
CVE-2022-22077 PoC — Google Pixel Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: Google Pixel Resource Management Error Vulnerability (CVE-2022-22077)
Description: Google Pixel is a smartphone made by the US company Google. Google Pixel contains a security vulnerability. No further information on this vulnerability is available yet; follow CNNVD or the vendor's advisories for updates.
Description
CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center
Readme
# ✅ CVE-2022-22077 exploitation framework: RTCore64.sys

<img width="1328" height="1328" alt="image" src="https://github.com/user-attachments/assets/55f73f43-8bab-4fdb-84c3-011ca24d51c2" />

This document provides a comprehensive overview of the CVE-2022-22077 exploitation framework, a sophisticated BYOVD (Bring Your Own Vulnerable Driver) attack toolkit that targets the RTCore64.sys driver vulnerability. This framework demonstrates advanced Windows kernel exploitation techniques for educational and security research purposes.

The material covered includes the vulnerability's technical foundation, the framework's architecture, and the integration with the broader LazyOwn RedTeam toolkit. For detailed vulnerability analysis, see Vulnerability Analysis. For specific implementation details of individual components, see Exploitation Framework.

<img width="513" height="883" alt="image" src="https://github.com/user-attachments/assets/36b635a6-86c8-4b93-a6b2-15286897e1a2" />

## 🚨 CVE-2022-22077 — MSI Center / Dragon Center — Arbitrary Memory Read/Write via RTCore64.sys

CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center and Dragon Center applications. The vulnerability stems from exposed IOCTL interfaces that allow unprivileged users to perform arbitrary physical memory reads and writes, effectively bypassing all Windows kernel security mechanisms.

<img width="1724" height="246" alt="image" src="https://github.com/user-attachments/assets/2f13aaf2-97ee-478c-b9aa-e81a958f3ea0" />

## Key Impact Areas

- Local privilege escalation to SYSTEM
- EDR/AV bypass capabilities
- Kernel-mode code execution
- Rootkit installation potential

<img width="1276" height="734" alt="image" src="https://github.com/user-attachments/assets/82db2c7f-70b0-436d-b909-43c8ffad7633" />

## Stages

<img width="682" height="859" alt="image" src="https://github.com/user-attachments/assets/a8dc2a4f-d9b0-4837-8b90-6f9d656ba50a" />

### Stage 1: Environment Preparation

- File: install.sh - Sets up mingw-w64 cross-compilation environment
- File: build.sh - Compiles Windows executables from Linux host
- Integration: LazyOwn framework configuration via CVE-2022-22077.yaml

### Stage 2: Automated Deployment

- File: payload.ps1 - PowerShell script handling:
  - Privilege validation (SeLoadDriverPrivilege)
  - VBS/HVCI compatibility checks
  - Driver and exploit download from remote server
  - Windows service creation and management

### Stage 3: Kernel Exploitation

- File: exploit.c - Native code implementing:
  - RTCore64.sys device communication
  - SYSTEM process token extraction
  - Current process token replacement
  - Privilege escalation validation
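A defender-side counterpart to Stages 2 and 3, added here and not part of the repository: deploying the driver leaves a new kernel-driver service (System log Event ID 7045) and a driver-load record (Sysmon Event ID 6) for RTCore64.sys, and the script below flags both in constructed sample records shaped like those events. Because the driver carries a valid vendor signature, the Signed/Signature fields cannot distinguish it (that is the BYOVD point), so the file name and hash are the primary signals and the load path a supporting one. Field names follow the real events; the paths, signer string and hash values in the sample are constructed placeholders, and WATCHED_SHA256 stands in for the hashes published in the LOLDrivers entry linked below.

```python
import json

# Constructed sample records (not real logs) shaped like Sysmon Event ID 6
# (DriverLoad) and System log Event ID 7045 (new service installed). Field
# names follow those events; paths and hash values are constructed placeholders.
SAMPLE_LOG = r"""
{"EventID": 7045, "ServiceName": "RTCore64", "ServiceType": "kernel mode driver", "ImagePath": "C:\\Users\\Public\\RTCore64.sys"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\RTCore64.sys", "Signed": "true", "Signature": "Micro-Star International Co., Ltd.", "Hashes": "SHA256=CONSTRUCTED_PLACEHOLDER_1"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true", "Signature": "Microsoft Windows", "Hashes": "SHA256=CONSTRUCTED_PLACEHOLDER_2"}
"""

# Production rules should key on the SHA-256 values from the LOLDrivers entry for
# this driver (the file can be renamed); the hash set here is a placeholder.
WATCHED_NAMES = {"rtcore64.sys"}
WATCHED_SHA256 = {"CONSTRUCTED_PLACEHOLDER_1"}
# Where kernel drivers normally load from; a vendor install may load from its own
# program directory, so path is only a supporting signal.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def sha256_of(hashes_field):
    """Pick the SHA256 value out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    values = dict(p.partition("=")[::2] for p in hashes_field.split(",") if "=" in p)
    return values.get("SHA256", "").strip()


def classify(event):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    if event.get("EventID") == 7045 and "kernel" in event.get("ServiceType", "").lower():
        path, kind = event.get("ImagePath", ""), "kernel-driver service"
    elif event.get("EventID") == 6:
        path, kind = event.get("ImageLoaded", ""), "driver load"
        if sha256_of(event.get("Hashes", "")) in WATCHED_SHA256:
            reasons.append("driver hash is on the vulnerable-driver list")
    else:
        return reasons
    if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in WATCHED_NAMES:
        reasons.append(f"{kind} names a known-vulnerable driver")
    if not path.lower().startswith(DRIVER_DIRS):
        reasons.append(f"{kind} image is outside the standard driver directories")
    return reasons


def scan(log_text):
    """Return [(EventID, reasons)] for each suspicious newline-delimited JSON record."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["EventID"], reasons))
    return hits
```

On the sample, the service-install and the RTCore64.sys load are both flagged while the ntfs.sys load is not; HVCI is the preventive control the page's payload.ps1 checks for, and this detection is for hosts where it is not enforced.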

<img width="813" height="864" alt="image" src="https://github.com/user-attachments/assets/548542d5-01a3-4325-9581-9c6a689d52ef" />

## Memory Manipulation Architecture

The framework implements kernel memory access through a structured approach using the RTCore64.sys driver vulnerabilities:

<img width="1290" height="833" alt="image" src="https://github.com/user-attachments/assets/8efe4d10-0718-477e-ae90-3875f73deb49" />


🔗 [[ YOUTUBE DEMO ]](https://youtube.com/shorts/V2tqH53LRIw)

🔗 [CVE-2022-22077](https://nvd.nist.gov/vuln/detail/CVE-2022-22077?spm=a2ty_o01.29997173.0.0.1d61c921XdCRdQ) on NVD

🔗 [https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36](https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36)

🔗 [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/](https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/)

🔗 [https://github.com/grisuno/beacon](https://github.com/grisuno/beacon)

🔗 [https://github.com/grisuno/LazyOwn/](https://github.com/grisuno/LazyOwn/)




![Python](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54) ![Shell Script](https://img.shields.io/badge/shell_script-%23121011.svg?style=for-the-badge&logo=gnu-bash&logoColor=white) ![Flask](https://img.shields.io/badge/flask-%23000.svg?style=for-the-badge&logo=flask&logoColor=white) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y2Z73AV)
File Snapshot

[4.0K] /data/pocs/c16989a2bbbff5a37a559b31aeef2b27fbb7d803
├── [ 237] app.py
├── [ 97] build.sh
├── [5.1K] CODE_OF_CONDUCT.md
├── [7.8K] CONTRIBUTING.md
├── [ 943] CVE-2022-22077.yaml
├── [4.0K] docs
│   └── [7.5K] index.html
├── [7.8K] exploit.c
├── [ 54] install.sh
├── [ 34K] LICENSE
├── [4.0K] payload.ps1
├── [ 345] pull_request_template.md
├── [4.4K] README.md
├── [ 1] requirements.txt
├── [ 14K] RTCore64.sys
├── [ 619] SECURITY.md
└── [4.0K] workflows
    └── [ 902] github-actions-demo.yml

2 directories, 16 files