James Forshaw

40 exploits Active since Mar 2012
EIP-2026-117533 EXPLOITDB text WORKING POC
Microsoft Windows - Local XPS Print Spooler Sandbox Escape
CVE-2016-0007 EXPLOITDB HIGH text WORKING POC
Microsoft Windows - Local Privilege Escalation via Reparse Point Mishandling
The sandbox implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles reparse points, which allows local users to gain privileges via a crafted application, aka "Windows Mount Point Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0006.
CVSS 7.8
CVE-2019-0552 EXPLOITDB HIGH text WRITEUP
Windows COM Desktop Broker - Privilege Escalation
An elevation of privilege exists in Windows COM Desktop Broker, aka "Windows COM Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.
CVSS 8.8
CVE-2017-0211 EXPLOITDB MEDIUM text WORKING POC
Microsoft Windows OLE - Privilege Escalation
An elevation of privilege vulnerability exists in Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 versions of Microsoft Windows OLE when it fails an integrity-level check, aka "Windows OLE Elevation of Privilege Vulnerability."
CVSS 5.5
CVE-2015-2553 EXPLOITDB text WRITEUP
Microsoft Windows - Privilege Escalation via Sandboxed Mount Point Junction Mishandling
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 mishandles junctions during mountpoint creation, which makes it easier for local users to gain privileges by leveraging certain sandbox access, aka "Windows Mount Point Elevation of Privilege Vulnerability."
CVE-2019-0841 EXPLOITDB HIGH ruby WORKING POC
Windows AppX Deployment Service - Privilege Escalation
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.
CVSS 7.8
CVE-2019-1019 EXPLOITDB HIGH text WRITEUP
Windows - Security Feature Bypass via NETLOGON Message Session Key Exposure
A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges. The issue has been addressed by changing how NTLM validates network authentication messages.
CVSS 8.5
CVE-2016-0099 EXPLOITDB HIGH ruby WORKING POC
MS16-032 Secondary Logon Handle Privilege Escalation
The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."
CVSS 7.8
CVE-2015-2554 EXPLOITDB text WORKING POC
Microsoft Windows - Local Privilege Escalation via Object Reference
The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Windows Object Reference Elevation of Privilege Vulnerability."
CVE-2017-8708 EXPLOITDB MEDIUM c++ WORKING POC
Windows Kernel - Information Disclosure via Improper Memory Handling
The Windows kernel component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an information disclosure vulnerability when it improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-8679, CVE-2017-8709, and CVE-2017-8719.
CVSS 4.7
CVE-2019-0943 EXPLOITDB HIGH text WORKING POC
Windows - Elevation of Privilege via ALPC Call Handling
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC.
CVSS 7.8
CVE-2018-0966 EXPLOITDB LOW text WORKING POC
Windows 10 and Windows Server 2016 - Device Guard Security Feature Bypass via TOCTOU Race Condition
A security feature bypass exists when Device Guard incorrectly validates an untrusted file, aka "Device Guard Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
CVSS 3.3
EIP-2026-115641 EXPLOITDB text WORKING POC
Microsoft Edge - 'OpenProcess()' ACG Bypass
CVE-2013-1488 EXPLOITDB ruby WORKING POC
Oracle JDK and JRE - Remote Code Execution via Reflection and JDBC Driver Manager
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.
CVE-2017-13209 EXPLOITDB HIGH text WORKING POC
Android 8.0-8.1 - Unauthenticated Missing Authorization in ServiceManager::add
In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller which could allow an application or service to replace a HAL service with its own service. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-68217907.
CVSS 7.8