3 July 2024

Inside of Windows: How a Double-Fetch Vulnerability Leads to SYSTEM Access

24H2 NT Kernel Exploit [POC]

📌Target: NT kernel in Windows 11 24H2 Insider Preview.

📌Vulnerabilities: Multiple kernel vulnerabilities in ntoskrnl.exe.

Exploit Technique:

📌Uses process token swap to gain NT AUTHORITY\SYSTEM privileges.

📌Walks the PsActiveProcessHead list to find a privileged process and its token.

📌Replaces the token of the exploit process with the privileged token.

📌Spawns a new command prompt with SYSTEM privileges.

Bypassing KASLR:

📌Uses side-channel attacks to locate the kernel base address.

📌Highlights weaknesses in the new KASLR implementation.

Components:

📌teb_nt_poc.c: The main exploit code.

📌prefetch_asm.asm and prefetch_leak.h: Used for side-channel attacks to bypass kernel ASLR.

📌find_nt_offsets.h and find_nt_offsets.c: Finds non-exported globals in NT using Capstone.

📌ntos.h: Contains miscellaneous non-public structs and functions related to NT.


CVE-2024-21345 [POC]

📌Vulnerability: Proof-of-Concept (PoC) for CVE-2024-21345.

📌Target: Specific vulnerability in a software component.

Exploit Details:

📌The vulnerability involves a double-fetch issue in NtQueryInformationThread, leading to an arbitrary write.

📌Exploitation can result in high integrity and confidentiality impacts, with availability also rated as high.
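The double-fetch pattern named above, as an added illustration that is not part of the original post or of the PoC: a stand-alone user-mode C model in which a length field living in caller-controlled memory is checked and then re-read (vulnerable) versus captured once into kernel-owned storage and validated (hardened). The `shared_hdr_t`, `race_hook_t` and `grow_length` names are constructed for the model; nothing here is the real NtQueryInformationThread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: the caller hands the kernel a header that lives in
 * user-mode memory, so another user thread can rewrite it at any moment.
 * This is a stand-alone user-mode simulation, not NT code. */
typedef struct {
    uint32_t length;            /* caller-controlled, may change between reads */
} shared_hdr_t;

#define OUT_CAP 16              /* size the kernel-side output buffer is assumed to have */

/* Hook run between the two accesses so a test can play the racing writer. */
typedef void (*race_hook_t)(shared_hdr_t *hdr);

/* VULNERABLE: the bounds check reads hdr->length, then the copy reads it
 * again. A write landing between the two reads passes the check with a
 * small value and performs the copy with a large one (the double fetch).
 * Returns the byte count actually used; anything above OUT_CAP is the bug. */
size_t query_double_fetch(shared_hdr_t *hdr, uint8_t *out, race_hook_t race)
{
    if (hdr->length > OUT_CAP)          /* fetch #1: validation */
        return 0;
    if (race)
        race(hdr);                      /* the race window */
    memset(out, 0x41, hdr->length);     /* fetch #2: use of an unvalidated value */
    return hdr->length;
}

/* HARDENED: fetch exactly once into kernel-owned storage, validate that
 * copy, and never touch the shared memory again. The same race now has
 * nothing to influence. (Real NT code would additionally ProbeForRead the
 * user pointer and wrap the access in a try/except; omitted in this model.) */
size_t query_single_fetch(shared_hdr_t *hdr, uint8_t *out, race_hook_t race)
{
    uint32_t len = *(volatile uint32_t *)&hdr->length;  /* the only fetch */
    if (len > OUT_CAP)
        return 0;
    if (race)
        race(hdr);                      /* too late: len is already captured */
    memset(out, 0x41, len);
    return len;
}

/* Constructed racing writer: enlarges the length after validation has passed. */
void grow_length(shared_hdr_t *hdr) { hdr->length = 4 * OUT_CAP; }
```

The hardened form is the standard review check for this bug class: every value read from user memory is copied to a local exactly once, and every check and use afterwards refers to that local.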


CVE-2024-26218 [POC]

📌Vulnerability: Proof-of-Concept (PoC) for CVE-2024-26218.

📌Target: Specific vulnerability in a software component.

Exploit Details:

📌The vulnerability allows attackers to elevate their privileges to SYSTEM level, which can lead to full control over the affected system.

