Related vulnerability
Title:
Microsoft Windows NTFS Numeric Error Vulnerability
(CVE-2021-31956)
Description: Microsoft Windows NTFS is a file system for computer files developed by Microsoft Corporation of the United States. The file system provides error pre-warning, disk self-repair and journaling features. Windows NTFS has a numeric error vulnerability. The following products and versions are affected: Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for ARM64-based Systems, Windows Server 2019, Windows Server 2019 (S
Introduction
# CVE-2021-31956
WIP PoC code for CVE-2021-31956 in preparation for OSEE. Will improve it further after my OSEE exams and in free time.
A lot of hardcoded offsets need to be changed if they are different on the target system (but if it is anything similar to 2020 - 2021 builds then no change should be needed. Not sure 100%), and you can't exit the program because many pool headers are still corrupted, and the Token field is still pointing to the system's token. One of 3 things will happen if you try to exit the program: a BSOD, it can't exit, or, if the stars align, it exits safely, but the system is probably unstable and is a ticking time bomb.
Credits:
https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/ amazing write-up that covers many details that NCC and others lack
https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/ good basic understanding of the vuln and good lessons learned
https://github.com/aazhuliang/CVE-2021-31956-EXP for most of the starting code and a source for me to fall back on if I am completely stuck
https://github.com/freeide/CVE-2021-31955-POC/tree/main - CVE-2021-31955 PoC that allows leaking EPROCESS. Though this is unnecessary due to the nature of the bug and the accessible CreatorProcess field inside the WNF struct.
- Apt 69

File snapshot
[4.0K] /data/pocs/b32ec765636951d7df217ef5881f4ecb7b0bba44
├── [4.0K] 31956Custom
│ ├── [7.2K] 31956Custom.vcxproj
│ ├── [1.6K] 31956Custom.vcxproj.filters
│ ├── [ 19K] Header.h
│ ├── [3.7K] Helper.cpp
│ ├── [ 148] Helper.h
│ ├── [ 26K] Main.cpp
│ ├── [ 13] Main.h
│ ├── [ 16] pch.cpp
│ ├── [2.5K] pch.h
│ └── [ 281] Ulog.h
├── [1.4K] 31956Custom.sln
├── [2.7M] poc.gif
└── [1.3K] README.md
1 directory, 13 files
Notes
1. It is recommended to access the code via the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.