A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi. It creates a task named SilentCleanup to trigger content cleanup and delete Config.msi. After deletion it creates a third thread to run second stage of FolderOrFileDeleteToSystem to drop HID.dll. Run osk.exe, then in another thread run mmc.exe.
CVE Link
Exploit Platform
Exploit Type
Product Name