NT Internals

10 exploits Active since Sep 2008
CVE-2008-5725 EXPLOITDB text WORKING POC
EnTech Taiwan PowerStrip <3.84 - Privilege Escalation
The NT kernel-mode driver (aka pstrip.sys) 5.0.1.1 and earlier in EnTech Taiwan PowerStrip 3.84 and earlier allows local users to gain privileges via certain IRP parameters in an IOCTL request to \Device\Powerstrip1 that overwrites portions of memory.
CVE-2009-2450 EXPLOITDB text WORKING POC
Online Armor Personal Firewall < 3.5.0.14 - Privilege Escalation via OAmon.sys IOCTL
The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Armor Personal Firewall AV+ before 3.5.0.12, and Personal Firewall 3.5 before 3.5.0.14, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\OAmon containing arbitrary kernel addresses, as demonstrated using the 0x830020C3 IOCTL.
CVE-2009-2653 EXPLOITDB text SUSPICIOUS
Microsoft Windows XP SP2-SP3 & Server 2003 - Privilege Escalation
The NtUserConsoleControl function in win32k.sys in Microsoft Windows XP SP2 and SP3, and Server 2003 before SP1, allows local administrators to bypass unspecified "security software" and gain privileges via a crafted call that triggers an overwrite of an arbitrary memory location. NOTE: the vendor disputes the significance of this report, stating that 'the Administrator to SYSTEM "escalation" is not a security boundary we defend.
EIP-2026-117621 EXPLOITDB text SUSPICIOUS
mks_vir 9b < 1.2.0.0b297 - 'mksmonen.sys' Local Privilege Escalation
CVE-2008-5724 EXPLOITDB text WORKING POC
ESET Smart Security <3.0.672 - Privilege Escalation
The Personal Firewall driver (aka epfw.sys) 3.0.672.0 and earlier in ESET Smart Security 3.0.672 and earlier allows local users to gain privileges via a crafted IRP in a certain METHOD_NEITHER IOCTL request to \Device\Epfw that overwrites portions of memory.
CVE-2008-5049 EXPLOITDB text WORKING POC
ISecSoft Anti-Keylogger Elite < 3.3.0 - Local Privilege Escalation via AKEProtect.sys IOCTL Buffer Overflow
Buffer overflow in AKEProtect.sys 3.3.3.0 in ISecSoft Anti-Keylogger Elite 3.3.0 and earlier, and possibly other versions including 3.3.3, allows local users to gain privileges via long inputs to the (1) 0x002224A4, (2) 0x002224C0, and (3) 0x002224CC IOCTL.
CVE-2009-1824 EXPLOITDB text WRITEUP
ArcaBit ArcaVir 2009 - Local Privilege Escalation via ps_drv.sys IOCTL Requests
The ps_drv.sys kernel driver in ArcaBit ArcaVir 2009 Antivirus Protection 9.4.3201.9 and earlier, ArcaVir 2009 Internet Security 9.4.3202.9 and earlier, ArcaVir 2009 System Protection 9.4.3203.9 and earlier, and ArcaBit 2009 Home Protection 9.4.3204.9 and earlier, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\ps_drv containing arbitrary kernel addresses, as demonstrated using the (1) 0x2A7B802B and possibly (2) 0x2A7B8004 and (3) 0x2A7B802F IOCTLs.
EIP-2026-116964 EXPLOITDB text WORKING POC
CloneCD/DVD 'ElbyCDIO.sys' < 6.0.3.2 - Local Privilege Escalation
CVE-2008-4362 EXPLOITDB c WORKING POC
DESlock+ 3.2.7 - Denial of Service via Crafted IOCTL Request
The Virtual Token driver (vdlptokn.sys) 1.0.2.43 in DESlock+ 3.2.7 allows local users to cause a denial of service (system crash) via a crafted IOCTL request to \Device\DLPTokenWalter0.
CVE-2008-4451 EXPLOITDB c WORKING POC
ESET System Analyzer Tool 1.1.1.0 - Local Privilege Escalation via IOCTL Request
The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET System Analyzer Tool 1.1.1.0 allows local users to execute arbitrary code via a certain METHOD_NEITHER IOCTL request to \Device\esiasdrv that overwrites a pointer.