CVE-2022-38604 PoC — Wacom Driver Link Following Vulnerability

Associated Vulnerability
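Title: Wacom Driver Link Following Vulnerability (CVE-2022-38604)
Description: Wacom Driver is a driver used to connect and manage tablet computers. Wacom Driver 6.3.46-1 and earlier versions contain a security vulnerability, which stems from an arbitrary file deletion vulnerability.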
Description
Exploits and reports for CVE-2022-38604
Readme
# Exploits for CVE-2022-38604
<p align="center">
  <img src="POC_AFD.gif" title="Arbitrary File Deletion POC">
</p>
<hr>
<p align="center">
  <img src="POC_WDOS.gif" title="Windows Denial of Service POC">
</p>
<hr>
<a href="https://github.com/LucaBarile/CVE-2022-38604/tree/main/FilesystemEoPs" target="_blank" rel="noopener noreferrer">FilesystemEoPs</a> is a copy of <a href="https://github.com/thezdi/PoC/tree/master/FilesystemEoPs" target="_blank" rel="noopener noreferrer">this</a> repository with the addition of the <a href="https://github.com/LucaBarile/CVE-2022-38604/tree/main/FilesystemEoPs/x64/Release" target="_blank" rel="noopener noreferrer">x64 compiled projects</a>.<br>
<a href="https://lucabarile.github.io/Blog/CVE-2022-38604/index.html" target="_blank" rel="noopener noreferrer">Here</a> you can find my <b>Arbitrary File Deletion Vulnerability</b> report.<br>
<a href="https://lucabarile.github.io/Blog/CVE-2022-38604/index.html#par7" target="_blank" rel="noopener noreferrer">Here</a> you can understand how to use an <b>Arbitrary File Deletion</b> primitive <b>to</b> achieve a <b>Local Privilege Escalation</b>.<br>
<a href="https://lucabarile.github.io/Blog/CVE-2022-38604/index.html#par8" target="_blank" rel="noopener noreferrer">Here</a> you can understand how to use an <b>Arbitrary File Deletion</b> primitive <b>to</b> achieve a <b>Windows Denial of Service</b>.<br>
<hr>
<a href="https://www.buymeacoffee.com/LucaBarile" target="_blank" rel="noopener noreferrer">Here</a> you can buy me a unicorn &#129412;
<hr>
<h5 align="right">Share the Knowledge!</h5>