Windows Storage Elevation of Privilege Vulnerability

Repository is a Windows local privilege-escalation proof-of-concept for CVE-2026-21508. It consists of (1) a batch setup script (SETUP.bat) that stages a malicious DLL and configures per-user COM registry keys under HKCU\Software\Classes\CLSID to influence WUDFHost.exe COM activation, and (2) a Visual Studio C++ DLL project (Session0_CMD) that implements the payload. Key behavior: - SETUP.bat copies a bundled JPG (alps.jpg) to a user-provided USB drive letter to satisfy a condition that at least one .jpg exists on the USB. - It creates C:\ProgramData\CrossDevice and copies the built DLL to C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll (the hijack target name). - It adds/creates specific HKCU CLSID keys to force WUDFHost.exe to instantiate a chosen CLSID and to alter activation flow (per comments: avoid verclsid.exe and call CoCreateInstance directly). - It triggers the vulnerable path by launching Windows Media Player (wmplayer.exe). Payload DLL (Session0_CMD/dllmain.cpp): - On DLL_PROCESS_ATTACH, calls RevertToSelf() to stop impersonation. - Checks token elevation via OpenProcessToken/GetTokenInformation(TokenElevation). - If elevated, spawns C:\Windows\System32\cmd.exe using CreateProcessA, demonstrating code execution in a privileged context (often visible as a WUDFHost.exe child, potentially in Session 0). Repo structure: - Root: README.md (usage steps and links), SETUP.bat (stager/trigger), LICENSE. - Session0_CMD/: Visual Studio solution/project files and minimal C++ source (dllmain.cpp plus precompiled header scaffolding). No network C2 or remote endpoints are present; all observables are local file paths and registry keys used to stage and trigger the hijack.