# kur
:pager: A tiny code that performs kernel-mode read/write using CVE-2023-38817.

This code offers the ability to read and write memory in kernel mode from user mode by using a vulnerable signed driver.
It simply utilizes MmCopyVirtualMemory, an undocumented yet very commonly used kernel-mode API, so you can read and write any user-mode memory without having to worry about the protection set on the memory page. Besides that, it has a function to obtain a process handle for a given PID as a side feature. Since handle creation is conducted in kernel mode, standard access checks and callbacks won't kick in, I believe.
This project was created for study purposes, and it is not recommended to use it outside of a virtual machine.
# background
I've seen on the UC forum that this specific driver has a privilege escalation vulnerability.
So I started reversing the driver myself, and indeed the driver doesn't have any access control over its strong IOCTLs.
# the vulnerability
This project utilizes the vulnerability that was reported as CVE-2023-38817.
https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/
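From a defender's point of view, the two facts above (a signed driver with no access control on its IOCTLs, and handle creation done in kernel mode so ObRegisterCallbacks-style monitoring never sees it) mean the practical detection point is the driver load itself, not the later reads, writes or handle opens. The script below is an added example, not code from the kur project: it scans records shaped like Sysmon Event ID 6 ("Driver loaded") data fields and flags loads whose SHA256 is on a known-vulnerable-driver blocklist, that come from a user-writable directory, or that carry a non-valid signature. The sample events and the blocklist hash are constructed placeholders; a real deployment would take the hash list from a source such as loldrivers.io.

```python
"""Scan Sysmon Event ID 6 (Driver loaded) records for BYOVD-style driver loads.

Added example, not part of the kur project. The sample records and the
blocklist entry below are constructed for this demo; replace the blocklist
with real hashes (e.g. from loldrivers.io) before using it anywhere.
"""
from typing import Dict, List

# CONSTRUCTED placeholder entry, not a real driver hash.
BLOCKLIST_SHA256 = {
    "11" * 32,
}

# Directories a legitimate kernel driver is rarely loaded from.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def parse_hashes(hashes_field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA1=...,SHA256=...' string into {ALGO: lowercase hex}."""
    out: Dict[str, str] = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess(record: Dict[str, str], blocklist=BLOCKLIST_SHA256) -> List[str]:
    """Return the reasons a driver-load record looks suspicious (empty if none)."""
    reasons: List[str] = []
    image = record.get("ImageLoaded", "").lower()
    hashes = parse_hashes(record.get("Hashes", ""))

    if hashes.get("SHA256") in blocklist:
        reasons.append("hash matches known-vulnerable driver blocklist")
    if any(frag in image for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append("driver loaded from user-writable directory")
    # A valid signature does not clear a driver: BYOVD relies on exactly that,
    # which is why the hash check above runs regardless of signature status.
    if record.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def scan(records: List[Dict[str, str]], blocklist=BLOCKLIST_SHA256) -> Dict[str, List[str]]:
    """Return {ImageLoaded: reasons} for every flagged record."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = assess(rec, blocklist)
        if reasons:
            flagged[rec["ImageLoaded"]] = reasons
    return flagged


# Constructed sample events in the shape of Sysmon Event ID 6 data fields.
SAMPLE_EVENTS = [
    {   # ordinary OS driver: valid Microsoft signature, system path, unknown-clean hash
        "UtcTime": "2024-01-01 10:00:00.000",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\Ntfs.sys",
        "Hashes": "SHA256=" + "ab" * 32,
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # validly signed, but on the blocklist and dropped into a user temp dir
        "UtcTime": "2024-01-01 10:05:00.000",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\example_vuln.sys",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true",
        "Signature": "Example Vendor Ltd",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver from a world-writable location
        "UtcTime": "2024-01-01 10:07:00.000",
        "ImageLoaded": "C:\\Windows\\Temp\\unsigned_tool.sys",
        "Hashes": "SHA256=" + "cd" * 32,
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

The hash match is kept independent of the signature check on purpose: the whole point of a BYOVD primitive like this one is that the driver's signature is genuine, so "signed and valid" must never short-circuit the blocklist lookup. In a real pipeline the same `assess()` logic can be fed from the Sysmon event log export instead of the constructed list.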
# How to use
Since I was too lazy to implement it properly, you have to just include everything and compile.
All functionality is encapsulated in the kur_t class.
https://github.com/pseuxide/kur/blob/cd3da42b8a146af3ca83d5f95970b030bd55585f/kur/kur.h#L5-L14
# files
```
[4.0K] /data/pocs/ec29e5b4d1dff9ad5136223057452e7298171b38
├── [4.0K] kur
│   ├── [143K] echo_driver_resource.h
│   ├── [ 689] kur.cpp
│   ├── [ 266] kur_error.h
│   ├── [1.5K] kur.h
│   ├── [7.5K] kur.vcxproj
│   ├── [1.8K] kur.vcxproj.filters
│   ├── [  16] pch.cpp
│   ├── [ 194] pch.h
│   ├── [ 816] utils.cpp
│   ├── [ 458] utils.h
│   ├── [7.2K] vul_driver.cpp
│   └── [1.7K] vul_driver.h
├── [1.4K] kur.sln
├── [1.0K] LICENSE
└── [1.3K] README.md

1 directory, 15 files
```