Microsoft Windows Tracing Registry Key ACL Privilege Escalation Exploit (MS10-059)

This module exploits incorrect access control lists (ACLs) on the Registry keys for the Tracing Feature for Services. By modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc Registry key, it is possible for a limited account with impersonation privileges to force a SYSTEM service (IpHlpSvc) to connect to a controlled named pipe, and then impersonate IpHlpSvc in order to run arbitrary code with SYSTEM privileges. This module allows an agent running under an account with impersonation rights, like NETWORK SERVICE (for example, an agent running with the privileges of IIS 7.0 Worker Process on Windows Server 2008 SP2) to gain SYSTEM privileges.
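A defensive check for the weak ACL described above, as an added example that is not part of the original module or advisory: it lists allow entries on the Tracing key and its subkeys that grant write-type rights to principals outside a trusted set. The function name and the trusted SID list (SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller) are assumptions to adjust for your baseline.

```powershell
# Added audit example; function name and trusted set are assumptions.
$trustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal change values, add subkeys, or rewrite the ACL.
$rr = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]$rr::SetValue -bor [int]$rr::CreateSubKey -bor
             [int]$rr::ChangePermissions -bor [int]$rr::TakeOwnership -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-TracingKeyWriteAce {
    param([string]$Root = 'HKLM:\SOFTWARE\Microsoft\Tracing')  # key named on this page

    # Check the root key and every subkey (IpHlpSvc is one of them).
    $keys = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        # Ask for SIDs so the comparison does not depend on the OS language.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }

            # Resolve a display name where possible; keep the SID otherwise.
            $name = $ace.IdentityReference.Value
            try {
                $name = $ace.IdentityReference.Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { }

            New-Object PSObject -Property @{
                Key       = $key.Name
                Principal = $name
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-TracingKeyWriteAce | Format-Table Key, Principal, Rights, Inherited -AutoSize
```

Any row naming a low-privileged or service principal on the IpHlpSvc subkey corresponds to the condition this page describes and indicates the MS10-059 update has not tightened the key's ACL.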