My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

Overview

CVE-2021-40449

Short writeup

Along with the UAF vulnerability itself, the following primitives are used to make this exploit possible:

  • Leaking the kernel (ring0) address of the exploit process's access token via NtQuerySystemInformation() with the SystemHandleInformation class.
  • Using RtlSetAllBits() as a gadget to overwrite the exploit's access_token.privileges with 0xFF bytes.
  • Leaking the ring0 address of RtlSetAllBits() by first leaking the base address of the ntoskrnl.exe module via EnumDeviceDrivers().
  • Crafting the gadget's BitMapHeader parameter so that the bitmap it describes covers the access_token.privileges field of the exploit process's token.
  • Allocating the crafted BitMapHeader in kernel memory via the NtSetInformationThread() primitive, then leaking the address of that big-pool allocation via NtQuerySystemInformation() with the SystemBigPoolInformation class.
  • To reach the vulnerable function, first enumerating the printers on the system via EnumPrinters(), loading the driver of one of them, and then hooking the calls to the user-mode callback function DrvEnablePDEV().
  • Inside the hook, proxying the call to the original DrvEnablePDEV(), doing the exploit work, and then returning to GDI whatever the proxied call returned.
  • Triggering the UAF via a second call to ResetDC() from inside the hooked DrvEnablePDEV().
  • Reclaiming the freed PDC object by spraying crafted objects of the same size using the CreatePalette() primitive.
  • Abusing the newly acquired SeDebugPrivilege to get NT AUTHORITY\SYSTEM by injecting shellcode into the winlogon.exe process.
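
As a defender-side illustration of the final step (remote shellcode injection into winlogon.exe), here is an added example that is not part of this repository: a small filter over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags remote thread creation into winlogon.exe from any source image outside an allowlist. The field names follow Sysmon's Event ID 8 schema; the sample records and the allowlist of expected source images are assumptions to be tuned to a real baseline.

```python
"""Flag CreateRemoteThread events that target winlogon.exe (constructed Sysmon-style records)."""
import json

# Source images that are normally expected to create threads in winlogon.exe.
# This allowlist is an assumption for the example; tune it to the host's baseline.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample of Sysmon events, one JSON object per line (Event ID 8 = CreateRemoteThread).
SAMPLE_LOG = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "SourceProcessId": 612, "TargetProcessId": 688}
{"EventID": 8, "SourceImage": "C:\\Users\\user\\Desktop\\poc.exe", "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "SourceProcessId": 4120, "TargetProcessId": 688}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\user\\Desktop\\poc.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "SourceProcessId": 4120, "TargetProcessId": 3000}
"""


def parse_sysmon_jsonl(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def suspicious_winlogon_injections(records, expected=EXPECTED_SOURCES):
    """Return (source pid, source image) for each Event ID 8 record whose target is
    winlogon.exe and whose source image is not in the expected allowlist."""
    hits = []
    for rec in records:
        if rec.get("EventID") != 8:
            continue
        target = rec.get("TargetImage", "").lower()
        source = rec.get("SourceImage", "").lower()
        if target.endswith("\\winlogon.exe") and source not in expected:
            hits.append((rec.get("SourceProcessId"), rec.get("SourceImage")))
    return hits


if __name__ == "__main__":
    for pid, image in suspicious_winlogon_injections(parse_sysmon_jsonl(SAMPLE_LOG)):
        print(f"ALERT: remote thread created in winlogon.exe from pid {pid} ({image})")
```

The same filter applies unchanged to real Sysmon output exported as JSON lines, since only the allowlist and the target process name are environment-specific.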

More information can be found in this article by Kaspersky.

PoC

PoC tested on Win10 Redstone (build 14393).

Owner
hakivvi