
Files

Windows LSA Service LsapGetClientInfo Impersonation Level Check Privilege Escalation
Posted Jul 15, 2022
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LsapGetClientInfo API in LSASRV will fall back to directly capturing a caller's impersonation token if it fails to impersonate, leading to elevation of privilege because the impersonation level is not checked.

tags | exploit
systems | windows
advisories | CVE-2022-30166
SHA-256 | 4f77530c88d7c141599b603fabccbde4f773bc1697a54702749961ba91a1346a

Related Files

Microsoft Windows Contact File Remote Code Execution
Posted Feb 20, 2023
Authored by hyp3rlinx, j00sean | Site hyp3rlinx.altervista.org

This advisory ties together older research on a contact file handling flaw on Microsoft Windows with more recently discovered research that uses the same methodologies.

tags | advisory
systems | windows
advisories | CVE-2022-44666
SHA-256 | bd483c57b86b3adc56157efdf3dd779e6e9b6a498c944d78ee46fe9d56a01c00
Microsoft Windows EFSRPC Arbitrary File Upload / Privilege Escalation
Posted Jan 13, 2022
Authored by James Forshaw, Google Security Research

The EFSRPC service on Microsoft Windows Server versions 2019 and 2022 does not prevent a caller from specifying a local device path, allowing any authenticated user to upload arbitrary files to a server.

tags | exploit, arbitrary, local
systems | windows
advisories | CVE-2021-43893
SHA-256 | 69dcaa165fe62179a42fd16409e133c7034c05be0577fdf672a5a01f4c88b8f8
Microsoft Windows AppContainer Enterprise Authentication Capability Bypass
Posted Aug 13, 2020
Authored by James Forshaw, Google Security Research

On Microsoft Windows 10 1909, LSASS does not correctly enforce the Enterprise Authentication Capability, which allows any AppContainer to perform network authentication with the user's credentials.

tags | exploit
systems | windows
advisories | CVE-2020-1509
SHA-256 | add2a6155569229eb72c46617e93a9349d033f14467cf27d02c0e25d3f347e94
Microsoft Windows RPCSS Activation Kernel Security Callback Privilege Escalation
Posted Jul 18, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the RPCSS Activation Kernel RPC server's security callback can be bypassed, resulting in elevation of privilege.

tags | exploit, kernel
systems | windows
advisories | CVE-2019-1089
SHA-256 | 8798d39be121b1ca424688b64bf7499391b79aa9b2b31c8a56654a285be15b2e
Microsoft Windows LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delayed virtualization has occurred during a read, which leads to the SECTION_OBJECT_POINTERS value being reset to the underlying file and results in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0836
SHA-256 | 1e8cd54d3c2d772976524e371c95b1d714210d40f0a02d7fb49facede63a5c9e
Microsoft Windows LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver can confuse the cache and memory manager into replacing the contents of a privileged file, leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0805
SHA-256 | 2f0783d66d46e920f1e358cb270db27803dfe9308027b531f607dbab38974980
Microsoft Windows LUAFV NtSetCachedSigningLevel Device Guard Bypass
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV into applying a cached signature to an arbitrary file, leading to a bypass of code signing enforcement under UMCI with Device Guard.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0732
SHA-256 | 5e11646fa10b0479415382c2a97eb9d01f2462f9f48431fe8f465de293d45f36
Microsoft Windows LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization and can be tricked into writing an arbitrary short name, leading to elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2019-0796
SHA-256 | 72c0e2e26c794f1e484bea3169422e90d36accc9e727f3f347fdeb0418dabcbc
Microsoft Windows LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver does not take into account a virtualized handle being duplicated to a more privileged process, resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0731
SHA-256 | aa83f4bf9c9d7ac15d9c50d8e2eb520ebe906895d7841085259cbda854780e60
Microsoft Windows LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file, resulting in elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0730
SHA-256 | c6698b041f1966005a9d6cd5b1e2888b8cb194d1fd4f68b6863494c7a26ab4e6
Microsoft Windows CSRSS SxSSrv Cached Manifest Privilege Escalation
Posted Apr 16, 2019
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key, allowing an attacker to fill a cache entry for a system binary and leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2019-0735
SHA-256 | ad66ed46b7b1347ea52c8af3e54cce2e72fd812fa5124a8d4ad94efa3452229c
Microsoft Windows Arbitrary File Read
Posted Dec 21, 2018
Authored by evil_polar_bear

Proof of concept zero-day exploit that demonstrates being able to read any file on Microsoft Windows.

tags | exploit, proof of concept
systems | windows
SHA-256 | 0d21dea6b52ca43506fffddb7e706515d706e0ea959580f677916db5f3af774c
Cisco Immunet / Cisco AMP For Endpoints Scanning Denial Of Service
Posted Nov 9, 2018
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. This could allow executable files to be launched on the system without being analyzed for threats. The vulnerability is due to improper process resource handling. Cisco Immunet versions prior to 6.2.0 and Cisco AMP For Endpoints version 6.2.0 are affected.

tags | exploit, local
systems | cisco, windows
advisories | CVE-2018-15437
SHA-256 | 5017f9c736285c4def48333e34e95f0cc85a4c481b2df3b3524424ab4b0de654
Microsoft Windows FSCTL_FIND_FILES_BY_SID Information Disclosure
Posted Oct 16, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the FSCTL_FIND_FILES_BY_SID control code does not check for permission to list a directory, leading to disclosure of file names to a user who has not been granted FILE_LIST_DIRECTORY access.

tags | exploit
systems | windows
advisories | CVE-2018-8411
SHA-256 | be5f41f514a5827a0f821f666b99bf1814733a5f65b5368d166452c4a0dca392
Microsoft Windows 10 scrrun.dll Active-X Creation / Deletion Issues
Posted Jun 6, 2018
Authored by Nassim Asrir

scrrun.dll on Microsoft Windows 10 suffers from file creation, folder creation, and folder deletion vulnerabilities.

tags | exploit, vulnerability, activex
systems | windows
SHA-256 | 49d89dc88ed2402a8520c7ee5184247e2f4e65960a730130ea9da0661c4a4a8a
Microsoft Windows SMB Server Mount Point Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the SMB server drivers (srv.sys and srv2.sys) do not check the destination of an NTFS mount point when manually handling a reparse operation, allowing an arbitrary device to be opened locally via an SMB client, which can result in privilege escalation.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-0749
SHA-256 | 18c5e8b69488f509de251342dd3e47d18e57b85a83a80396d794f1f67e9b08c0
Microsoft Windows NtImpersonateAnonymousToken LPAC To Non-LPAC Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, when impersonating the anonymous token in an LPAC, the WIN://NOAPPALLPKG security attribute is ignored, allowing a non-LPAC token to be impersonated and leading to privilege escalation.

tags | exploit
systems | windows
advisories | CVE-2018-0752
SHA-256 | ea9947419e769dd9e18edeb304390de5704daee25ebd8b4d342bdc9bfc87ebea
Microsoft Windows NtImpersonateAnonymousToken AC To Non-AC Privilege Escalation
Posted Jan 11, 2018
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the check for an AC token when impersonating the anonymous token does not check the impersonation token's security level, allowing a non-AC anonymous token to be impersonated and leading to privilege escalation.

tags | exploit
systems | windows
advisories | CVE-2018-0751
SHA-256 | 25a65ee6cfd0f1fa9da6eec73313f59622aaad24e48dd564fccff23fab03b387
EternalBlue Exploit Analysis And Port To Microsoft Windows 10
Posted Jun 7, 2017
Authored by Sean Dillon, Dylan Davis

On April 14, 2017, the Shadow Brokers Group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft Windows. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). The framework included ETERNALBLUE, a remote kernel exploit originally targeting the Server Message Block (SMB) service on Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2). In this paper, the RiskSense Cyber Security Research team analyzes how the use of wrong-sized CPU registers leads to a seemingly innocuous mathematical miscalculation. This causes a chain reaction ultimately culminating in code execution, making ETERNALBLUE one of the most complex exploits ever written. They discuss what was necessary to port the exploit to Microsoft Windows 10, and the mitigations Microsoft has already deployed, which can prevent vulnerabilities of this class from being exploited in the future. The FUZZBUNCH version of the exploit contains an Address Space Layout Randomization (ASLR) bypass, and the Microsoft Windows 10 version required an additional Data Execution Prevention (DEP) bypass not needed in the original exploit.

tags | paper, remote, kernel, vulnerability, code execution
systems | windows
SHA-256 | fa13189f37eae3318ce25b3bd600e5e83270e401b53f1a2fd4a6340b7b1a8803
Microsoft Windows Kernel nt!NtTraceControl Memory Disclosure
Posted May 16, 2017
Authored by Google Security Research, mjurczyk

The handler of the nt!NtTraceControl system call (specifically the EtwpSetProviderTraitsUm functionality, opcode 0x1E) discloses portions of uninitialized pool memory to user-mode clients on Microsoft Windows 10 systems.

tags | exploit
systems | windows
advisories | CVE-2017-0259
SHA-256 | e4b83ed0279f0bf7126f660bff80c3238477bad783d8653366676ce865e7a606
Firefox nsSMILTimeContainer::NotifyTimeChange() Remote Code Execution
Posted Jan 24, 2017
Authored by Anonymous Gaijin | Site metasploit.com

This Metasploit module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.

tags | exploit
systems | windows
advisories | CVE-2016-9079
SHA-256 | af960164b10f4978888d3c2dcdca0041f4f8d2e33bf4bb4404e345fe8ea3e6b9
Windows Null-Free WinExec Shellcode
Posted Dec 11, 2015
Authored by B3mB4m

This is a tool written in Python to generate shellcode for use on Microsoft Windows.

tags | shellcode, python
systems | windows
SHA-256 | 9d065a62ed93f7dd05b3cec4122bdafed6c4c329cba2f1483ffa7f10c8ed93d2
Microsoft Windows Hardlink Permission Issue
Posted Nov 17, 2015
Authored by Google Security Research, forshaw

On Microsoft Windows, NTFS hardlinks can be created without write permission on the target file.

tags | advisory
systems | linux, windows
advisories | CVE-2015-6113
SHA-256 | 760348b2c259a8688b4643226d703dcb86c3811fe54ead7f25e0acc81110138d
Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated TTF File Embedded In SWF
Posted Aug 21, 2015
Authored by Google Security Research, hawkes

An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in an SWF.

tags | exploit
systems | linux
advisories | CVE-2015-5133
SHA-256 | 3e2118575612a001e7d4cabff18c63bc1b2734d53f9b701a601c82011bcff5be
Flash AS2 Use After Free In TextField.filters (Again)
Posted Aug 21, 2015
Authored by Google Security Research, external

There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.

tags | exploit
systems | linux
SHA-256 | c8c4ddb8248e3234cb7f686b990e44c2c471253c71a58e09d477456af6b8c3b9

© 2022 Packet Storm. All rights reserved.