1b9071caa4665070b4aa0e2d5a5dea176d6602bf53f8a85c7ceff9c0
Microsoft WinDbg LogViewer suffers from a buffer overflow vulnerability.
1c4009ae60cc99ec2786c5b4bb9836307ec62ca9a24d5bf59d16032df030d64d
Microsoft Process Kill Utility version 6.3.9600.17298 suffers from a buffer overflow vulnerability.
fe8956579c433f72dc5914f352073030cad01f6b25eff7ecf0a383053bb2b274
This Metasploit module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user-provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This Metasploit module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work, the "Routing and Remote Access" service must be running on the target system.
6dc1df60dff4c2b60d7508a57233b6b3e7f565f218bceb0acc2a53045b172ce0
This Metasploit module exploits a stack overflow in Microsoft Visual Basic 6.0. When a specially crafted .vbp file containing a long reference line is opened, an attacker may be able to execute arbitrary code.
6e374c5188f5608083cbab9fb2401659c976e19fb28d2bb839bd2373dbb1a54e
This Metasploit module exploits a stack overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary code.
56b52c8f83d0a22f5e67d717396bd5fe41cbe970d924fc937c14e7521ff8ee80
This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This Metasploit module has only been tested against Windows 2000 SP1.
0e561c8f11c38a6ebd0de7aa176eab37b866399106f3bb7dd08428cdcb0ccc69
Microsoft Speech API ActiveX control remote buffer overflow exploit for WinXP SP2.
9831ecdc3136c5ebcd838861c5051d81e53598094f8c0de11e0426cf26fe916a
Microsoft Speech API ActiveX control remote buffer overflow exploit for Win2k SP4.
4e8e2cfc8860f5b749fc21be1eb6f974459d23a7bb2b6fe42476964ef495ba24
Microsoft Word exploit that produces a .doc file that demonstrates a memory access violation. Affected are versions 2003, 2002, 2000.
b0cfb3e8375c4af5f551d8e0b66b9c572d830bae8db6cdfa5abad1876a3df85a
The Microsoft DNS resolver hardcodes many hostnames such as go.microsoft.com, msdn.microsoft.com, windowsupdate.com, etc., preventing the use of a hosts file to override them.
dd72fe4f29bdb774b9ac30c94fc93b5f066aac5c8e15499913337583e477a296
FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross site scripting attacks allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a FrontPage Server Extensions 2002 server. POC exploit examples included.
481c7a945450e48e78979147b05693402a43777326aca41596449f2f82aa8a32
The FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross site scripting attacks allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a FrontPage Server Extensions 2002 server.
9bed5d2ecd96d30a7fb28837f16eddf4efa80b59c02584519705acad729cc70d
It is possible to bypass authentication in Microsoft Commerce Server prior to SP2.
896846e873ec1a1bb9b4e70032331be7942f1231cfd48459e53fb076624b6f45
Mr. Hyan-Lee makes the mistake of printing the entire Windows 2000 bug list.
b3f06990ed4a3b986e1f7899f6fb4218f24999099cd339bf9b6e5b30e3d920cb
Under some circumstances, it seems that when some code is added into a Microsoft Word document and then spell checked, the application will crash.
b3ae1023eb8bb7fc1504b78ead52b1dd1ca967aea41d061f9279d8d88b423b9a
NGSSoftware Security Advisory - Microsoft SQL Server 2000's BULK INSERT query contains a buffer overflow which allows remote code execution as LOCAL SYSTEM. To be able to use the 'BULK INSERT' query one must have the privileges of the database owner (dbo). Microsoft Security Bulletin available here.
beed091eb087b240ade24c710d5e6642ca80b3f180a2cb4baf37c543862b35d4