Related vulnerability
Description
Using CVE-2023-21768 to manually map a kernel-mode driver
Introduction
# nullmap
A very simple driver manual mapper based on my older [voidmap](https://github.com/SamuelTulach/voidmap) and the [CVE-2023-21768 POC](https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768) by [chompie](https://twitter.com/chompie1337) and [b33f](https://twitter.com/FuzzySec). Because the underlying IoRing post-exploitation memory read/write primitive does not handle many consecutive reads and writes well, I decided to overwrite CR4 to disable SMEP/SMAP and execute the driver mapped in usermode. Tested on Windows 11 22H2 (22621.525).
Usage:
```
nullmap.exe <path_to_driver>
```
Possible problems:
- The manually mapped driver will live in a pool allocated by ExAllocatePool. If you want to use this for anything more serious, you should consider finding a better way of allocating memory so it can't be dumped so easily.
- There is no easy way to read the original CR4 value, which means I had to hardcode the value that was there on my system. While it should be the same for most modern CPUs, you should still double-check that the value is correct.
- I've hardcoded the offset to NtGdiGetEmbUFI since there is no easy way to sigscan it, which means you will have to update this offset for your specific Windows build.
- It was written in one afternoon, so it might not be the cleanest code base.
Video:
[Demo video](https://www.youtube.com/watch?v=qdAZ8mTsTrc)
File snapshot
[4.0K] /data/pocs/02150236db78db4e91faa77cc59104c880db0dba
├── [4.0K] nullmap
│ ├── [4.0K] nullmap
│ │ ├── [1.3K] console.c
│ │ ├── [ 504] console.h
│ │ ├── [2.9K] exploit.c
│ │ ├── [1.6K] exploit.h
│ │ ├── [ 239] general.h
│ │ ├── [4.9K] ioring.c
│ │ ├── [8.1K] ioring.h
│ │ ├── [6.4K] main.c
│ │ ├── [5.6K] mapper.c
│ │ ├── [2.0K] mapper.h
│ │ ├── [7.0K] nullmap.vcxproj
│ │ ├── [1.4K] nullmap.vcxproj.filters
│ │ ├── [5.0K] utils.c
│ │ └── [3.8K] utils.h
│ └── [1.4K] nullmap.sln
└── [1.4K] README.md
2 directories, 16 files
Notes
1. It is recommended to access the code via the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.