Notes about Windows Privilege Escalation

I need to research and understand Windows privilege escalation better, so this is the beginning of the journey.

Links to a couple of web pages that I have found to be great:

accesschk.exe from the Sysinternals Suite

While looking more closely at the Windows Privilege Escalation Python script, I was curious how the latest Windows patches were discovered and cross-checked against Metasploit. I found that the following link takes you to an Excel spreadsheet containing all of the Windows security bulletins:

From the spreadsheet I extracted some of the privilege escalation KB numbers…
KiTrap0D – KB979682
MS10-021 – KB979683
MS10-059 – KB982799
MS11-011 – KB2393802
MS11-080 – KB2592799
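To make the KB list above usable for patch auditing, here is a small added script (my own example, not code from the page or from the Python script mentioned above) that parses the hotfix section of `systeminfo` or `wmic qfe` output and reports which of these five patches are absent. The host output is a constructed sample; the KB-to-bulletin mapping is taken from the list above.

```python
import re

# KB numbers from the bulletin spreadsheet, mapped to the bulletin or
# exploit name they patch (as listed in the notes above).
PRIVESC_KBS = {
    "KB979682": "KiTrap0D",
    "KB979683": "MS10-021",
    "KB982799": "MS10-059",
    "KB2393802": "MS11-011",
    "KB2592799": "MS11-080",
}

# Constructed sample of the hotfix section of `systeminfo` output;
# not captured from a real host.
SAMPLE_SYSTEMINFO = """\
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB979682
                           [02]: KB982799
                           [03]: KB2393802
                           [04]: KB976902
"""

# Matches KB identifiers in both systeminfo and `wmic qfe` (HotFixID) output.
KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def installed_kbs(text):
    """Return the set of KB identifiers found in hotfix listing output."""
    return {m.upper() for m in KB_RE.findall(text)}


def missing_privesc_patches(text, required=PRIVESC_KBS):
    """Return {KB: bulletin} for required patches not present in the output."""
    present = installed_kbs(text)
    return {kb: name for kb, name in required.items() if kb not in present}


if __name__ == "__main__":
    for kb, name in sorted(missing_privesc_patches(SAMPLE_SYSTEMINFO).items()):
        print(f"MISSING {kb} ({name})")
```

Feed it the real `systeminfo` output from a host to get the list of privilege escalation patches still to be deployed.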

Pulled from Metasploit, the local exploit modules that can be run (with their ranking):

exploit/windows/local/always_install_elevated – excellent – Windows AlwaysInstallElevated MSI

exploit/windows/local/bypassuac_injection – excellent – Windows Escalate UAC Protection Bypass (In Memory Injection)

exploit/windows/local/ms10_015_kitrap0d – great – Windows SYSTEM Escalation via KiTrap0D

exploit/windows/local/ms10_092_schelevator – excellent – Windows Escalate Task Scheduler XML Privilege Escalation

exploit/windows/local/ms11_080_afdjoinleaf – average – MS11-080 AfdJoinLeaf Privilege Escalation

exploit/windows/local/ms13_005_hwnd_broadcast – excellent – MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation

exploit/windows/local/ms13_053_schlamperei – average – Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

exploit/windows/local/ms13_081_track_popup_menu – average – Windows TrackPopupMenuEx Win32k NULL Page

exploit/windows/local/ms13_097_ie_registry_symlink – great – MS13-097 Registry Symlink IE Sandbox Escape

exploit/windows/local/ms14_009_ie_dfsvc – great – MS14-009 .NET Deployment Service IE Sandbox Escape

exploit/windows/local/ms_ndproxy – average – MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

exploit/windows/local/ppr_flatten_rec – average – Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation

exploit/windows/local/trusted_service_path – excellent – Windows Service Trusted Path Privilege Escalation

exploit/windows/local/virtual_box_guest_additions – average – VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation

post/windows/escalate – also look at these post-exploitation modules…

Pulled from the exploitdb files.csv list on Kali Linux with the following (bulletins MS0x/MS1x whose title mentions escalation or elevation):
root@p9jer5:/usr/share/exploitdb# grep -e "MS0" -e "MS1" files.csv | grep -i -e "escala" -e "elevation"
