Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30051 is an elevation-of-privilege (EoP) vulnerability in the Windows Desktop Window Manager (DWM) Core Library (dwmcore.dll). Microsoft classifies it as a DWM Core Library EoP flaw; successful exploitation lets a local attacker gain SYSTEM privileges. The bug was exploited in the wild as a zero-day before Microsoft shipped a fix in the May 14, 2024 Patch Tuesday release. Researchers confirmed it as a genuine DWM zero-day after reviewing exploit-related material and later observed the exploit being used alongside QakBot and other malware. The advisories and write-ups tracked here do not give the vulnerable function, root cause, or patch-diff-level internals; the exploit summaries below name CCommandBuffer::Initialize as the triggered path, but that attribution comes from the repositories' own READMEs rather than from a vendor advisory.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a working local privilege escalation exploit for CVE-2024-30051, a heap-based buffer overflow in the Windows Desktop Window Manager core library (dwmcore.dll). It is not part of a larger exploit framework; it is a standalone Visual Studio solution with two main code components: (1) exploit/exploit_src/main.cpp, the exploit executable, and (2) exploit/payload/dllmain.cpp, a DLL payload that dwm.exe loads after successful exploitation. Supporting files include the Visual Studio project/solution metadata, a setup.bat helper that copies the built DLL to the hardcoded location the exploit expects, and markdown documents covering root cause, heap-spray reliability, and the disclosure timeline.

The exploit's main capability is local EoP from an unprivileged user to SYSTEM integrity by abusing DirectComposition/DWM internals. Based on the README and visible code, main.cpp sprays the heap and creates holes, hooks DirectComposition-related behavior, triggers the vulnerable path in CCommandBuffer::Initialize, and detects success by watching for a new cmd.exe process spawned as a child of dwm.exe. It logs session activity to %TEMP%\cve_30051_log.txt and retries automatically up to MAX_ATTEMPTS. The working payload chain and the retry automation make this an operational exploit rather than a bare PoC, although the payload path and behavior are largely hardcoded.

The payload DLL is simple. When loaded into dwm.exe, DllMain writes a temporary batch script to %TEMP%\cve30051_shell.bat, launches it via cmd.exe on the interactive desktop WinSta0\Default, prints the privilege context with whoami, opens an interactive shell, and then schedules cleanup that deletes both the dropped DLL at C:\Users\Public\Documents\s11.dll and the batch file. The end goal is therefore arbitrary code execution at elevated privilege, specifically an interactive SYSTEM shell.

Fingerprintable artifacts are local file paths and process relationships rather than network indicators. The most useful are the hardcoded DLL path C:\Users\Public\Documents\s11.dll, the log file %TEMP%\cve_30051_log.txt, the temporary script %TEMP%\cve30051_shell.bat, and the parent/child relationship between dwm.exe and cmd.exe. Two caveats for anyone hunting on these: the payload runs inside dwm.exe, so its %TEMP% resolves in dwm.exe's environment rather than in the attacker's user profile, and the scheduled cleanup deletes the DLL and batch file, so file-based detection has to catch the create or image-load event rather than rely on a later disk scan. No C2, remote callback, or external network endpoint is present in the exploit logic shown. Overall, the repository is a well-documented standalone Windows local exploit with a bundled payload and analysis material.
This repository is a standalone Visual Studio exploit project for CVE-2024-30051, a local Windows Desktop Window Manager heap overflow leading to elevation of privilege. It is not part of a framework. The repository contains: (1) a main exploit project in exploit/exploit_src/main.cpp, (2) a payload DLL project in exploit/payload/dllmain.cpp, (3) a helper deployment script setup.bat, and (4) markdown analysis documents describing root cause, heap-spray reliability, and the disclosure timeline.

The main exploit is a local EoP against DWM/dwmcore.dll. Based on the README and code comments, it uses DirectComposition/D3D/D2D-related APIs, heap spraying, hole creation, and in-process hooking around DWM composition commit/batch processing to reach the vulnerable CCommandBuffer::Initialize path. It carries operational features rather than being a minimal PoC: configurable spray parameters, automatic retry up to 10 attempts, session logging to %TEMP%\cve_30051_log.txt, success detection by enumerating processes and checking for a new cmd.exe associated with DWM activity, and a completion MessageBox summary.

The payload is a separate DLL compiled as s11.dll. Successful exploitation causes dwm.exe to load it from the hardcoded path C:\Users\Public\Documents\s11.dll. In DllMain, the payload writes a temporary batch file to %TEMP%\cve30051_shell.bat, launches it via cmd.exe on the interactive desktop WinSta0\Default, displays identity, integrity, and privilege information, opens an interactive command shell, and then schedules deletion of both the DLL and the batch file. This makes the repository an operational local privilege-escalation exploit with a bundled post-exploitation payload. The repository is small and focused: 16 files in total, primarily C++, Visual Studio project metadata, one batch helper, and three analysis markdown documents.

The likely execution flow is: build the payload -> copy s11.dll to the hardcoded Public Documents path via setup.bat -> build and run C26f.exe as a standard user -> the exploit performs heap manipulation and triggers the overflow -> dwm.exe loads the DLL -> the payload spawns a visible elevated shell. No external C2 or network beacons are present; the attack vector is purely local.
This repository contains a detailed technical write-up and a functional proof-of-concept (PoC) exploit for CVE-2024-30051, a heap-based buffer overflow in the Windows DWM core library (dwmcore.dll). The vulnerability allows a local, unprivileged attacker to escalate privileges to SYSTEM by exploiting a flaw in the CCommandBuffer::Initialize method. The repository is structured as a Visual Studio C++ project, with the main exploit logic in 'main.cpp' under the 'Introduccion_C1_C2' directory. Build artifacts and logs are present in the x64/Debug and x64/Release subdirectories, and the compiled exploit is output as C26f.exe. The README.md provides an in-depth analysis of the vulnerability, the reverse engineering steps, and the exploitation methodology, including heap spraying, triggering the overflow, and redirecting execution to LoadLibraryA to load a crafted DLL or spawn a SYSTEM-level CMD process. The exploit targets unpatched Windows 10/11 systems (pre-KB5037771; note that KB5037771 is the May 2024 cumulative update for Windows 11 22H2/23H2, and other supported builds received the same fix under their own KB numbers) and requires local execution. No network endpoints are involved; all actions are performed locally on the target system. The PoC demonstrates successful privilege escalation by executing a command prompt in the security context of dwm.exe, i.e. as the DWM service account (Window Manager\DWM-n) at System integrity level, which is what the payload's whoami output shows.
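The three summaries above name the same host artifacts: a DLL dropped at C:\Users\Public\Documents\s11.dll, a batch script and a log file with fixed names, and cmd.exe spawned directly by dwm.exe. The following is an added detection example, not code from Mallory or from any of the exploit repositories. It runs the corresponding checks over constructed Sysmon-style records (Event ID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate, using Sysmon's real field names) so it can be exercised offline; the records themselves are made up. Two choices go beyond the page and are assumptions: any child process of dwm.exe is treated as anomalous (the PoCs only describe cmd.exe), and a DLL load by dwm.exe from under C:\Users\ or C:\ProgramData\ is flagged regardless of filename, since a rebuilt payload could trivially change its name.

```python
"""Host-artifact detection for the CVE-2024-30051 PoCs described on this page.

Added example; not code from Mallory or from the exploit repositories. The
events below are constructed Sysmon-style records, not an export from a host.
"""
import re

# Hardcoded artifacts named in the repository summaries on this page.
# \b instead of $ so a quoted path inside a command line still matches.
ARTIFACT_PATTERNS = {
    "exploit session log": re.compile(r"\\cve_30051_log\.txt\b", re.I),
    "payload batch script": re.compile(r"\\cve30051_shell\.bat\b", re.I),
    "dropped payload DLL": re.compile(r"\\users\\public\\documents\\s11\.dll\b", re.I),
}

TARGET_PROCESS = "dwm.exe"
# Assumption (not from the page): dwm.exe should never load code from here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def _basename(path: str) -> str:
    """Last path component, lower-cased; '' for an empty path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _artifact_hits(text: str) -> list[str]:
    return [label for label, pat in ARTIFACT_PATTERNS.items() if pat.search(text)]


def check_event(ev: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing matched."""
    findings: list[str] = []
    eid = ev.get("EventID")

    if eid == 1:  # ProcessCreate
        # Assumption: dwm.exe spawning *any* child is anomalous; the PoCs use cmd.exe.
        if _basename(ev.get("ParentImage", "")) == TARGET_PROCESS:
            findings.append(f"{TARGET_PROCESS} spawned {_basename(ev.get('Image', ''))}")
        for label in _artifact_hits(ev.get("CommandLine", "")):
            findings.append(f"command line references {label}")

    elif eid == 7:  # ImageLoad
        if _basename(ev.get("Image", "")) == TARGET_PROCESS:
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(f"{TARGET_PROCESS} loaded a DLL from a user-writable path: {loaded}")
            for label in _artifact_hits(loaded):
                findings.append(f"{TARGET_PROCESS} loaded {label}")

    elif eid == 11:  # FileCreate: catch the drop, since the payload deletes it afterwards
        for label in _artifact_hits(ev.get("TargetFilename", "")):
            findings.append(f"file created: {label}")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over every record; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry: one benign event, then the PoC chain from the page.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",          # setup.bat copying the DLL
     "TargetFilename": r"C:\Users\Public\Documents\s11.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\dwm.exe",           # dwm.exe loading the payload
     "ImageLoaded": r"C:\Users\Public\Documents\s11.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",           # payload spawning the shell
     "ParentImage": r"C:\Windows\System32\dwm.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\cve30051_shell.bat"'},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The parent/child and image-load rules are the durable ones: the filenames can be changed by anyone who rebuilds the payload, but a dwm.exe that spawns a console or loads a DLL from a user-writable directory is anomalous on any build, patched or not, and maps directly onto a Sigma process_creation or image_load rule.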
Affected products & vendors
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).
An actively exploited Windows DWM privilege escalation zero-day (patched May 2024) reportedly used by multiple threat actors and linked to QakBot-associated activity.
A Windows User Account Control (UAC) bypass vulnerability associated with consent.exe, where exploitation can be indicated by anomalous child process creation from consent.exe.
A Windows Desktop Window Manager (DWM) elevation of privilege vulnerability referenced as having been exploited as a zero-day in 2024.