Menu

Improved exploit search engine. Try it out

"Microsoft Windows - AppX Deployment Service Privilege Escalation"

Author

"Nabeel Ahmed"

Platform

windows

Release date

2019-04-09

Release Date Title Type Platform Author
2019-04-22 "LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)" local windows "Dino Covotsos"
2019-04-22 "Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)" dos windows Achilles
2019-04-19 "Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection" webapps windows "Vahagn Vardanyan"
2019-04-19 "Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal" webapps windows "Vahagn Vardanyan"
2019-04-18 "ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)" remote windows AkkuS
2019-04-17 "MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-17 "DHCP Server 2.5.2 - Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation" local windows "Digital Interruption"
2019-04-16 "AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)" dos windows "Mücahit İsmail Aktaş"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-16 "PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-04-15 "MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "MailCarrier 2.51 - POP3 'USER' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "RemoteMouse 3.008 - Arbitrary Remote Command Execution" remote windows 0rphon
2019-04-15 "MailCarrier 2.51 - 'RCPT TO' Buffer Overflow" remote windows "Dino Covotsos"
2019-04-15 "UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-15 "UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-12 "Microsoft Internet Explorer 11 - XML External Entity Injection" local windows hyp3rlinx
2019-04-12 "CyberArk EPM 10.2.1.603 - Security Restrictions Bypass" local windows "Alpcan Onaran"
2019-04-10 "FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer" local windows "Dino Covotsos"
2019-04-10 "FTPShell Server 6.83 - 'Account name to ban' Local Buffer" local windows "Dino Covotsos"
Release Date Title Type Platform Author
2019-04-09 "Microsoft Windows - AppX Deployment Service Privilege Escalation" local windows "Nabeel Ahmed"
2018-03-28 "Microsoft Windows Remote Assistance - XML External Entity Injection" webapps windows "Nabeel Ahmed"
2016-08-08 "Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)" local windows "Nabeel Ahmed"
2016-02-15 "Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)" local windows "Nabeel Ahmed"
2016-09-22 "Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)" local windows "Nabeel Ahmed"
2018-02-27 "Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service" dos windows "Nabeel Ahmed"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46683/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46683/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46683/41123/microsoft-windows-appx-deployment-service-privilege-escalation/download/", "exploit_id": "46683", "exploit_description": "\"Microsoft Windows - AppX Deployment Service Privilege Escalation\"", "exploit_date": "2019-04-09", "exploit_author": "\"Nabeel Ahmed\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

1
2
3
4
5
6
7
8
9
This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. 

1. The exploit first checks if the targeted file exists, if it does it will check its permissions. Since we are using Microsoft Edge for this exploit it will kill Microsoft Edge in order to get access to the settings.dat file. 
2. After Microsoft Edge is killed it will check for the "setting.dat" file and delete it in order to create a hardlink to the requested targeted file (in our case that was the HOSTS file) 
3. Once a hardlink is created Microsoft Edge is fired up again to trigger the vulnerability. Concluding with a final check if indeed "Full Control" permissions have been set for the current user.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46683.zip