Yuri08loveElaina/CVE-2025-49667

CVE-2025-49667 — Win32k Privilege Escalation Exploit

Exploit Status
✔ Tested: Windows 10
✘ Not Working: Windows 11


🧭 Table of Contents

  1. Vulnerability Details
  2. Affected Systems
  3. Exploit Workflow
  4. Compilation Instructions
  5. Exploit Output Example
  6. Exploit Flow Diagram
  7. Notes
  8. Disclaimer

🔥 Vulnerability Details

  • CVE ID: CVE-2025-49667 | MITRE
  • Type: Double Free (CWE-415)
  • Component: Windows Win32 Kernel Subsystem (win32k.sys)
  • Impact: Local Privilege Escalation (LPE → SYSTEM)
  • CVSS Score: 7.8 (High)
  • Attack Vector: Local, low-complexity exploit

💻 Affected Systems

  • ✔ Windows 10 (1909 → 22H2)
  • ✘ Windows 11 (patched by default)
  • ✘ Windows Server (partially mitigated)

⚑ Exploit Workflow

  1. Trigger vulnerable syscall in win32k.sys.
  2. Force a double free on kernel memory object.
  3. Reallocate freed memory with controlled data.
  4. Overwrite kernel function pointer.
  5. Escalate to NT AUTHORITY\SYSTEM.

🛠 Compilation Instructions

  • With the Visual Studio Developer Command Prompt:
cl.exe /EHsc /O2 /std:c++17 /DWIN32 /D_WINDOWS /DNDEBUG exploit.cpp /link ntdll.lib winhttp.lib psapi.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /MACHINE:X64 /SUBSYSTEM:CONSOLE
  • With MinGW-w64:
g++ -O2 -std=c++17 -m64 -DWIN32 -D_WINDOWS -DNDEBUG -o exploit.exe exploit.cpp -lntdll -lwinhttp -lpsapi -lkernel32 -luser32 -lgdi32 -lwinspool -lcomdlg32 -ladvapi32 -lshell32 -lole32 -loleaut32 -luuid -lodbc32 -lodbccp32
  • Run with:
exploit.exe

📟 Exploit Output Example

C:\Users\yuri08> whoami
yuri08

C:\Users\yuri08> exploit.exe
[*] Triggering double free...
[*] Overwriting function pointer...
[*] Gaining SYSTEM privileges...
[+] Exploit successful!

C:\Windows\system32> whoami
nt authority\system

📜 Exploit Flow Diagram

+-----------------------+
| Userland Process      |
+----------+------------+
           |
           v
+-----------------------+
| Call vulnerable API   |
| (win32k.sys)          |
+----------+------------+
           |
   Double Free Trigger
           |
           v
+-----------------------+
| Kernel Object Freed   |
+----------+------------+
           |
   Fake Object Spray
           |
           v
+-----------------------+
| Overwrite Func Ptr    |
+----------+------------+
           |
   SYSTEM Privileges
           |
           v
+-----------------------+
| NT AUTHORITY\SYSTEM   |
+-----------------------+

πŸ“ Notes

  • Requires local access (no remote vector).

  • Works reliably on Windows 10 pre-patch.

  • May cause BSOD if heap spray fails.

  • Debug with WinDbg: !analyze -v

⚠ Disclaimer

  • This exploit code and documentation are provided strictly for educational and research purposes only.
  • Do not use on systems without explicit authorization.
  • You are fully responsible for your actions.

🕶 Stay safe, hack the planet responsibly.