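<#
.SYNOPSIS
    CVE-2025-49744 PoC Validator - Checks patch status and runs a safe GDI API test.

.DESCRIPTION
    This script verifies if the system is patched against CVE-2025-49744 by:
    - Checking Windows build number.
    - Listing July 2025 hotfixes including KB5039302.
    - Validating timestamps of patched binaries.
    - Running a safe GDI32 API call test.

    Every check is a heuristic. A "VULNERABLE" verdict means at least one
    heuristic could not confirm the patch; it is a prompt to verify the
    installed cumulative update against the vendor advisory, not proof of
    exploitability.

.NOTES
    Author:     nu11secur1ty
    Tested on:  Windows 11 Pro Build 26100+
    Date:       July 2025

    The output strings contain non-ASCII characters ("✓", "–"); save this file
    as UTF-8 with BOM so Windows PowerShell 5.1 does not read it using the
    system ANSI code page and garble them.

.LINK
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49744

.EXAMPLE
    Run in an elevated PowerShell prompt:
    .\Validate-CVE-2025-49744-PoC.ps1
#>

Write-Host "`n[CVE-2025-49744 PoC Validator] by nu11secur1ty" -ForegroundColor Cyan

# Single source of truth for the patch release date used by the hotfix and
# timestamp heuristics below. ISO 8601 literal so parsing is culture-independent.
$patchDate = Get-Date "2025-07-08"

# KB ID the author associates with the fix. Confirm it against the MSRC entry
# for CVE-2025-49744 before relying on this check in automation.
$patchKb = "KB5039302"

# Binaries whose version/timestamp are inspected. Resolved via SystemRoot rather
# than a hard-coded drive letter so non-C: installations are handled.
# NOTE(review): under a 32-bit PowerShell host on 64-bit Windows, System32 is
# redirected to SysWOW64 and win32kfull.sys will be reported missing — run the
# native (64-bit) host.
$modules = @(
    (Join-Path $env:SystemRoot "System32\gdi32.dll"),
    (Join-Path $env:SystemRoot "System32\win32kfull.sys")
)

# --- 1. Build check ---
try {
    $build = [System.Environment]::OSVersion.Version.Build
    Write-Host "`n[*] Windows Build Number: $build"
} catch {
    Write-Host "[!] Unable to determine Windows build." -ForegroundColor Red
    exit 1
}

# --- 2. Hotfix check ---
$vulnerable = $false
try {
    # Materialize once; the list is reused for both the date filter and the KB lookup.
    $allHotfixes = @(Get-HotFix)

    # InstalledOn can be empty for some entries. A null left operand would make
    # the date comparison silently false, so require the value explicitly.
    $julyHotfixes = @($allHotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $patchDate -and $_.HotFixID -match "KB"
    })

    Write-Host "`n[*] July 2025 Hotfixes installed:"
    if ($julyHotfixes.Count -gt 0) {
        foreach ($hf in $julyHotfixes) {
            Write-Host "  -> $($hf.HotFixID) (Installed: $($hf.InstalledOn.ToShortDateString()))"
        }
    } else {
        Write-Host "  [!] No July 2025 hotfixes found." -ForegroundColor Yellow
        $vulnerable = $true
    }

    # Look the KB up in the complete list, not only the date-filtered one, so an
    # entry without an InstalledOn value cannot produce a false "not found".
    # Get-HotFix lists each installed update under its own KB number; a system
    # serviced only by a later cumulative update may therefore still be reported
    # here — cross-check the installed LCU in that case.
    $kbPresent = $allHotfixes | Where-Object { $_.HotFixID -eq $patchKb }
    if (-not $kbPresent) {
        Write-Host "`n[!] KB5039302 not found – system is likely VULNERABLE to CVE-2025-49744!" -ForegroundColor Red
        Write-Host "    >> Please apply the official Microsoft patch immediately." -ForegroundColor Red
        $vulnerable = $true
    } else {
        Write-Host "`n[✓] KB5039302 found – patch appears installed."
    }
} catch {
    Write-Host "[!] Failed to retrieve hotfix information." -ForegroundColor Red
    $vulnerable = $true
}

# --- 3. Binary timestamp check ---
Write-Host "`n[*] Checking critical system binary timestamps:"
foreach ($m in $modules) {
    # Guard clause: a missing binary is reported and counted as unverifiable.
    if (-not (Test-Path -LiteralPath $m)) {
        Write-Host "  [!] $m missing – cannot verify!" -ForegroundColor Yellow
        $vulnerable = $true
        continue
    }

    $file  = Get-Item -LiteralPath $m
    $ver   = $file.VersionInfo.FileVersion
    $stamp = $file.LastWriteTime
    Write-Host "  $($file.Name): Version $ver, Last Write Time: $stamp"

    # LastWriteTime is only a coarse indicator: component servicing can preserve
    # a build-time timestamp that predates the public release date, so a
    # patched binary may still trip this warning. The printed FileVersion is
    # the value to compare against the advisory's fixed version.
    if ($stamp -lt $patchDate) {
        Write-Host "  [!] WARNING: Binary may be vulnerable. Timestamp is BEFORE patch date." -ForegroundColor Red
        $vulnerable = $true
    } else {
        Write-Host "  [✓] Binary appears patched." -ForegroundColor Green
    }
}

# --- 4. Optional PoC: Load Windows API (safe test only) ---
# This step only exercises CreateSolidBrush/DeleteObject; it creates and frees a
# few brushes and cannot distinguish a patched from an unpatched build. It is a
# liveness check on the GDI stack. A null handle is treated conservatively as
# "cannot confirm patched"; in practice it more likely indicates GDI handle
# pressure in the session than anything related to the CVE.
Write-Host "`n[*] Running safe GDI32 API interaction test..."
try {
    # Re-running the script in the same session would otherwise hit an
    # "already exists" error from Add-Type; compile failures are also reported
    # through the catch below instead of aborting the script.
    if (-not ("Gdi32Test" -as [type])) {
        Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class Gdi32Test
{
    [DllImport("gdi32.dll")]
    public static extern IntPtr CreateSolidBrush(int color);

    [DllImport("gdi32.dll")]
    public static extern bool DeleteObject(IntPtr hObject);
}
"@
    }

    for ($i = 0; $i -lt 3; $i++) {
        # -Maximum is exclusive; 0x1000000 makes the full 24-bit COLORREF range reachable.
        $color = Get-Random -Minimum 0 -Maximum 0x1000000
        $brush = [Gdi32Test]::CreateSolidBrush($color)
        if ($brush -eq [IntPtr]::Zero) {
            Write-Host "  [!] GDI32 returned null brush handle!" -ForegroundColor Red
            $vulnerable = $true
        } else {
            Write-Host "  [+] GDI32 CreateSolidBrush succeeded (handle: $brush)"
            # Release the GDI object so the loop does not leak handles.
            [Gdi32Test]::DeleteObject($brush) | Out-Null
        }
    }
} catch {
    Write-Host "  [X] Exception during GDI32 test: $_" -ForegroundColor Red
    $vulnerable = $true
}

# --- Final Status ---
Write-Host "`n=============================="
if ($vulnerable) {
    Write-Host "[!!!] SYSTEM STATUS: VULNERABLE to CVE-2025-49744!" -ForegroundColor Red -BackgroundColor Black
    Write-Host "      Immediate patching is highly recommended." -ForegroundColor Red
} else {
    Write-Host "[✓] SYSTEM STATUS: Patched against CVE-2025-49744." -ForegroundColor Green
    Write-Host "    Keep your system updated to maintain security." -ForegroundColor Green
}
Write-Host "==============================`n"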