POC details: c16989a2bbbff5a37a559b31aeef2b27fbb7d803

Source
Associated vulnerability
Title: Google Pixel resource management error vulnerability (CVE-2022-22077)
Description: Google Pixel is a smartphone made by Google (USA). Google Pixel contains a security vulnerability. No details of this vulnerability are available at present; please follow CNNVD or vendor advisories.
Description
CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center
Introduction
# ✅ CVE-2022-22077 exploitation framework (RTCore64.sys)

<img width="1328" height="1328" alt="image" src="https://github.com/user-attachments/assets/55f73f43-8bab-4fdb-84c3-011ca24d51c2" />

This document provides a comprehensive overview of the CVE-2022-22077 exploitation framework, a sophisticated BYOVD (Bring Your Own Vulnerable Driver) attack toolkit that targets the RTCore64.sys driver vulnerability. This framework demonstrates advanced Windows kernel exploitation techniques for educational and security research purposes.

The material covered includes the vulnerability's technical foundation, the framework's architecture, and the integration with the broader LazyOwn RedTeam toolkit. For detailed vulnerability analysis, see Vulnerability Analysis. For specific implementation details of individual components, see Exploitation Framework.

<img width="513" height="883" alt="image" src="https://github.com/user-attachments/assets/36b635a6-86c8-4b93-a6b2-15286897e1a2" />

## 🚨 CVE-2022-22077 — MSI Center / Dragon Center — Arbitrary Memory Read/Write via RTCore64.sys

CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center and Dragon Center applications. The vulnerability stems from exposed IOCTL interfaces that allow unprivileged users to perform arbitrary physical memory reads and writes, effectively bypassing all Windows kernel security mechanisms.

<img width="1724" height="246" alt="image" src="https://github.com/user-attachments/assets/2f13aaf2-97ee-478c-b9aa-e81a958f3ea0" />

## Key Impact Areas

- Local privilege escalation to SYSTEM
- EDR/AV bypass capabilities
- Kernel-mode code execution
- Rootkit installation potential

<img width="1276" height="734" alt="image" src="https://github.com/user-attachments/assets/82db2c7f-70b0-436d-b909-43c8ffad7633" />

## Stages

<img width="682" height="859" alt="image" src="https://github.com/user-attachments/assets/a8dc2a4f-d9b0-4837-8b90-6f9d656ba50a" />

### Stage 1: Environment Preparation

- File: `install.sh` - sets up the mingw-w64 cross-compilation environment
- File: `build.sh` - compiles the Windows executables from a Linux host
- Integration: LazyOwn framework configuration via `CVE-2022-22077.yaml`

### Stage 2: Automated Deployment

- File: `payload.ps1` - PowerShell script handling:
  - Privilege validation (SeLoadDriverPrivilege)
  - VBS/HVCI compatibility checks
  - Driver and exploit download from a remote server
  - Windows service creation and management

### Stage 3: Kernel Exploitation

- File: `exploit.c` - native code implementing:
  - RTCore64.sys device communication
  - SYSTEM process token extraction
  - Current process token replacement
  - Privilege escalation validation
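A defender-side check that complements the deployment stages above, added here as an example and not part of the LazyOwn project: it scans simplified renderings of Windows System-log 7045 ("a service was installed") events and flags kernel-driver services whose image is RTCore64.sys or is loaded from outside System32. The key=value event format, the sample lines and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Driver file names treated as known-vulnerable; RTCore64.sys is the one this page covers.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}
TRUSTED_DRIVER_DIRS = ("\\systemroot\\system32\\", "c:\\windows\\system32\\")

@dataclass
class Finding:
    service: str
    image: str
    reason: str

# Assumed, simplified key=value rendering of the fields of a System-log 7045 event (not the real XML).
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+ServiceName=(?P<name>\S+)\s+ImagePath=(?P<path>.+?)"
    r"\s+ServiceType=(?P<type>.+?)\s+StartType=(?P<start>.+)$"
)

def analyze_event(line: str) -> Optional[Finding]:
    # Return a Finding for a suspicious kernel-driver service install, else None.
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "7045":
        return None
    if "kernel mode driver" not in m.group("type").lower():
        return None  # user-mode services are out of scope for BYOVD
    path = m.group("path").strip().strip('"')
    file_name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if file_name in KNOWN_VULNERABLE_DRIVERS:
        return Finding(m.group("name"), path, "known vulnerable driver (BYOVD)")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        return Finding(m.group("name"), path, "kernel driver loaded from outside System32")
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(analyze_event, lines) if f is not None]

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "EventID=7045 ServiceName=RTCore64 ImagePath=C:\\Users\\Public\\RTCore64.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe "
    "ServiceType=user mode service StartType=auto start",
    "EventID=7045 ServiceName=gpudrv ImagePath=C:\\Temp\\gpudrv.sys "
    "ServiceType=kernel mode driver StartType=demand start",
    "EventID=7036 ServiceName=RTCore64 ImagePath=- ServiceType=- StartType=-",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[!] {f.service}: {f.image} -> {f.reason}")
```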

<img width="813" height="864" alt="image" src="https://github.com/user-attachments/assets/548542d5-01a3-4325-9581-9c6a689d52ef" />

## Memory Manipulation Architecture

The framework implements kernel memory access through a structured approach using the RTCore64.sys driver vulnerabilities:

<img width="1290" height="833" alt="image" src="https://github.com/user-attachments/assets/8efe4d10-0718-477e-ae90-3875f73deb49" />


🔗 [[ YOUTUBE DEMO ]](https://youtube.com/shorts/V2tqH53LRIw)

🔗 [CVE-2022-22077](https://nvd.nist.gov/vuln/detail/CVE-2022-22077?spm=a2ty_o01.29997173.0.0.1d61c921XdCRdQ) on NVD

🔗 [https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36](https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36)

🔗 [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/](https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/)

🔗 [https://github.com/grisuno/beacon](https://github.com/grisuno/beacon)

🔗 [https://github.com/grisuno/LazyOwn/](https://github.com/grisuno/LazyOwn/)




![Python](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54) ![Shell Script](https://img.shields.io/badge/shell_script-%23121011.svg?style=for-the-badge&logo=gnu-bash&logoColor=white) ![Flask](https://img.shields.io/badge/flask-%23000.svg?style=for-the-badge&logo=flask&logoColor=white) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y2Z73AV)
File snapshot

```
[4.0K] /data/pocs/c16989a2bbbff5a37a559b31aeef2b27fbb7d803
├── [ 237] app.py
├── [  97] build.sh
├── [5.1K] CODE_OF_CONDUCT.md
├── [7.8K] CONTRIBUTING.md
├── [ 943] CVE-2022-22077.yaml
├── [4.0K] docs
│   └── [7.5K] index.html
├── [7.8K] exploit.c
├── [  54] install.sh
├── [ 34K] LICENSE
├── [4.0K] payload.ps1
├── [ 345] pull_request_template.md
├── [4.4K] README.md
├── [   1] requirements.txt
├── [ 14K] RTCore64.sys
├── [ 619] SECURITY.md
└── [4.0K] workflows
    └── [ 902] github-actions-demo.yml

2 directories, 16 files
```

Cached for you by the Shenlong bot.
Notes
    1. Accessing the original source is recommended.
    2. If the source is unavailable or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.