Ralf Hacker Channel
CVE-2024-1086: Linux LPE

https://github.com/notselwyn/cve-2024-1086

The exploit affects versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>. The patches for these versions were released in Feb 2024. The underlying vulnerability affects all versions (excluding patched stable branches) from v3.15 to v6.8-rc1.


#pentest #redteam #exploit #lpe
CVE-2024-30088: Windows LPE

PATCHED: June 11, 2024

https://github.com/tykawaii98/CVE-2024-30088

P.S. Tested on Win11, works

P.P.S. @Acrono: Tested on Win10 22H2 (19045) and on Win Server 2019, all good!


#git #exploit #lpe #pentest #redteam
Yet another potato :) It abuses RPCSS in DCOM during OXID handling

https://github.com/lypd0/DeadPotato

#lpe #potato #ad #pentest #redteam
FakePotato has been registered as CVE-2024-38100. DCOM again, used to bypass the security context...

https://decoder.cloud/2024/08/02/the-fake-potato/

Marked as "Important LPE", but patched in July... MS being MS 😅😂

#pentest #redteam #lpe #ad
CVE-2024-48990: Linux LPE via needrestart

PATCHED: Nov 19, 2024

PoC: https://github.com/makuga01/CVE-2024-48990-PoC

Info: https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

P.S. Although the privesc requires waiting for needrestart to run (it starts, for example, on apt upgrade), the patch is only three days old and has not yet been added to all Debian repos :)

#exploit #pentest #redteam #lpe #linux
CVE-2024-38193: Windows LPE

PATCHED: August 13, 2024

https://github.com/Nephster/CVE-2024-38193

Upd.: https://github.com/killvxk/CVE-2024-38193-Nephster

P.S. Tested on Win11, works

#git #exploit #lpe #pentest #redteam
CVE-2024-49138: Windows LPE in CLFS.sys

PATCHED: Dec 10, 2024

https://github.com/MrAle98/CVE-2024-49138-POC

Tested on Windows 11 23h2


UPD. Waiting for the research...

#git #exploit #lpe #pentest #redteam
Forwarded from APT
🖼 AnyDesk — Local Privilege Escalation (CVE-2024-12754)

A vulnerability in AnyDesk allows low-privileged users to perform arbitrary file read and copy operations with NT AUTHORITY\SYSTEM privileges. Exploitation is possible by manipulating the background image, creating symbolic links, and leveraging ShadowCopy, granting access to SAM, SYSTEM, and SECURITY files, ultimately leading to privilege escalation to administrator.

🔗 Source:
https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754

#windows #anydesk #lpe #cve
CVE-2025-21420: Windows LPE (cleanmgr.exe DLL sideload)

PoC: https://github.com/Network-Sec/CVE-2025-21420-PoC

P.S. The LPE is so-so, of course, but the sideload is worth noting :)

#lpe #git #exploit #pentest #redteam
Ralf Hacker Channel
CVE-2025-33073: Reflective Kerberos Relay (LPE) Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/ Patched: June 10, 2025 An interesting LPE with a relay to itself... It even has a CVE :) #lpe #ad #relay #pentest #redteam
Continuing the same topic of CVE-2025-33073...

https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

Another piece of research, this time from Synacktiv. Only in their case it is not an LPE but an Auth RCE as SYSTEM (if SMB signing is not required on the machine).

Even though CVE-2025-33073 is referred by Microsoft as an elevation of privilege, it is actually an authenticated remote command execution as SYSTEM on any machine which does not enforce SMB signing.


#rce #lpe #ad #relay #pentest #redteam
CVE-2025-32463: sudo 1.9.14-1.9.17 LPE

Blog + exploit: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Patched: June 28, 2025

#lpe #linux #pentest #redteam
CVE-2025-48799: Windows Update Service LPE

PoC: https://github.com/Wh04m1001/CVE-2025-48799

Patched: July 8, 2025

This vulnerability affects Windows clients (Win11/Win10) with at least 2 hard drives.


#lpe #windows #pentest #redteam