21 matches found
Aladdin - Payload Generation Technique That Allows The Deserialization Of A .NET Payload And Execution In Memory
Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deserialization of a .NET payload and its execution in memory. The original vector was documented at https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html. By spawning the...
Dropping Files on a Domain Controller Using CVE-2021-43893
On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere,...
Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
PoC exploit for CVE-2020-1048. It is an exploit targeting a bina...
Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'AppXSvc Hard Link Privilege Escalation', 'Description' => %q{ There exists a privilege escalation vulnerability for Windows 10 builds prior to buil...
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption
Content: Dim ar1(&h3000000) Dim ar2(1000) Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Value(v) mValue = v End Property Public Default Property Get P P = mValue ' Where to write End Property End Class Sub TriggerWrite(where, val) Dim v1 Set v1 =...
Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption
Content: Dim ar1(&h3000000) Dim ar2(1000) Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Value(v) mValue = v End Property Public Default Property Get P P = mValue ' Where to write End Property End Class Sub TriggerWrite(where, val) Dim v1 Set v1 =...
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption Exploit
Content: Dim ar1(&h3000000) Dim ar2(1000) Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Value(v) mValue = v End Property Public Default Property Get P P = mValue ' Where to write End Property End Class Sub TriggerWrite(where, val) Dim v1 Set v1 =...
One of my first sandbox escapes and bugs (CVE-2015-1743)
Advisory link: http://www.zerodayinitiative.com/advisories/ZDI-15-377/ (CVE-2015-1743). Demo: https://www.youtube.com/watch?v=6Vtl8kh6keQ Below is one of my first sandbox escapes, and my entry into vulnerability research. My first bugs relied heavily on the work that Forshaw did; my later ones deviat...
Windows 10 Realtek Audio Driver 6.0.1.7898 - Dolby Audio X2 Service Privilege Escalation Vulnerabili
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 has a privilege escalation vulnerability that allows a normal user to obtain arbitrary system privileges. Windows: Dolby Audio X2 Service EoP (CVE-2017-7293) Windows: Dolby Audio X2 Service Elevation of...
Symbolic Link vulnerability: a brief background introduction - vulnerability warning - the black bar safety net
Symbolic links are one of the key mechanisms of the Microsoft Windows system: object manager and registry symbolic links were introduced in Windows NT 3.1, and starting with Windows 2000 Microsoft also introduced NTFS Mount Points and Directory Junctions. For those familiar with Windows, these mechanisms...
Windows 10 Mount Point Mitigation & MS15-090 bypass - vulnerability warning - the black bar safety net
Symbolic Link vulnerability: brief background. Symbolic links are one of the key mechanisms of the Microsoft Windows system: object manager and registry symbolic links were introduced in Windows NT 3.1, and starting with Windows 2000 Microsoft also introduced NTFS Mount Points and Directory...
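The link mechanisms this background article describes (object manager and registry symbolic links, NTFS mount points, directory junctions) and the hard-link and symlink privilege-escalation entries elsewhere in this listing share one root cause: a privileged file operation resolves a path component the attacker controls. The following Python is an added example and is not code from any of the listed articles or tools. It shows the check a privileged service should make before writing under a directory it owns: walk each component with lstat (never following anything), refuse symlinks and reparse points, refuse regular files with more than one hard link, open with O_NOFOLLOW, and confirm the opened object is the one that was checked. It generalizes beyond Windows: it runs on Linux and macOS as written, and on Windows Python exposes junctions and mount points through st_file_attributes, which the same code checks. The temporary-directory layout, file names and the trusted_root argument are constructed for this demo.

```python
import os
import stat
import tempfile
import pathlib

# Defined in the stat module on every platform; meaningful on Windows, where
# symlinks, junctions and volume mount points are all reparse points.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link_like(st: os.stat_result) -> bool:
    """True for a POSIX symlink or (on Windows) any reparse point."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # present only on Windows
    return bool(attrs & REPARSE_POINT)


def check_no_links(path, trusted_root):
    """Walk from trusted_root down to path one component at a time, using
    lstat so nothing is resolved. Return None if the write is safe, else a
    string naming the first problem. trusted_root (an assumption of this
    example) is a link-free directory the privileged service owns."""
    root = pathlib.Path(trusted_root)
    target = pathlib.Path(path)
    try:
        rel = target.relative_to(root)
    except ValueError:
        return "target is outside the trusted root"
    cur, st = root, None
    for part in rel.parts:
        cur = cur / part
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            # Only the final component may be absent (we are about to create it).
            return None if cur == target else f"missing directory: {cur}"
        if is_link_like(st):
            return f"symlink/junction/mount point at: {cur}"
        if cur != target and not stat.S_ISDIR(st.st_mode):
            return f"non-directory in path: {cur}"
    if st is not None and stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        # An unprivileged user who can hard-link a privileged file into this
        # directory would turn our write into an overwrite of that file.
        return f"hard link (nlink={st.st_nlink}) at: {cur}"
    return None


def privileged_write(path, data: bytes, trusted_root) -> int:
    """Check, open without following links, then confirm the object we opened
    is the one we checked (shrinks the check-to-use race window)."""
    problem = check_no_links(path, trusted_root)
    if problem:
        raise PermissionError(problem)
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        opened, on_disk = os.fstat(fd), os.lstat(path)
        if (opened.st_dev, opened.st_ino) != (on_disk.st_dev, on_disk.st_ino) \
                or opened.st_nlink > 1:
            raise PermissionError("path changed between check and open")
        return os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed layout in a fresh temp dir: plain files, a directory
    symlink into a second (attacker-controlled) dir, and a hard-linked file."""
    root = tempfile.mkdtemp()
    attacker_dir = tempfile.mkdtemp()
    plain = os.path.join(root, "plain.txt")
    secret = os.path.join(root, "secret.txt")
    for p in (plain, secret):
        with open(p, "wb") as f:
            f.write(b"original")
    os.symlink(attacker_dir, os.path.join(root, "linkdir"))  # directory symlink
    os.link(secret, os.path.join(root, "alias.txt"))          # hard link alias
    results = {
        "plain": check_no_links(plain, root),
        "new_file": check_no_links(os.path.join(root, "new.txt"), root),
        "via_symlink_dir": check_no_links(os.path.join(root, "linkdir", "x.txt"), root),
        "hard_link": check_no_links(os.path.join(root, "alias.txt"), root),
        "outside_root": check_no_links(os.path.join(attacker_dir, "x.txt"), root),
        "written": privileged_write(os.path.join(root, "new.txt"), b"config", root),
    }
    try:
        privileged_write(os.path.join(root, "alias.txt"), b"pwn", root)
        results["hard_link_write"] = "allowed"
    except PermissionError:
        results["hard_link_write"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The component-by-component lstat walk is the important part: a single realpath() call at the top would follow the very links the check is supposed to reject, and a check on the final component alone misses a junction or symlinked directory higher up the path. The fstat/lstat comparison after the open is not a complete TOCTOU fix (the directory can still be swapped while the walk is in progress), but it catches the common case of the final component being replaced between the check and the open.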
MS15-076 (CVE-2015-2370) exploitation analysis - vulnerability warning - the black bar safety net
On July 14, 2015, that is, a month ago, on that busy Patch Tuesday, Microsoft fixed a number of privilege escalation vulnerabilities on the Windows platform. Among them is a vulnerability in DCOM/RPC that allows an attacker to initiate a...
Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076) Exploit
Exploit for the Windows platform, category: local exploits. Source: https://github.com/monoxgas/Trebuchet Trebuchet: MS15-076 / CVE-2015-2370 Privilege Escalation. Copies a file to any privileged location on disk. Compiled with VS2015; precompiled exe in the Binary directory. Usage: trebuchet.exe...
Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)
Source: https://github.com/monoxgas/Trebuchet Trebuchet: MS15-076 / CVE-2015-2370 Privilege Escalation. Copies a file to any privileged location on disk. Compiled with VS2015; precompiled exe in the Binary directory. Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll This is a lightly...
Microsoft Windows 8.1 - DCOM DCERPC Local NTLM Reflection Privilege Escalation (MS15-076)
Microsoft Windows 8.1 - DCOM DCERPC Local NTLM Reflection Privilege Escalation (MS15-076). Source: https://github.com/monoxgas/Trebuchet Trebuchet: MS15-076 / CVE-2015-2370 Privilege Escalation. Copies a file to any privileged location on disk. Compiled with VS2015; precompiled exe in the Binary directory...
MS13-097 Registry Symlink IE Sandbox Escape
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'rex' require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class Metasploit3...
Microsoft Mitigation Bypass Bug Bounty Winner Yang Yu
Yang Yu is no stranger to writing mitigation bypasses for Microsoft Windows products. A year ago at the CanSecWest conference in Vancouver, the 35-year-old security researcher from Beijing gave an extensive presentation on bypassing Address Space Layout Randomization (ASLR) and Data Execution...
Updated xml-security package fixes security vulnerability
James Forshaw discovered that Apache XML Security for Java incorrectly validated CanonicalizationMethod parameters. An attacker could use this flaw to spoof XML signatures (CVE-2013-2172)...
Microsoft Mitigation Bypass Bounty Winner James Forshaw
Give James Forshaw a good logic bug over a memory-corruption vulnerability any day of the week. The British researcher says he would rather manipulate weaknesses in code to climb out of an application sandbox than turn a fuzzer against a piece of software and spot a memory leak. But incentivized ...
Congratulations to James Forshaw Recipient of Our First $100,000 Bounty for New Mitigation Bypass Techniques!
Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re...