PwnKit: Local Privilege Escalation Vulnerability in Polkit’s Pkexec (CVE-2021-4034)
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
Research:
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
PoC:
https://github.com/arthepsy/CVE-2021-4034
Exploit:
https://github.com/berdav/CVE-2021-4034
#linux #lpe #polkit #cve
Windows Win32k — Local Privilege Escalation (CVE-2022-21882)
https://github.com/KaLendsi/CVE-2022-21882
#windows #lpe #cve
SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718)
Research:
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81
Exploit:
https://github.com/ly4k/SpoolFool
#windows #print #spooler #lpe #exploit
CVE-2022-0995
This is my exploit for CVE-2022-0995, a heap out-of-bounds write in the watch_queue Linux kernel component.
It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.
The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable; you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.
https://github.com/Bonfee/CVE-2022-0995
#linux #lpe #exploit #cve
CVE-2022-27666
This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.
Research:
https://etenal.me/archives/1825
Exploit:
https://github.com/plummm/CVE-2022-27666
#ubuntu #lpe #linux
CVE-2022-27666: Exploit esp6 modules in Linux kernel - ETenal
Forwarded from Ralf Hacker Channel (Ralf Hacker)
And one more new potato! RasMan service for privilege escalation
https://github.com/crisprss/RasmanPotato
#git #lpe #soft #pentest #redteam
GitHub - crisprss/RasmanPotato: Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do
🔧 Windows LPE via StorSvc Service
StorSvc is a service which runs as NT AUTHORITY\SYSTEM and tries to load the missing SprintCSP.dll DLL when triggering the SvcRebootToFlashingMode RPC method locally.
PoC:
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
#windows #lpe #storsvc #service
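Added check, not code from the BlackArrow PoC linked above: because SprintCSP.dll does not exist, a SYSTEM service that asks for it falls through to the directories in the machine PATH, so the precondition for this LPE is a PATH directory that a standard user can write to. The script below probes each machine PATH directory with a real create/delete and reports whether a SprintCSP.dll already sits in it. The DLL name is taken from the post; everything else is the example's own.

```powershell
# Added example; not part of the BlackArrow redteam-research repository.
# Lists machine PATH directories in search order, whether the current user can
# create files there, and whether a SprintCSP.dll already exists in them.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Probe with an actual create/delete instead of parsing ACLs: deny ACEs and
    # inherited rights are easy to misread, a real write attempt is not.
    $probe = Join-Path $Directory ('write-probe-{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-PathHijackCandidate {
    param([string]$DllName = 'SprintCSP.dll')   # DLL name from the post above
    # Machine PATH only: a service running as SYSTEM never sees the caller's user PATH.
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    $order = 0
    foreach ($dir in $dirs) {
        $order++
        [pscustomobject]@{
            SearchOrder = $order
            Directory   = $dir
            Writable    = Test-DirectoryWritable -Directory $dir
            DllPresent  = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        }
    }
}

# Usage: run as the low-privileged user whose access you are assessing.
Get-PathHijackCandidate | Format-Table -AutoSize
```

A row with Writable = True that has no DllPresent = True row earlier in the search order is a usable drop location for the hijack; from the defender's side the goal is that no machine PATH directory is writable by standard users, which is also what makes this whole class of DLL-hijack LPEs go away.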
Forwarded from Ralf Hacker Channel (Ralf Hacker)
A new addition to the potato family: GodPotato. Windows LPE:
* Windows Server 2012 - Windows Server 2022;
* Windows 8 - Windows 11
https://github.com/BeichenDream/GodPotato
#git #soft #lpe
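Added check for the two potato posts above (RasmanPotato and GodPotato), not code from either project: every member of the family starts from a token that holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), so the first thing to verify is whether the current context has it. A privilege that shows as Disabled still counts, since the process can enable it itself. The second function gives the defender's view: which services run under the built-in accounts that carry that privilege by default. Both rely only on whoami.exe and the Win32_Service CIM class; the account list is the example's own assumption.

```powershell
# Added example; not part of RasmanPotato or GodPotato.

function Get-ImpersonationPrivilegeState {
    # whoami /priv /fo csv emits the columns "Privilege Name","Description","State"
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($name in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Identity  = $identity
            Privilege = $name
            Held      = [bool]$row                      # present, whether Enabled or Disabled
            State     = if ($row) { $row.State } else { 'Absent' }
        }
    }
}

function Get-ImpersonatingServiceAccount {
    # Services under accounts that hold SeImpersonatePrivilege by default (assumed
    # list: LocalService and NetworkService). Code execution inside any of them,
    # e.g. via a web application or database, is a potato starting point.
    $accounts = 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -in $accounts } |
        Select-Object Name, StartName, State, PathName
}

Get-ImpersonationPrivilegeState | Format-Table -AutoSize
Get-ImpersonatingServiceAccount  | Format-Table -AutoSize
```

Custom service accounts that were granted "Impersonate a client after authentication" through local policy are not caught by the account list; check the User Rights Assignment on the host for those.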
Forwarded from Волосатый бублик
#ad #relay #webdav #ldap
[ DavRelayUp ]
A port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order to achieve #LPE in domain-joined Windows workstations where LDAP signing is not enforced.
Thanks to: Руслан
https://github.com/Dec0ne/DavRelayUp
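Added defender-side check, not code from DavRelayUp: the post names two conditions, LDAP signing not enforced on the domain controller and a WebDAV client on the workstation to relay from. The first function reads the NTDS LDAPServerIntegrity value (1 = signing negotiated but not required, 2 = required) and is meant to run on each DC; the second reports the WebClient service, which is the Windows WebDAV client, on the workstation. Treating an absent registry value as "not required" is this example's assumption about the default.

```powershell
# Added example; not part of the DavRelayUp project.

function Get-DcLdapSigningState {
    # The NTDS\Parameters key only exists on domain controllers.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path -LiteralPath $params)) {
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; IsDomainController = $false
            LDAPServerIntegrity = $null; SigningRequired = $null
        }
    }
    $v = (Get-ItemProperty -LiteralPath $params -Name 'LDAPServerIntegrity' `
            -ErrorAction SilentlyContinue).LDAPServerIntegrity
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        IsDomainController  = $true
        LDAPServerIntegrity = $v
        SigningRequired     = ($v -eq 2)   # absent or 1 => relay to LDAP is possible (assumed default)
    }
}

function Get-WebDavClientState {
    # WebClient = the Windows WebDAV client. Without it there is no WebDAV
    # authentication to relay. It is absent on Server SKUs unless the
    # Desktop Experience feature was added.
    $svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status.ToString() }    else { 'Absent' }
        StartType = if ($svc) { $svc.StartType.ToString() } else { 'Absent' }
    }
}

Get-DcLdapSigningState
Get-WebDavClientState
```

A Stopped WebClient with StartType Manual is not protection: the service is trigger-started and a standard user can get it running, so the meaningful workstation-side state is Disabled or not installed. The fix that closes the relay itself is LDAPServerIntegrity = 2 on every DC, with LDAP channel binding for LDAPS.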
⚙️ Windows LPE in driver MSKSSRV.SYS
CVE-2023-29360 is a Local Privilege Escalation (LPE) vulnerability found in the mskssrv driver. It allows attackers to gain direct access to kernel memory by exploiting improper validation of a user-supplied value.
🌐 PoC:
https://github.com/Nero22k/cve-2023-29360
📝 Research:
https://big5-sec.github.io/posts/CVE-2023-29360-analysis/
#windows #lpe #driver #mskssrv