Hold tight, this may blow your mind…
A low-privileged user account on most Linux operating systems with a UID greater than 2147483647 can execute any systemctl command without authorization, thanks to a newly discovered vulnerability.
The reported vulnerability actually resides in PolicyKit (also known as polkit)—an application-level toolkit for Unix-like operating systems that defines
But there was an additional 11 KB payload call for which I could not find a sample on the drive.
Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded with two XOR passes, and the first part of the decoded stream is shellcode.
Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:
According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability).
I did not get to see the privilege escalation in live conditions.
Note: it's not the first time a public exploit kit has integrated an exploit to escalate the rights of a dropped payload (cf. CVE-2015-2426 in Magnitude).
Files: Fiddler and DLL here (password is malware; XOR keys: 56774347426F664767 then 213404052d09212031). Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time to use their wizardry on this.
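An added example, not code from the post and not the decoder actually used in the analysis: an analyst-side routine that peels off the two XOR passes described above using the two keys quoted, then locates the PE header that should follow the shellcode prefix. It assumes each pass applies its key cyclically from offset 0 in the order given, and the sample input is constructed rather than the real payload.

```python
# Added example (not code from the post): decode a payload protected with two
# repeating-key XOR passes, using the two keys quoted in the post. Assumption:
# each pass applies its key cyclically from offset 0, first key first.
from itertools import cycle

KEY1 = bytes.fromhex("56774347426F664767")  # first XOR key from the post
KEY2 = bytes.fromhex("213404052d09212031")  # second XOR key from the post


def xor_pass(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically; XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_two_pass(data: bytes, keys=(KEY1, KEY2)) -> bytes:
    """Undo both passes, peeling them off in reverse order."""
    for key in reversed(keys):
        data = xor_pass(data, key)
    return data


def combined_key(k1: bytes, k2: bytes) -> bytes:
    """Two cyclic passes with equal-length keys collapse to one pass with k1^k2,
    so the order of the passes does not matter for such keys."""
    if len(k1) != len(k2):
        raise ValueError("keys of different length do not combine this simply")
    return bytes(a ^ b for a, b in zip(k1, k2))


def find_embedded_pe(decoded: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', else -1.
    The post says shellcode precedes the DLL, so the PE should sit past 0."""
    pos = decoded.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(decoded):
            e_lfanew = int.from_bytes(decoded[pos + 0x3C:pos + 0x40], "little")
            if e_lfanew > 0 and decoded[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = decoded.find(b"MZ", pos + 1)
    return -1


def build_constructed_sample() -> bytes:
    """Constructed stand-in, not the real payload: 16 filler 'shellcode' bytes
    then a minimal fake MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    return bytes(range(0xE8, 0xF8)) + stub
```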