A vulnerability in the Windows Ancillary Function Driver for Winsock (afd.sys) can be leveraged by a local attacker to escalate privileges to NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to obtain an arbitrary kernel write-where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963; the issue was patched in the January 2023 updates.
d5a189a643f3c07d66a853b96018a65f135901780840ff23dc17f6a405330ebb
This Metasploit module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. The registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target; therefore, if cmd.exe access is restricted, the module will not run correctly.
5643c9d59dd3082682db29197c72dec6efcfecef92c481633dd466d8973ffddb
This Metasploit module exploits the lack of sanitization of standard handles in the Windows Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32- and 64-bit. This module will only work against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.
26f03a91eb8c8dde8874f73e8d5a247d4da47b1e8ea13cc74ba383ffcb0b25c5
Microsoft Internet Explorer OLE pre-IE11 automation array remote code execution / PowerShell VirtualAlloc exploit (MS14-064).
d3053b664458c408fee9df099a23f568d9bd4a2935dc2bc5f92cc1ab8dda07aa
This Metasploit module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine. When supplied a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component tries to extract a filename using PathFindFileNameA(), and then copies the returned string onto a fixed-size stack buffer with an inline strcpy. As a result, if the input data is long enough, it causes a stack-based buffer overflow, which may lead to arbitrary code execution in the context of the user.
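The copy pattern described above, as an added example that is not code from the module or from BlazeVideo: a small stand-in for PathFindFileNameA() that returns the last path component, the unchecked strcpy into a fixed stack buffer that produces the overflow, and the bounds-checked copy that rejects an oversized name instead. The 64-byte buffer size, the path prefix and the 300-byte filename are constructed for illustration; the page does not give the real buffer size in MediaPlayerCtrl.dll.

```c
#include <stdio.h>
#include <string.h>

/* Approximates what PathFindFileNameA() returns: a pointer to the last path
 * component (after the final '\\' or '/'), or the whole string if there is
 * no separator. A trailing separator is kept as part of the last component,
 * matching the Windows API. */
const char *plf_find_file_name(const char *path)
{
    const char *name = path;
    for (const char *p = path; *p != '\0'; p++) {
        if ((*p == '\\' || *p == '/') && p[1] != '\0')
            name = p + 1;
    }
    return name;
}

#define NAME_BUF 64   /* assumed size; the real buffer size is not on the page */

/* Vulnerable pattern: the extracted file name is copied into a fixed-size
 * stack buffer with no length check. Calling this with a name longer than
 * NAME_BUF-1 bytes overwrites the stack; it is here only to show the shape
 * of the bug and is never called with a long name below. */
void copy_name_unchecked(const char *path)
{
    char name[NAME_BUF];
    strcpy(name, plf_find_file_name(path));   /* no bound: overflow if long */
    printf("unchecked copy ok: %s\n", name);
}

/* Hardened version: refuse names that do not fit in the destination.
 * Returns 0 on success, -1 if the name (plus terminator) exceeds outsz. */
int copy_name_checked(const char *path, char *out, size_t outsz)
{
    const char *name = plf_find_file_name(path);
    size_t n = strlen(name);
    if (n >= outsz)
        return -1;
    memcpy(out, name, n + 1);
    return 0;
}

/* Constructed .plf-style entry: a plausible directory prefix followed by a
 * file name of name_len 'A' bytes, the way an attacker-controlled entry
 * would look. Returns 0 on success, -1 if it does not fit in buf. */
int build_long_plf_entry(char *buf, size_t bufsz, size_t name_len)
{
    const char *prefix = "C:\\Videos\\";
    size_t plen = strlen(prefix);
    if (plen + name_len + 1 > bufsz)
        return -1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', name_len);
    buf[plen + name_len] = '\0';
    return 0;
}

int main(void)
{
    char entry[512];
    char out[NAME_BUF];

    copy_name_unchecked("C:\\Videos\\clip.mpg");   /* short name: fits */

    build_long_plf_entry(entry, sizeof entry, 300);  /* 300-byte name */
    if (copy_name_checked(entry, out, sizeof out) < 0)
        printf("rejected: %zu-byte file name does not fit in %d bytes\n",
               strlen(plf_find_file_name(entry)), NAME_BUF);
    return 0;
}
```

The checked variant is the fix a vendor would apply; a long-name entry like the one built here is also a useful regression input for fuzzing any .plf loader, since the crash is deterministic once the name exceeds the buffer.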
ab34370a5debea1b2a8db24c582834304ee72c0e5a992dbbbcfedc31867011f6
Microsoft Windows Pro SP3 full ROP calc.exe shellcode.
289f3c1bf7939844f15a89531a486537d36030fca3be043135f9d4ec1f1d3550
This Metasploit module exploits a vulnerability found in Aladdin Knowledge System's ActiveX component. By supplying a long string of data to the ChooseFilePath() function, a buffer overflow occurs, which may result in remote code execution in the context of the user.
52766c2b3fde61f7b666e4b1325dcd3fd7b5e615f7cb3ac20c90295ebd3f492b
Aladdin Knowledge System Ltd PrivAgent.ocx ChooseFilePath buffer overflow proof of concept exploit.
6b0e1f5b8ce0b43f6fe89b5aefc2eb998856bca69d78c4825813a7b9d9459d3d
NCMedia Sound Editor Pro version 7.5.1 buffer overflow exploit with SEH and DEP.
4195ae37fdb252cffc6ea369a4e3f28b378fc74c86697f3ab2e437a9b9fbd9c1
Lattice Semiconductor PAC-Designer version 6.21 suffers from a stack-based buffer overflow.
520230c976f66176275e60d6714d34242413e22d709e7dd05023f8285270adbe
This Metasploit module creates a buffer overflow condition by sending a Read Request (RRQ) packet to TFTP server version 1.4.
fa9a0be38e83a3162d8474b2cb10cba8e6ec243cb4cbcc36423fedb3d72656ab
BlazeVideo HDTV Player version 6.6 Professional buffer overflow exploit with SEH + DEP + ASLR bypass.
f5b576d7baf1601664d205e9e05ca99f4fbeb993a5658b7404fac8d5620e1548
Blade API Monitor Unicode bypass exploit that leverages a serial number buffer overflow vulnerability.
c109d660b442ebc03a56a50cd730ba3d2d076545a02df2184c4d3368a7dd25c8
TFTP Server version 1.4 read request packet buffer overflow exploit that spawns a reverse shell to port 9988.
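The Read Request packet referred to in the TFTP Server 1.4 entries above, as an added example that is not code from either exploit or from the TFTP server: an RFC 1350 RRQ builder (2-byte opcode 1, filename, NUL, mode, NUL), a constructed attacker-style RRQ with an oversized filename, and a parser that checks the filename against its destination buffer and never reads past the packet length, which is the check the vulnerable server lacks. The 64-byte destination and the 1000-byte filename are assumptions; the page does not state the server's actual buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_OP_RRQ 1

/* Build an RFC 1350 RRQ: big-endian opcode, filename, NUL, mode, NUL.
 * Returns the packet length, or -1 if it does not fit in out. */
int tftp_build_rrq(uint8_t *out, size_t outsz,
                   const char *filename, const char *mode)
{
    size_t flen = strlen(filename), mlen = strlen(mode);
    size_t need = 2 + flen + 1 + mlen + 1;
    if (need > outsz)
        return -1;
    out[0] = 0;
    out[1] = TFTP_OP_RRQ;
    memcpy(out + 2, filename, flen + 1);        /* includes the NUL */
    memcpy(out + 2 + flen + 1, mode, mlen + 1); /* includes the NUL */
    return (int)need;
}

/* Constructed attacker-style RRQ whose filename is name_len 'A' bytes,
 * mode "octet". Returns the packet length or -1. */
int tftp_build_long_rrq(uint8_t *out, size_t outsz, size_t name_len)
{
    char name[2048];
    if (name_len >= sizeof name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return tftp_build_rrq(out, outsz, name, "octet");
}

/* Bounded RRQ parser. Both strings are located with memchr within pktlen,
 * so a packet missing its terminators is rejected rather than over-read,
 * and the filename is rejected if it would not fit in fname.
 * Returns 0 on success, -1 if malformed, -2 if the filename is too long. */
int tftp_parse_rrq(const uint8_t *pkt, size_t pktlen,
                   char *fname, size_t fsz, char *mode, size_t msz)
{
    if (pktlen < 4 || pkt[0] != 0 || pkt[1] != TFTP_OP_RRQ)
        return -1;
    const uint8_t *p = pkt + 2, *end = pkt + pktlen;

    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul)
        return -1;
    size_t flen = (size_t)(nul - p);
    if (flen >= fsz)
        return -2;               /* the check the vulnerable server lacks */
    memcpy(fname, p, flen);
    fname[flen] = '\0';

    p = nul + 1;
    nul = memchr(p, 0, (size_t)(end - p));
    if (!nul)
        return -1;
    size_t mlen = (size_t)(nul - p);
    if (mlen >= msz)
        return -1;
    memcpy(mode, p, mlen);
    mode[mlen] = '\0';
    return 0;
}

int main(void)
{
    uint8_t pkt[2048];
    char fname[64], mode[16];    /* assumed server-side buffer sizes */

    int n = tftp_build_rrq(pkt, sizeof pkt, "test.txt", "octet");
    printf("normal RRQ: %d bytes, parse=%d file=%s mode=%s\n", n,
           tftp_parse_rrq(pkt, (size_t)n, fname, sizeof fname, mode, sizeof mode),
           fname, mode);

    n = tftp_build_long_rrq(pkt, sizeof pkt, 1000);
    printf("long RRQ: %d bytes, parse=%d (-2 = filename rejected)\n", n,
           tftp_parse_rrq(pkt, (size_t)n, fname, sizeof fname, mode, sizeof mode));
    return 0;
}
```

Sending the long RRQ to a listener with a tool such as ncat -u is the quickest way to confirm whether a TFTP daemon checks the filename length before copying it; the parser here shows what a fixed server should do with the same bytes.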
a201aaa089a6bcd7806a570bb387706be9f0b4e2056e93422d3b8acf44b2a9c1
Microsoft Office 2003 Home/Pro buffer overflow exploit with a magic payload download.
a5df7f790abb9961479c3b3d997d64657f4eb426c3b9605dd2ffa79bf09958af
ActFax Server FTP post-authentication remote buffer overflow exploit.
4be2f3a68350281866ccffc27102dc7ca96ae58300eeb928a65f39b7f23e1fea
Easy FTP Server version 1.7.0.2 post-authentication buffer overflow exploit.
2a6596bad306c2f92f31a99a5af952a2ecb1fa44c6c4f1578665dd5c22713689