Proof of concept exploit for an arbitrary folder move issue in the GamingService component of Xbox.
960b90e5dd57b045b10aa005fae3c30c8da6ba69285fea3ec4273f6b126c64fc
This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
a872f68c00626fe384e850bbe5b416e5a094fcbf5639c9f1deb5248fc85413ca