CVE-2019-16098 PoC: Micro Star MSI Afterburner security vulnerability

Associated Vulnerability
Title: Micro Star MSI Afterburner security vulnerability (CVE-2019-16098)
Description: Micro Star MSI Afterburner is a graphics-card overclocking utility from Micro-Star International (Micro Star) of Taiwan, China. A security vulnerability exists in Micro Star MSI Afterburner 4.6.2.15658. An attacker can exploit it to read from and write to arbitrary memory, I/O ports and MSRs, and thereby escalate privileges, execute code, leak information and potentially bypass Microsoft's driver-signing policy to deploy malicious code.
Description
This exploit rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read from and write to arbitrary memory, I/O ports and MSRs. Instead of a hard-coded base address for Ntoskrnl.exe, I calculate it dynamically and also calculate all offsets.
Readme
# NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE
This exploit rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read from and write to arbitrary memory, I/O ports and MSRs. Instead of a hard-coded base address for Ntoskrnl.exe, I calculate it dynamically and recalculated all offsets for the new version of Windows. EPROCESS is an opaque structure that serves as the process object for a process, and the PsInitialSystemProcess global variable points to the process object of the System process. To compute the address of PsInitialSystemProcess we therefore need the Ntoskrnl.exe base address, which is calculated dynamically; from there, the offsets of all EPROCESS fields needed to steal the System token and escalate privileges are calculated. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.


https://github.com/user-attachments/assets/64295738-987a-4309-811a-c8805d788e05



## Flow of code
* Define the structures required for RTCORE64 read and write operations.
* Calculate the base address of Ntoskrnl.exe.
* Calculate the offset and address of PsInitialSystemProcess.
* Calculate the offsets of the required EPROCESS fields (Token, UniqueProcessId, ActiveProcessLinks).
* Use the device object to steal and write the token of the System process.
* Run elevated in the SYSTEM context.

## Usage
* Build and compile the program with Visual Studio 2019.
* Start the service before executing the compiled binary.
* Run this command to create the service: `sc create RTCORE64 binPath="Path of Driver File" type=kernel`
* Start the service: `sc start RTCORE64`
* Run the compiled binary and get NT AUTHORITY\SYSTEM.
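The service-creation step above leaves a trace defenders can look for: every service installation, kernel drivers included, is logged as System event 7045 by the Service Control Manager. The following Python snippet is an added defender-side example, not code from this repository; it scans 7045 records for a kernel-mode service whose image is RTCore64.sys or RTCore32.sys and flags copies loaded from outside the assumed default Afterburner install directory. The key=value record layout and the sample lines are constructed for the example.

```python
import re

# Constructed sample 7045 records in an assumed key=value export layout
# (not real Windows event text). One service installation per line.
SAMPLE_7045 = """\
EventID=7045 ServiceName=RTCORE64 ImagePath=C:\\Users\\bob\\Desktop\\Driver\\RTCore64.sys ServiceType="kernel mode driver" StartType="demand start"
EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe ServiceType="user mode service" StartType="auto start"
EventID=7045 ServiceName=gpu_helper ImagePath=C:\\Temp\\rtcore64.sys ServiceType="kernel mode driver" StartType="demand start"
EventID=7045 ServiceName=MSIAfterburner ImagePath="C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys" ServiceType="kernel mode driver" StartType="demand start"
"""

# Driver file names shipped with the vulnerable Afterburner build named on this page.
VULNERABLE_DRIVERS = {"rtcore64.sys", "rtcore32.sys"}
# Assumed default install directory of MSI Afterburner; a copy of the driver
# registered from anywhere else matches the bring-your-own-driver pattern.
EXPECTED_DIR_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\MSI Afterburner\\", re.I)
# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def classify(record):
    """Return an alert dict for a kernel-mode service whose image file is one
    of the vulnerable RTCore drivers, or None for any other record."""
    if record.get("EventID") != "7045":
        return None
    if record.get("ServiceType", "").lower() != "kernel mode driver":
        return None
    path = record.get("ImagePath", "")
    basename = re.split(r"[\\/]", path)[-1].lower()  # works off-Windows too
    if basename not in VULNERABLE_DRIVERS:
        return None
    return {"service": record.get("ServiceName"), "image_path": path,
            "unexpected_path": EXPECTED_DIR_RE.match(path) is None}


def find_rtcore_installs(log_text):
    """Scan a log export and return alerts in the order the records appear."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(parse_record(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_rtcore_installs(SAMPLE_7045):
        flag = "UNEXPECTED PATH" if a["unexpected_path"] else "install dir"
        print(f"{a['service']}: {a['image_path']} [{flag}]")
```

A hit in the install directory still deserves a version check against the vulnerable build, since the driver itself is the weakness rather than its location.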

## NOTE
* Tested on Windows 11 23H2 with ReleaseId 2009, build number 22621.3447 and major version 10.
* New releases and build numbers can have different offsets.
* This code uses the PPLKiller technique to get the base address of Ntoskrnl.exe.

### Disclaimer
Only for educational purposes.

### References
* https://github.com/Barakat/CVE-2019-16098
* https://github.com/RedCursorSecurityConsulting/PPLKiller



File Snapshot

```
[4.0K] /data/pocs/19adecaf97b75cec0ee03bcc31ddc4bdf685e045
├── [1.0K] LICENSE
├── [2.1K] README.md
└── [4.0K] SYSTEM_CONTEXT_RTCORE
    ├── [4.0K] Driver
    │   └── [ 14K] RTCore64.sys
    ├── [4.0K] SYSTEM_CONTEXT_RTCORE
    │   ├── [6.7K] SYSTEM_CONTEXT_RTCORE.cpp
    │   ├── [6.4K] SYSTEM_CONTEXT_RTCORE.vcxproj
    │   ├── [ 973] SYSTEM_CONTEXT_RTCORE.vcxproj.filters
    │   ├── [ 165] SYSTEM_CONTEXT_RTCORE.vcxproj.user
    │   └── [4.0K] x64
    │       ├── [4.0K] Debug
    │       │   ├── [4.0K] SYSTEM_C.325995fb.tlog
    │       │   │   ├── [ 922] CL.command.1.tlog
    │       │   │   ├── [ 26K] CL.read.1.tlog
    │       │   │   ├── [ 808] CL.write.1.tlog
    │       │   │   ├── [1.5K] link.command.1.tlog
    │       │   │   ├── [3.5K] link.read.1.tlog
    │       │   │   ├── [ 804] link.write.1.tlog
    │       │   │   └── [ 179] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │       │   ├── [ 975] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │       │   ├── [ 320] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │       │   ├── [668K] SYSTEM_CONTEXT_RTCORE.ilk
    │       │   ├── [ 154] SYSTEM_CONTEXT_RTCORE.log
    │       │   ├── [ 80K] SYSTEM_CONTEXT_RTCORE.obj
    │       │   ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │       │   ├── [251K] vc143.idb
    │       │   └── [156K] vc143.pdb
    │       └── [4.0K] Release
    │           ├── [4.0K] SYSTEM_C.325995fb.tlog
    │           │   ├── [ 930] CL.command.1.tlog
    │           │   ├── [ 26K] CL.read.1.tlog
    │           │   ├── [ 626] CL.write.1.tlog
    │           │   ├── [1.6K] link.command.1.tlog
    │           │   ├── [4.0K] link.read.1.tlog
    │           │   ├── [1.0K] link.write.1.tlog
    │           │   └── [ 181] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │           ├── [1.3K] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │           ├── [ 322] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │           ├── [ 66K] SYSTEM_CONTEXT_RTCORE.iobj
    │           ├── [ 20K] SYSTEM_CONTEXT_RTCORE.ipdb
    │           ├── [ 357] SYSTEM_CONTEXT_RTCORE.log
    │           ├── [222K] SYSTEM_CONTEXT_RTCORE.obj
    │           ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │           └── [140K] vc143.pdb
    └── [1.4K] SYSTEM_CONTEXT_RTCORE.sln

8 directories, 38 files
```