POC details: 5329c68d8399177318f40a812059c2351cfefbbb

Source
Associated vulnerability
Title: Microsoft Windows Kernel Mode Drivers resource management error vulnerability (CVE-2024-43535)
Description: Microsoft Windows Kernel Mode Drivers are the Windows kernel-mode drivers from the US company Microsoft. Microsoft Windows Kernel Mode Drivers contain a resource management error vulnerability. An attacker can exploit this vulnerability to escalate privileges. The following products and versions are affected: Windows 11 Version 24H2 for ARM64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 10 Vers
Description
Reports and POCs for CVE 2024-43570 and CVE-2024-43535
Introduction
# KTM_POCS

This repo contains reports for [CVE 2024-43570](https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-43570) and [CVE 2024-43535](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43535), two vulnerabilities I found in the Windows Kernel Transaction Manager driver tm.sys.

This repo also contains exploit code I used for the demos in the OffensiveCon25 Presentation: [Hunting for Overlooked Cookies in Windows 11 KTM and Baking Exploits for Them](https://youtu.be/goEb7eKj660?si=DR9TcnJZPicCIhGK) by Cedric Halbronn and Jael Koh.

Slides for the presentation are available [here](https://docs.google.com/presentation/d/1M_ziQt6rZA01ghsv0qo7lhqyOLIZYNnV-qjHWun6A1g/edit?usp=sharing).

*Exploit code was tested on a Windows 11 Pro 23H2 226321.4169 (September Patch Tuesday Update) Virtual Machine*

## Timeline

24 Apr 2024 - 26 Apr 2024: tm.sys research attempt #1

18 May 2024 - 20 May 2024: tm.sys research attempt #2

14 Jun 2024 - 7 Jul 2024: tm.sys research attempt #3 

24 Jun 2024: Reported CVE 2024-43570 to MSRC

7 Jul 2024: Reported CVE 2024-43535 to MSRC

18 Jul 2024: US$2000 bounty awarded for CVE 2024-43570

5 Oct 2024: US$2000 bounty awarded for CVE 2024-43535

8 Oct 2024: Fix for CVE-2024-43570 and CVE-2024-43535

File snapshot

```
[4.0K] /data/pocs/5329c68d8399177318f40a812059c2351cfefbbb
├── [4.0K] dispatch_demo
│   ├── [ 171] DEMO_WINDBG.txt
│   ├── [ 23K] dispatch.c
│   └── [ 11K] helper.h
├── [4.0K] dispatch_report
│   ├── [4.4K] freeProtocol.js
│   ├── [ 25K] ReclaimProtocol.c
│   ├── [ 21K] windbg_log_WinServer_0ed4_2024-06-24_11-44-15-452_Copy.txt
│   └── [ 16K] Windows Kernel KTM TmpDispatchPropagateRequest ,leading to UAF.md
├── [4.0K] migrate_demo
│   ├── [  84] DEMO_WINDBG_2.txt
│   ├── [ 16K] helper.h
│   ├── [ 28K] Migrate.c
│   └── [6.0K] migratewin.js
├── [4.0K] migrate_report
│   ├── [6.0K] freeEnlistmentDuringEM.js
│   ├── [ 35K] NamedPipeReclaim_CrashPoC.c
│   ├── [ 21K] NamedPipeReclaim_windbglog.txt
│   ├── [ 16K] Windows Kernel KTM TmpMigrateEnlistments does not hold the mutex of the destination Transaction, leading to UAF.md
│   ├── [8.5K] Working_CrashPoC.c
│   └── [ 18K] Working_CrashPoC_windbglog.txt
└── [1.2K] README.md

4 directories, 18 files
```
The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source has gone offline or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.