Windows AppLocker appid.sys Kernel Elevation of Privilege
CVE-2024-21338 is a Windows kernel elevation-of-privilege vulnerability in the AppLocker driver (appid.sys). The flaw is reachable from user mode through IOCTL 0x22A018, exposed by the \Device\AppId device. The vulnerable IOCTL, intended to compute a smart hash of an executable image file, accepts an input buffer containing two kernel callback pointers used for file-size and file-read operations. Because user mode can supply arbitrary pointers, the handler ends up performing an arbitrary kernel indirect call with partial control of the first argument. Avast reported in-the-wild exploitation by Lazarus Group, which impersonated the Local Service account to obtain the write handle to \Device\AppId that the IOCTL requires, then abused the bug to corrupt the current thread's KTHREAD PreviousMode byte. With PreviousMode flipped, the PreviousMode-based checks in the system call layer no longer apply, giving a kernel read/write primitive from user space; this was then used to deploy an updated FudModule rootkit. The vulnerable handler was introduced in Windows 10 version 1703 and is present in later Windows versions up to and including Windows 11 23H2; Microsoft patched the issue in February 2024 by adding an ExGetPreviousMode check that blocks user-mode-initiated access to the vulnerable callback path.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a Windows local privilege escalation PoC for CVE-2024-21338 (appid.sys/AppLocker driver). It is a Visual Studio C++ solution/project (CVE-2024-21338.slnx, .vcxproj) with core exploit logic in three C++ sources:
- main.cpp orchestrates token/impersonation, gadget discovery, IOCTL triggering, and the post-exploitation memory write.
- CVE-2024-21338.cpp implements prerequisite helpers: enabling privileges, enumerating processes, duplicating a SYSTEM token from winlogon.exe, querying the kernel module base via NtQuerySystemInformation, and resolving kernel object pointers from handles.
- gadget_search.cpp provides PE parsing and pattern scanning utilities to map ntoskrnl.exe from disk and locate a KCFG-compatible gadget in the PAGE section.
Exploit flow (high level):
- Enables token privileges (SeDebug/SeImpersonate/SeAssignPrimaryToken/SeIncreaseQuota).
- Duplicates a SYSTEM token from winlogon.exe, impersonates SYSTEM, enumerates svchost.exe processes, and selects one running as LocalService (SID S-1-5-19). It then impersonates LocalService to open the vulnerable device \\.\AppID.
- Maps C:\Windows\System32\ntoskrnl.exe in user mode, resolves the kernel base of ntoskrnl.exe, and searches for a hardcoded byte-pattern gadget in the PAGE section. It also computes the offset of ETHREAD->PreviousMode by pattern searching ExGetPreviousMode.
- Creates a file (test.txt) and uses system handle enumeration to obtain the kernel FILE_OBJECT pointer for the file handle; also resolves the kernel ETHREAD pointer for the current thread.
- Sends DeviceIoControl to \\.\AppID with IOCTL 0x22A018 and an APPID_KERNEL_EXPLOIT structure containing: a pointer to a target address (threadObj + PreviousModeOffset + 0x30), a FILE_OBJECT pointer, and a small "shellcode array" that effectively supplies a gadget address and a function pointer (ZwQuerySystemInformation RVA rebased to kernel) to achieve a kernel write primitive.
- After PreviousMode is flipped to Kernel, it calls NtWriteVirtualMemory on the current process to write 4 bytes to an arbitrary address provided interactively by the user, demonstrating arbitrary kernel memory modification.
No network C2 or remote endpoints are present; the exploit is purely local and interacts with Windows kernel/user APIs and the AppID device interface.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-21338, a local privilege escalation vulnerability in the Windows 11 22H2 Build 22621 appid.sys driver. The main file, 'cve-2024-21338.c', is a C program that demonstrates how to exploit the vulnerability by crafting a malicious SMART_HASH_IMAGE_FILE structure and sending it to the appid.sys driver via DeviceIoControl. The exploit leverages Direct Kernel Object Manipulation (DKOM) to overwrite the current process's token with that of the SYSTEM process, effectively granting SYSTEM privileges. After successful exploitation, the code spawns a SYSTEM shell (cmd.exe). The exploit requires local access and sufficient privileges to interact with device drivers. The repository also includes a README and a GitHub Actions workflow file, but the core exploit logic resides in the C source file.
This repository provides a proof-of-concept (PoC) local privilege escalation exploit for CVE-2024-21338, a vulnerability in Microsoft Windows. The main exploit file, 'CVE-2024-21338.c', demonstrates how to leverage a vulnerable device driver (accessed via the device name '\\?\AppID' and IOCTL 0x22A018) to manipulate kernel memory structures. The exploit locates and manipulates kernel objects such as KTHREAD and EPROCESS, and uses direct system calls (via ntdll.dll) to perform memory operations. The exploit ultimately overwrites process tokens to escalate privileges to SYSTEM and spawns a SYSTEM shell (cmd.exe). The repository also includes 'example-with-windbg.c', which is a variant intended for debugging and manual manipulation with WinDbg, and 'defines.h', which contains necessary structure and function definitions for interacting with Windows kernel APIs. The exploit is not weaponized but serves as a functional PoC for researchers and defenders to understand and test the vulnerability.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2024-21338, a local privilege escalation vulnerability affecting Microsoft Windows 10 and 11 with HVCI enabled. The exploit is implemented in C++ and is structured as a Visual Studio project, with the main logic spread across several files:
- `main.cpp` is the entry point, checking for administrator privileges and orchestrating the privilege escalation steps.
- `impersonate.cpp` and `impersonate.hpp` handle token manipulation and impersonation, allowing the exploit to escalate from admin to SYSTEM and then to Local Service.
- `poc.cpp` and `poc.hpp` contain the core exploit logic, including kernel memory manipulation via a vulnerable IOCTL (0x22A018) in the AppLocker driver. The exploit crafts specific buffers and leverages Windows internals to manipulate the 'PreviousMode' field in the ETHREAD structure, ultimately allowing code execution in kernel mode.
- `console.hpp` provides logging and console management utilities.
The exploit requires local administrator access and targets the AppLocker driver to achieve kernel-level code execution. It does not contain a weaponized or post-exploitation payload, but demonstrates the ability to escalate privileges by manipulating kernel structures. The only fingerprintable endpoint is the creation of a dummy file at `C:\Users\Public\example.txt` for exploitation purposes. No network or remote attack vectors are present; this is a purely local privilege escalation exploit.
This repository contains a single exploit file (CVE-2024-21338.cpp) targeting CVE-2024-21338, a local privilege escalation vulnerability in the Windows AppLocker driver (appid.sys). The exploit is written in C++ and is intended to be compiled and run on a Windows system where a vulnerable version of appid.sys is present. The code interacts directly with the device object for the driver (\\.\GLOBALROOT\Device\AppId) and leverages kernel memory manipulation to escalate privileges. It locates and duplicates the token of the winlogon.exe process to spawn a SYSTEM-level shell (cmd.exe). The repository structure is minimal, containing only the exploit source code and a .gitignore file. The exploit is operational and provides a working SYSTEM shell if successful, but is not part of a larger framework and does not include detection or auxiliary scripts.
This repository contains a functional local privilege escalation exploit for CVE-2024-21338, targeting Microsoft Windows 10 22H2 (10.0.19045.3930) with the January 2024 update (KB5034122). The exploit is implemented in C++ (main.cpp) and leverages a vulnerability in the AppId device driver (\\.\GLOBALROOT\Device\AppId) to perform arbitrary kernel memory read/write operations. The exploit locates the SYSTEM process's token in kernel memory and overwrites the current process's token, effectively granting SYSTEM privileges. Upon success, it spawns a SYSTEM-level command prompt (cmd.exe). The code demonstrates advanced kernel exploitation techniques, including kernel pointer leakage, token stealing, and direct DeviceIoControl interaction. The repository also includes a minimal README.md. No network endpoints are present; the attack vector is purely local, requiring code execution on the target system.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2024-21338, a local privilege escalation vulnerability affecting Microsoft Windows 10 and 11 with HVCI enabled. The exploit is implemented in C++ and is structured as a Visual Studio project. The main entry point is 'src/main.cpp', which checks for administrator privileges, impersonates SYSTEM and LOCAL SERVICE accounts, and then executes the core exploit logic in 'src/poc.cpp'. The exploit works by crafting and sending a malicious IOCTL (0x22A018) to the AppLocker driver, manipulating kernel memory structures to escalate privileges from Administrator to SYSTEM. The code includes helper classes for token manipulation and impersonation ('impersonate.cpp', 'impersonate.hpp'), as well as detailed logging utilities ('console.hpp'). The exploit requires local access and administrator rights to run, and does not target remote or networked systems. No hardcoded IPs or network endpoints are present; the only fingerprintable endpoint is the use of a dummy file at 'C:\Users\Public\example.txt' for kernel object manipulation. The repository is a standalone PoC and does not belong to any exploit framework.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day vulnerability exploited in the wild in 2024, attributed to North Korean state-sponsored and financially motivated groups.
A Windows elevation-of-privilege vulnerability enabling escalation from administrator to kernel-level privileges; explicitly noted as used in the wild.
A local privilege escalation vulnerability in Microsoft Windows, allowing attackers to gain elevated privileges on a compromised system.
A zero-day vulnerability in the appid.sys (AppLocker) driver in Windows, exploited by advanced variants of the FudModule rootkit to gain admin-to-kernel access.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.