Windows Cloud Files Mini Filter Driver Elevation of Privilege
CVE-2020-17103 is a local privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically in the HsmOsBlockPlaceholderAccess routine. The provided content indicates the flaw was originally reported by James Forshaw of Google Project Zero in 2020 and associated with improper handling during registry key creation in a code path that can open the .DEFAULT user hive. Supporting reporting states the vulnerable logic failed to enforce normal access checks when creating/opening registry keys, and that exploitation relies on a race condition involving token switching or impersonation state changes so that a low-privileged user can cause privileged code to operate on the wrong security context. The issue has been publicly weaponized as MiniPlasma to spawn a SYSTEM shell, and the content further claims the original proof-of-concept remained effective on fully patched Windows 11 systems as of May 2026, suggesting an incomplete fix or regression.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a real local privilege escalation exploit implementation for CVE-2020-17103, presented as a modified version of MiniPlasma adapted for in-memory/C2-style use. It is not a scanner or detector. The project is a Visual Studio C#/.NET Framework 4.8 solution with two meaningful code components: Program.cs is the main exploit, and MiniRunner.cs is a small helper launcher intended to run as SYSTEM. The rest of the repository is mostly project metadata, package manifests, and bundled NuGet build files for Costura.Fody, Fody, and TaskScheduler.

Program.cs performs the exploit chain locally on Windows. It uses NtApiDotNet and direct registry object access to manipulate security descriptors on .DEFAULT registry keys, creates a symbolic link from CloudFiles\BlockedApps to .DEFAULT\Volatile Environment, repeatedly calls CfAbortOperation from cldapi.dll, and coordinates timing with background threads that monitor registry changes and impersonation behavior. After preparing the registry state, it sets the .DEFAULT\Volatile Environment\windir value to an attacker-controlled directory under C:\ProgramData\mp_<id>. It then creates a fake System32 subdirectory there and drops the embedded helper binary as wermgr.exe. Next it runs the scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, which causes Windows Error Reporting to resolve and execute the attacker-controlled wermgr.exe path under SYSTEM. The exploit uses a per-run named pipe and a config file in C:\ProgramData to coordinate between the main process and the helper.

MiniRunner.cs is the second-stage helper. It reads C:\ProgramData\mp_*.cfg to obtain the named pipe name and payload path, connects to the named pipe, derives the session ID, duplicates its own SYSTEM token, sets the token session to the interactive user session, and launches the chosen payload with CreateProcessAsUserW. This gives the operator a SYSTEM process on the user desktop. By default the payload path is C:\Windows\System32\conhost.exe, but the README indicates an arbitrary executable path can be supplied on the command line.

Repository structure: MiniPlasma.csproj and MiniPlasma.sln define the build; Program.cs is the main exploit entry point; MiniRunner.cs is a separately compiled helper that becomes runner.bin and is embedded as a resource; README.md explains the adaptation for execute-assembly/C2 usage and build steps; packages.config and the packages/ tree provide dependencies and build-time embedding support.

Overall purpose: a weaponized adaptation of a public Windows LPE PoC into an operational memory-friendly runner that briefly drops only a tiny helper to disk, then cleans up artifacts after spawning a SYSTEM payload.
This repository is a small standalone Visual Studio C# proof-of-concept named MiniPlasma. It contains one executable project targeting .NET Framework 4.7.2 and depends on NtApiDotNet 1.1.28 for low-level NT token, thread, process, and registry operations. The README explicitly references CVE-2020-17103 and suggests the issue may still be exploitable. Repository structure is minimal: a solution file, one C# project, standard assembly metadata, app config, NuGet package metadata, and a single substantive source file (Program.cs). All exploit logic resides in Program.cs.

The exploit is a local Windows EoP PoC centered on Cloud Files API behavior. It imports CfAbortOperation and CfGetPlatformInfo from cldapi.dll, verifies platform support, and then executes a staged workflow. Stage0 spawns the same executable multiple times with stage arguments. Stage1 starts a registry change watcher thread and a second thread that continuously toggles an anonymous impersonation token on the current thread, then repeatedly calls CfAbortOperation in a tight loop. This strongly suggests a race/impersonation attack intended to influence how privileged registry operations are performed. Stage2 opens the CloudFiles policy key under \Registry\User\.DEFAULT\Software\Policies\Microsoft\CloudFiles, weakens/modifies its security descriptor, recursively deletes subkeys, and creates a registry symbolic link so that BlockedApps points to \Registry\User\.DEFAULT\DEMODEMO. It then re-enters the Stage1 race loop. Stage3 removes the symbolic link and resets security on the target key. Supporting functions recursively delete registry trees, forcibly reopen keys with different access rights, and set permissive DACL/mandatory label security descriptors.

There are no network callbacks, C2 endpoints, or remote targets. The only fingerprintable targets are local Windows registry paths and the Cloud Files DLL. Overall, this is a genuine local privilege-escalation PoC for arbitrary registry key manipulation via Cloud Files abort hydration behavior, not a scanner or detection script.
This repository is a small Visual Studio C# proof-of-concept named MiniPlasma. It contains one executable project targeting .NET Framework 4.7.2 and using the NtApiDotNet library for low-level Windows object, token, thread, process, and registry operations. The README explicitly references CVE-2020-17103 and suggests the technique still works. Repository structure is minimal: a solution file, one C# project, config files, and a single substantive source file (Program.cs).

Program.cs implements a staged local exploit flow. Stage0 launches additional instances of the same executable with arguments 1, 2, and 3. Stage1 starts a registry change-monitoring thread and a racing impersonation thread that repeatedly sets and clears an anonymous impersonation token on the current thread while continuously calling CfAbortOperation via cldapi.dll. Stage2 opens the CloudFiles policy registry key under HKU\.DEFAULT, weakens its security descriptor, recursively deletes subkeys, then creates a registry symbolic link from CloudFiles\BlockedApps to \Registry\User\.DEFAULT\DEMODEMO before invoking Stage1 again. Stage3 removes the symbolic link and resets security on the target key.

Core capabilities include: opening registry keys with fallback anonymous impersonation, forcibly changing DACL/mandatory label security descriptors, recursively deleting registry trees, creating registry symbolic links, monitoring registry changes, spawning helper stages, and invoking Cloud Files API functions CfGetPlatformInfo and CfAbortOperation. There is also an alternate code path that accepts credentials and impersonates a supplied logon token before calling CfAbortOperation. No network communication, C2, or remote delivery is present. The exploit is strictly local and functions as an elevation-of-privilege/arbitrary registry key manipulation PoC rather than a full weaponized exploit with a post-exploitation payload such as a shell.

The most fingerprintable artifacts are the CloudFiles-related registry paths, the target DEMODEMO registry key, and the dependency on cldapi.dll.
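The three summaries above name the host artifacts these MiniPlasma variants leave behind: a registry symbolic link under CloudFiles\BlockedApps pointing back into HKU\.DEFAULT, a redirected .DEFAULT\Volatile Environment\windir value, a wermgr.exe outside C:\Windows\System32, and a per-run C:\ProgramData\mp_<id>.cfg. As an added example that is not from this page or from the MiniPlasma project, the following Python encodes those artifacts as detection rules and runs them over constructed Sysmon-style events; the event field names (type, target, details) are an assumption and would be mapped from a real sensor's schema.

```python
import re

# Constructed, Sysmon-like event shape: type (registry|file|process), target, details
BLOCKEDAPPS_LINK = "\\software\\policies\\microsoft\\cloudfiles\\blockedapps\\symboliclinkvalue"
DEFAULT_WINDIR = "hku\\.default\\volatile environment\\windir"
MP_CFG = re.compile(r"c:\\programdata\\mp_[^\\]+\.cfg")

def blockedapps_symlink(e):
    # Symbolic link written under CloudFiles\BlockedApps that points back into HKU\.DEFAULT
    return (e["type"] == "registry" and e["target"].lower().endswith(BLOCKEDAPPS_LINK)
            and "\\registry\\user\\.default\\" in e["details"].lower())

def windir_redirect(e):
    # .DEFAULT\Volatile Environment\windir pointed anywhere but the real Windows directory
    return (e["type"] == "registry" and e["target"].lower() == DEFAULT_WINDIR
            and not e["details"].lower().startswith("c:\\windows"))

def wermgr_outside_system32(e):
    # wermgr.exe dropped or executed from a path other than C:\Windows\System32
    p = e["target"].lower()
    return (e["type"] in ("file", "process") and p.endswith("\\wermgr.exe")
            and not p.startswith("c:\\windows\\system32\\"))

def mp_config_file(e):
    # Per-run helper config C:\ProgramData\mp_<id>.cfg that hands the pipe name to the helper
    return e["type"] == "file" and MP_CFG.fullmatch(e["target"].lower()) is not None

RULES = [("cloudfiles_blockedapps_symlink", blockedapps_symlink),
         ("default_hive_windir_redirect", windir_redirect),
         ("wermgr_outside_system32", wermgr_outside_system32),
         ("programdata_mp_config", mp_config_file)]

def match_rules(e):
    return [name for name, pred in RULES if pred(e)]

def scan(events):
    # (index, rule names) for every event that trips at least one rule
    return [(i, hits) for i, e in enumerate(events) if (hits := match_rules(e))]

# Constructed sample events: the first four mimic the chain summarised above, the last two are benign
SAMPLE_EVENTS = [
    {"type": "registry", "details": "\\Registry\\User\\.DEFAULT\\Volatile Environment",
     "target": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps\\SymbolicLinkValue"},
    {"type": "registry", "target": "HKU\\.DEFAULT\\Volatile Environment\\windir", "details": "C:\\ProgramData\\mp_1a2b"},
    {"type": "file", "target": "C:\\ProgramData\\mp_1a2b\\System32\\wermgr.exe", "details": ""},
    {"type": "file", "target": "C:\\ProgramData\\mp_1a2b.cfg", "details": ""},
    {"type": "process", "target": "C:\\Windows\\System32\\wermgr.exe", "details": ""},
    {"type": "registry", "target": "HKU\\.DEFAULT\\Volatile Environment\\windir", "details": "C:\\Windows"},
]
```

Each rule keys on an artifact the page itself lists, so a legitimate wermgr.exe launch from System32 or an unchanged windir value produces no hit.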
Recent activity
35 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.
A Windows Cloud Files Mini Filter Driver local privilege escalation vulnerability originally reported in 2020 and supposedly fixed as CVE-2020-17103, but described here as still reachable on fully patched Windows 11 and republished as MiniPlasma.
An exploit for CVE-2020-17103, a Windows Cloud Files Mini Filter Driver elevation-of-privilege flaw that reportedly remains exploitable on fully updated Windows 11 systems despite a prior Microsoft patch.
A Windows local privilege escalation vulnerability in cldflt.sys (Windows Cloud Files Mini Filter Driver) that allows attackers to obtain SYSTEM privileges on fully patched Windows systems; the article suggests it is the same issue as or a regression/failure to properly fix CVE-2020-17103.
A Windows local privilege escalation vulnerability in the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine that can allow unprivileged users to gain SYSTEM privileges on fully patched Windows systems.
A Windows local privilege escalation zero-day in the Cloud Files Mini Filter Driver (cldflt.sys) that can grant SYSTEM privileges on fully patched Windows systems. The issue is described as the same underlying flaw believed to have been fixed under CVE-2020-17103, but reportedly remains unpatched.
A severe local privilege escalation vulnerability in the Windows cldflt.sys driver that allows a standard user to gain the highest local privileges on Windows systems.