Windows BITS Elevation of Privilege via Improper Symlink Handling

This repository contains a C++ exploit for CVE-2020-0787, a vulnerability in the Microsoft Windows Background Intelligent Transfer Service (BITS) that allows for arbitrary file move operations with SYSTEM privileges. The exploit is structured as a Visual Studio solution with three main projects: BitsArbitraryFileMove (core logic), BitsArbitraryFileMoveExploit (exploit entry point), and CommonUtils (utility functions for file and symlink manipulation). The exploit works by creating a workspace with specific directories and files, setting up mount points and symlinks, and abusing BITS jobs to move an attacker-controlled file (such as a DLL) into a protected system directory (e.g., C:\Windows\System32). This can be used for privilege escalation or arbitrary code execution as SYSTEM. The README provides usage examples, including executing arbitrary commands via named pipes and running a payload executable. The code is operational and provides a working exploit chain for local privilege escalation on Windows systems vulnerable to CVE-2020-0787.

This repository implements a local privilege escalation exploit for CVE-2020-0787, targeting all supported versions of Microsoft Windows. The exploit leverages the Background Intelligent Transfer Service (BITS) and a series of mount point and symbolic link manipulations to move an attacker-controlled file (such as a DLL) into a protected directory (e.g., C:\Windows\System32) with SYSTEM privileges. The repository is structured as a Visual Studio solution with three main projects: the core exploit logic (BitsArbitraryFileMove), a utility library (CommonUtils), and an exploit runner (BitsArbitraryFileMoveExploit). The exploit works by preparing a workspace, creating mount points and symlinks, setting oplocks, and manipulating BITS jobs to achieve the file move as SYSTEM. The code is written in C++ and is operational, providing a working exploit chain rather than just a proof of concept. The main entry points are BitsArbitraryFileMove.cpp and BitsArbitraryFileMoveExploit.cpp. The exploit requires local access and sufficient privileges to create directories and symlinks, and it targets the Windows platform broadly. No network endpoints are involved; all actions are performed locally on the filesystem and via Windows internal object manager paths.