CVE-2022-0995

This is my exploit for CVE-2022-0995, an heap out-of-bounds write in the watch_queue Linux kernel component.

It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.

The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable, you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.

https://github.com/Bonfee/CVE-2022-0995

#linux #lpe #exploit #cve

CVE-2022-27666

This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.

Research:
https://etenal.me/archives/1825

Exploit:
https://github.com/plummm/CVE-2022-27666

#ubuntu #lpe #linux

И ещё одна новая картошка! RasMan service for privilege escalation

https://github.com/crisprss/RasmanPotato

#git #lpe #soft #pentest #redteam

🔧 Windows LPE via StorSvc Service

StorSvc is a service which runs as NT AUTHORITY\SYSTEM and tries to load the missing SprintCSP.dll DLL when triggering the SvcRebootToFlashingMode RPC method locally.

PoC:
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc

#windows #lpe #storsvc #service

В семействе картошек пополнение - GodPotato. Windows LPE:
* Windows Server 2012 - Windows Server 2022 ;
* Windows8 - Windows 11

https://github.com/BeichenDream/GodPotato

#git #soft #lpe

#ad #relay #webdav #ldap

[ DavRelayUp ]

A  port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order achieve #LPE in domain-joined windows workstations where LDAP signing is not enforced.

Thanks to: Руслан

https://github.com/Dec0ne/DavRelayUp

⚙️ Windows LPE in driver MSKSSRV.SYS

CVE-2023-29360 is a Local Privilege Escalation (LPE) vulnerability found in the mskssrv driver. It allows attackers to gain direct access to kernel memory by exploiting improper validation of a user-supplied value.

🌐 PoC:
https://github.com/Nero22k/cve-2023-29360

📝 Research:
https://big5-sec.github.io/posts/CVE-2023-29360-analysis/

#windows #lpe #driver #mskssrv

Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911)

https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

POC: https://github.com/leesh3288/CVE-2023-4911

#expdev #linux #lpe #Alexs3y

🍀 MSIFortune - Local Privilege Escalation with MSI Installers

MSI installers are still pretty alive today. It is a lesser known feature, that a low privileged user can start the repair function of an installation which will run with SYSTEM privileges. What could go wrong? Quite a lot!

The repair function often triggers CustomActions, which can lead to several potential issues:

— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Directly actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abusing
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner

🌐 Details:
https://badoption.eu/blog/2023/10/03/MSIFortune.html

#windows #msi #lpe

🥔 Coerced Potato

New tool for local privilege escalation on a Windows machine, from a service account to NT SYSTEM. Should work on any recent versions of Windows.

⚙️ Tool:
https://github.com/hackvens/CoercedPotato

📝 Research:
https://blog.hackvens.fr/articles/CoercedPotato.html

#windows #lpe #seimpersonateprivilege #potato

CVE-2024-26229: Windows LPE

PATCHED: Apr 9, 2024

https://github.com/RalfHacker/CVE-2024-26229-exploit

P.S. Чуть поправил оригинальный эксплоит

#git #exploit #lpe #pentest #redteam

🔥 VMware vCenter Server RCE + PrivEsc

Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol. They could allow a bad actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet.

— CVE-2024-37079: A heap-overflow vulnerability in the DCERPC protocol implementation of vCenter Server that allows a malicious actor with network access to send specially crafted packets, potentially leading to remote code execution. (CVSS v3.1 score: 9.8 "critical");

— CVE-2024-37080: Another heap overflow vulnerability in the DCERPC protocol of vCenter Server. Similar to CVE-2024-37079, it allows an attacker with network access to exploit heap overflow by sending crafted packets, potentially resulting in remote code execution. (CVSS v3.1 score: 9.8 "critical");

— CVE-2024-37081: This vulnerability arises from a misconfiguration of sudo in vCenter Server, permitting an authenticated local user to exploit this flaw to elevate their privileges to root on the vCenter Server Appliance. (CVSS v3.1 score: 7.8 "high").

Nuclei Template (PoC):
🔗 https://gist.github.com/tothi/0ff034b254aca527c3a1283ff854592a

Shodan

product:"VMware vCenter Server"

FOFA

app="vmware-vCenter"

#vmware #vcenter #rce #lpe #cve

CVE-2024-30088: Windows LPE

PATCHED: June 11, 2024

https://github.com/tykawaii98/CVE-2024-30088

P.S. Протестил на Win11, работает

#git #exploit #lpe #pentest #redteam

🥔 DeadPotato

This is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.

🔗 Source:
https://github.com/lypd0/DeadPotato

#windows #lpe #potato #seimpersonate

🖼 AnyDesk — Local Privilege Escalation (CVE-2024-12754)

A vulnerability in AnyDesk allows low-privileged users to perform arbitrary file read and copy operations with NT AUTHORITY\SYSTEM privileges. Exploitation is possible by manipulating the background image, creating symbolic links, and leveraging ShadowCopy, granting access to SAM, SYSTEM, and SECURITY files, ultimately leading to privilege escalation to administrator.

🔗 Source:
https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754

#windows #anydesk #lpe #cve

CVE-2025-33073: Reflective Kerberos Relay (LPE)

Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

Patched: June 10, 2025

Интересная LPE с релеем на себя... Даже CVE есть)

#lpe #ad #relay #pentest #redteam