This repository contains an exploit for the BufferOverflowNonPagedPoolNx vulnerability in HackSys Extreme Vulnerable Driver (HEVD).

The exploit targets Windows 10 Version 22H2 (OS Build 19045.3930) and demonstrates a technique to achieve privilege escalation from a low-integrity process to SYSTEM.

Exploit Overview

The exploit leverages the BufferOverflowNonPagedPoolNx vulnerability to create a “ghost chunk” through Aligned Chunk Confusion in the NonPagedPoolNx region. This ghost chunk is then manipulated to achieve arbitrary read and write primitives, which are subsequently used to elevate privileges.

Key techniques:

  1. Creation of a ghost chunk using Aligned Chunk Confusion in NonPagedPoolNx, enabling leakage and manipulation of HEAP_VS_CHUNK_HEADER, POOL_HEADER, and PipeQueueEntry structures via the previous chunk.
  2. Establishment of an arbitrary read primitive by manipulating the PipeQueueEntry structure within the ghost chunk to set up a fake PipeQueueEntrySub.
  3. Establishment of an arbitrary decrement primitive by altering the POOL_HEADER structure within the ghost chunk to set a fake ProcessBilled.
  4. Establishment of an arbitrary write primitive by zeroing the PreviousMode in the current thread’s KTHREAD structure.
  5. Elevation to SYSTEM privileges by modifying the Token in the current process’s EPROCESS structure.
  6. Stabilization of the system and avoidance of BSoD by manipulating the HEAP_VS_CHUNK_HEADER structures of the ghost chunk and its linked chunks to prevent detection of the corrupted chunk.

Tested Environment

This exploit was tested in the following environment:

  • Windows 10 Version 22H2 (OS Build 19045.3930)
  • KVA Shadow: Enabled
  • VBS/HVCI: Disabled
  • Integrity Level: Low

For more information click here.

Published by Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a comment

Your email address will not be published. Required fields are marked *