Using CVE-2023-21768 to manually map a kernel-mode driver
- Host: GitHub
- URL: https://github.com/samueltulach/nullmap
- Owner: SamuelTulach
- Created: 2023-03-10T19:08:28.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-03-10T20:16:53.000Z (almost 2 years ago)
- Last Synced: 2024-12-10T07:51:49.922Z (about 2 months ago)
- Topics: cve-2023-21768, driver, exploit, kernel, manual-mapper, mapper, windows
- Language: C
- Homepage:
- Size: 20.5 KB
- Stars: 176
- Watchers: 3
- Forks: 35
- Open Issues: 4
Metadata Files:
- Readme: README.md
README
# nullmap
A very simple driver manual mapper based on my older [voidmap](https://github.com/SamuelTulach/voidmap) and the [CVE-2023-21768 POC](https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768) by [chompie](https://twitter.com/chompie1337) and [b33f](https://twitter.com/FuzzySec). Because the underlying IoRing post-exploitation memory read/write primitive does not handle many consecutive reads and writes very well, I've decided to overwrite CR4 to disable SMEP/SMAP so that the driver can be executed from where it is mapped in user mode. Tested on Windows 11 22H2 (22621.525).

Usage:
```
nullmap.exe
```

Possible problems:
- The manually mapped driver will reside in a pool allocated by ExAllocatePool. If you want to use this for anything more serious, you should consider finding a better way of allocating memory so that it cannot be dumped so easily.
- There is no easy way to read the original CR4 value, which means that I had to hard-code the value that was there on my system. While it should be the same for most modern CPUs, you should still double-check that the value is correct.
- I've hard-coded the offset to NtGdiGetEmbUFI since there is no easy way to sigscan it, which means that you will have to update this offset for your specific Windows build.
- It was written in one afternoon, so it might not be the cleanest code base.

Video:
[![video](https://img.youtube.com/vi/qdAZ8mTsTrc/0.jpg)](https://www.youtube.com/watch?v=qdAZ8mTsTrc)