The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. The steps performed by the exploit are: Create a crafted BLF file Trigger the vulnerability to get an arbitrary read/write primitive Get SYSTEM privileges by replacing the current process token

CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate system privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under selected path. Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF. Create a fake CClfsContainer object with a fake vtable that points to the address of nt!PoFxProcessorNotification. Write additional data in the allocated memory region such as the address of nt!DbgkpTriageDumpRestoreState and the address of _KTHREAD.PreviousMode of the current thread. Call again CreateLogFile(). When the PoC invokes CreateLogFile() on the malicious BLF the driver does the following at kernel level: Dereference the malicious CClfsContainer object at address 0x0000000002100000. Call nt!PoFxProcessorNotification. nt!PoFxProcessorNotification redirects the execution flow to nt!DbgkpTriageDumpRestoreState. nt!DbgkpTriageDumpRestoreState is used to obtain an arbitrary write of 8 bytes (already discussed here). In this case it is exploited to overwrite the _KTHREAD.PreviousMode to 0 of the current thread, granting us arbitrary read/write primitives. Issue a series of calls to NtReadVirtualMemory()/NtWriteVirtualMemory() to replace the _EPROCESS.Token of the parent process with that of the system process (PID 4). Restore _KTHREAD.PreviousMode to 1 with a final NtWriteVirtualMemory()

The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Spray the memory with data queue entries Trigger the vulnerability to overwrite the victim data entry Leak adjacent pool memory and bypass KASLR Forge a data queue entry to get an arbitrary memory read Leak the address of the current process token Leak the address of the SYSTEM process token Create a new data queue entry and leak its IRP Forge an IRP and the data queue entry Read 1 byte to trigger the arbitrary write and get SYSTEM privileges

Afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management, where a temporary reference counter increment is improperly handled, leading to use-after-free scenarios. This occurs when accessing registered buffers for send/receive operations. The steps performed by the exploit are: Creates corrupt kernel structures Gets arbitrary read/write primitives Steals token for privilege escalation Restores system state Creates a new agent process running as SYSTEM

The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Get kernel address of nt!SeDebugPrivilege Create a new thread to win the race condition Trigger the double-fetch three times and overwrite nt!SeDebugPrivilege Create a new process running the agent as SYSTEM

The Windows streaming driver (ks.sys) has a design vulnerability which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Opens an audio device with read/write access. Gets the memory address of a kernel object associated with a process, to access its details in kernel space. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations. Gets the base address of a kernel module (ntoskrnl.exe), necessary for locating functions within kernel space. Computes the address of a gadget in the kernel for use in memory manipulation operations. Writes data to a specific memory address, allowing the system's memory space to be modified. Changes the current process token to gain system privileges Restores the thread mode to avoid BSOD

The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Discover an exploit primitive Perform heap feng shui to come up with a memory layout Allocate enough "GOLD" objects using the GetUIDllName function Free some of them to create some holes using the FreeDiagInstance function Allocate a worker "GOLD" object to trigger the use-after-free vulnerability Delete the "RequestMakeCall" key value and create a REG_BINARY type key with controlled content. Then, I allocate some key value heaps to ensure they occupy the hole left by the worker object XFG mitigation

The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an out-of-bounds write, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Spray the memory with data queue entries Trigger the OOB write to overwrite the victim entry Leak adjacent pool memory and bypass KASLR Forge a data queue entry to get an arbitrary memory read Leak the address of the current process token Leak the address of the SYSTEM process token Create a new data queue entry and leak its IRP Forge an IRP and the data queue entry Read 1 byte to trigger the arbitrary write and get SYSTEM privileges

The vulnerability exists due to a size miscalculation error in a integer division within the Windows DWM Core Library. A local user can trigger a heap-based buffer overflow in CCommandBuffer::Initialize method in dwmcore.dll and execute arbitrary code to install a Core Impact agent with user DWM with Integrity System privileges.This exploit checks if the target is supported and not patched. If the build is greater or equal than 22631.3593 it means the target is patched. Otherwise it proceeds to exploitation. It loads 3 files with random names in \Users\Public\Documents, the file names can be seen in the Module Log panel. It then performs two exploitation attempts by starting to copy these files into the mentioned public documents folder, after that the exploit will perform a Heap Spray on the DWM process to prepare the memory to finally trigger the Heap Overflow on DWMCORE.DLL Once the exploitation is successful the DWM process will load our DLL that executes our Core Impact agent.When the exploit finishes the files mentioned above will be deleted.

The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Get the kernel address of the current process token Get the security information contained in the token using NtQueryInformationToken Calculate the value address of the first token security attribute Create a thread to win the race condition and enable privileges of the current process Deploy an agent via creating a new elevated process using winlogon.exe as parent process