This Metasploit module exploits CVE-2021-31166, a UAF bug in http.sys when parsing specially crafted Accept-Encoding headers that was patched by Microsoft in May 2021, on vulnerable IIS servers. Successful exploitation will result in the target computer BSODing before subsequently rebooting. Note that the target IIS server may or may not come back up, this depends on the targets settings as to whether IIS is configured to start on reboot.
97a44dc1fe6ca954dc341018f61c578a60177d84f6f32df13fcea55667e3fca9
This is a full browser compromise exploit chain targeting Mozilla Firefox on Windows 64-bit. It uses CVE-2019-9810 for getting code execution in both the content process as well as the parent process and CVE-2019-11708 to trick the parent process into browsing to an arbitrary URL.
9b6b4e57729b361dc8c968a497ed828d4104708a0de054bdc98f0d4df499c7d5
The Windows kernel does not properly isolate broadcast messages from low integrity applications from medium or high integrity applications. This allows commands to be broadcasted to an open medium or high integrity command prompts allowing escalation of privileges. We can spawn a medium integrity command prompt, after spawning a low integrity command prompt, by using the Win+Shift+# combination to specify the position of the command prompt on the taskbar. We can then broadcast our command and hope that the user is away and doesn't corrupt it by interacting with the UI. Broadcast issue affects versions Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT. But Spawning a command prompt with the shortcut key does not work in Vista so you will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line but it may take some time to complete.
ec4132f8b9ac70f158c3461e225396c2635aeb7d0ad1f9877329265b9fd215b8