11 matches found

RedhatCVE
added 2026/01/07 9:38 a.m. | 6 views

CVE-1999-0376

Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs...

4.6 CVSS | 6.9 AI score | 0.00471 EPSS
Exploits: 0 | References: 1
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-1999-0376

Malware in sbrugna...

4.6 CVSS | 6.4 AI score | 0.00471 EPSS
Exploits: 0 | References: 2
Kitploit
added 2023/06/08 12:30 p.m. | 69 views

AtomLdr - A DLL Loader With Advanced Evasive Features

A DLL Loader With Advanced Evasive Features Features: CRT library independent. The final DLL file can run the payload by loading the DLL executing its entry point, or by executing the exported "Atom" function via the command line. DLL unhooking from \KnownDlls\ directory, with no RWX sections. T...

8 AI score
Exploits: 0 | References: 16
Kitploit
added 2021/03/15 11:30 a.m. | 50 views

DLLHSC - DLL Hijack SCanner A Tool To Assist With The Discovery Of Suitable Candidates For DLL Hijacking

DLL Hijack SCanner - A tool to generate leads and automate the discovery of candidates for DLL Search Order Hijacking Contents of this repository This repository hosts the Visual Studio project file for the tool DLLHSC, the project file for the API hooking functionality detour, the project file f...

7.5 AI score
Exploits: 0 | References: 2
GoogleProjectZero
added 2018/11/30 12:0 a.m. | 34 views

Injecting Code into Windows Protected Processes using COM - Part 2

Posted by James Forshaw, Project Zero In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. The techniques presented don’t work for exploiting the older, stronger Protected Processes...

7.6 AI score
Exploits: 0
GoogleProjectZero
added 2018/08/14 12:0 a.m. | 39 views

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Posted by James Forshaw, Project Zero And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged...

7.4 AI score
Exploits: 0
Cvelist
added 1999/09/29 4:0 a.m. | 22 views

CVE-1999-0376

Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs...

6.5 AI score | 0.00471 EPSS
Exploits: 0 | References: 1
CVE
added 1999/09/29 4:0 a.m. | 58 views

CVE-1999-0376

CVE-1999-0376 involves a local privilege-escalation in Windows NT where an attacker can obtain administrator privileges by modifying the KnownDLLs list to reference malicious programs. The linked sources (Red Hat, NVD, CVE list) all describe the same vulnerability: local user access can be abused...

4.6 CVSS | 6.9 AI score | 0.00471 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 1999/02/20 5:0 a.m. | 12 views

CVE-1999-0376

Local users in Windows NT can obtain administrator privileges by changing the KnownDLLs list to reference malicious programs...

4.6 CVSS | 6.5 AI score | 0.00471 EPSS
Exploits: 0 | References: 1
Exploit DB
added 1999/02/18 12:0 a.m. | 26 views

Microsoft Windows NT 4.0 SP4 - Known DLL Cache

source: https://www.securityfocus.com/bid/234/info The names and mappings of kernel objects in NT are cached in the "object namespace". In this area, DLL mappings are kept in a section called KnownDlls. By manipulating the namespace, it is possible to redirect calls to arbitrary dlls...

7.4 AI score
Exploits: 0
exploitpack
added 1999/02/18 12:0 a.m. | 14 views

Microsoft Windows NT 4.0 SP4 - Known DLL Cache

Microsoft Windows NT 4.0 SP4 - Known DLL Cache source: https://www.securityfocus.com/bid/234/info The names and mappings of kernel objects in NT are cached in the "object namespace". In this area, DLL mappings are kept in a section called KnownDlls. By manipulating the namespace, it is possible t...

Exploits: 0