Arbitrary kernel memory access in MSI Afterburner RTCore64.sys/RTCore32.sys
CVE-2019-16098 affects the signed RTCore64.sys and RTCore32.sys drivers shipped with Micro-Star MSI Afterburner 4.6.2.15658. The vulnerable driver exposes functionality that allows any authenticated local user to perform arbitrary read and write operations against memory, including kernel address space, as well as access arbitrary I/O ports and model-specific registers (MSRs). This effectively provides an unprivileged user with a kernel-capable primitive through a legitimately signed third-party driver. Because the vulnerable driver remained validly signed, attackers can deploy the outdated driver in a Bring Your Own Vulnerable Driver (BYOVD) scenario and abuse it to modify kernel structures, disable security controls, terminate protected processes, unregister security callbacks, or execute code with elevated privileges.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single Windows C++ proof-of-concept (probe.cpp) plus an MIT LICENSE. The code targets CVE-2019-16098, a known vulnerable interface in the RTCore64.sys driver (commonly installed with MSI Afterburner/RivaTuner components). probe.cpp opens the device \\.\RTCore64 with CreateFileW (requires admin), then repeatedly issues DeviceIoControl using IOCTL 0x80002048 (RTCORE64_MEMORY_READ_CODE). It crafts an RTCORE64_MEMORY_READ request structure, sets Address to the address of a local variable (secret = 0xDEADCCCC), and requests a 4-byte read. The driver returns the read value in req.Value, which the program compares to the expected secret and prints status. It also monitors for failure conditions, specifically treating Win32 error 6 as an indication the device handle was closed/stripped. No networking, persistence, or code execution payload is present; it demonstrates an arbitrary read primitive through a vulnerable kernel driver interface and provides continuous monitoring output.
This repository is not a single CVE exploit PoC but a full Windows ransomware toolchain (“VortexCry”) with multiple components in C# and C/C++. Key capabilities observed:
- Ransomware encryption/decryption: the shared library (VortexCrypt/共享) implements AES file encryption and RSA-4096 wrapping of the AES key (public key embedded in VortexCrypt/xdll32/Program.cs). The main ransomware (VortexCrypt/xdll32/Program.cs) traverses the filesystem, encrypts files (adding the .VXCRY extension), drops a ransom HTML to C:\encrypted.html, disables recovery features (WinRE), attempts to disable UAC, and launches a GUI decryptor.
- Decryptor UI: VortexCrypt/@Vortex_decryptor is a WinForms decryptor. It can (a) fetch a key package over LAN from a user-supplied IP/host on TCP port 3568 (AesRsaEncryptionManager.GetRemoteAesKey), or (b) perform a manual key exchange by validating a SHA-256 hash passed as a command-line argument. It then decrypts files and restores critical system files (hal.dll, ntoskrnl.exe, sfc.exe) and an MBR backup if present.
- Destructive/lockdown actions: the shared HarmfulSysHacks.cs includes a direct MBR write via \\.\PhysicalDrive0 and functions to delete shadow copies and disable system recovery (portions truncated but referenced). The Rundl132 project explicitly calls ModifyMasterBootRecord() and TriggerBlueScreen(). The decryptor also contains a “Computer Eradication” button that triggers MBR modification and a BSOD.
- Process injection and evasion:
  - The C# injector (VortexCrypt/vcry) spawns multiple timeout.exe processes, XOR-deobfuscates embedded shellcode, and injects it into a target process using VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
  - The C++ injector (vcry/) includes APC injection and process selection (svchost.exe/RuntimeBroker.exe), plus a process hollowing project (vcry_hollow/) implementing suspended process creation, unmapping, relocation, and APC execution.
- Kernel driver tooling and DSE bypass:
  - Taskkill/ is a Windows kernel-mode driver project exposing IOCTLs via the device \\.\ProcessTerminator to terminate processes, mark “safe” processes, and set PPL-like protections.
  - vcry/DSEBypass.cpp uses a kernel write primitive via the device \\.\RTCore64 and references CVE-2019-16098 to modify Code Integrity options (g_CiOptions) to facilitate driver loading.
  - vcry/vcry.cpp drops a driver to C:\Windows\System32\drivers\vcry.sys, creates and starts a service (VortexCryDriver), and then continuously kills security processes (e.g., MsMpEng.exe, HipsDaemon.exe, 360tray.exe) using the driver.
Repository structure highlights:
- VortexCrypt/xdll32: primary ransomware encryptor/launcher (C#).
- VortexCrypt/@Vortex_decryptor: decryptor GUI and key acquisition logic.
- VortexCrypt/共享: shared crypto, registry, and “harmful system hacks” utilities.
- vcry/: C++ injection, DSE bypass, driver loading, and the AV-kill loop.
- Taskkill/: kernel driver implementing process termination/protection via IOCTLs.
- vcry_hollow/: process hollowing implementation.
- VortexCrypt/vcryx: drops DLLs to disk and executes them via rundll32.
No hardcoded external C2 domains/URLs were found in the provided content; the only explicit network observable is the LAN key-retrieval port (3568) with a user-supplied host/IP. Numerous high-signal host artifacts are present (C:\encrypted.html, \\.\PhysicalDrive0, \\.\RTCore64, \\.\ProcessTerminator, and dropped drivers/DLLs under C:\Windows\System32\drivers and System32).
This repository contains a local privilege escalation exploit for CVE-2019-16098, targeting the RTCore64.sys driver on Windows systems. The exploit is implemented in C++ (exploit.cpp) and works by interacting directly with the vulnerable driver via DeviceIoControl calls to custom IOCTL codes. The exploit leaks kernel addresses, traverses the EPROCESS linked list to locate the SYSTEM and target process tokens, and overwrites the token of a newly spawned cmd.exe process with the SYSTEM token, resulting in a SYSTEM-level shell. The only other file is a README.md, which briefly describes the exploit and links to a detailed blog post. The exploit requires local access and the presence of the vulnerable driver, and does not use any network endpoints. The main fingerprintable endpoints are the device path (\\.\RTCore64) and the path to cmd.exe. The code is operational and demonstrates a working privilege escalation payload.
This repository contains a working local privilege escalation exploit for CVE-2019-16098, targeting the MSI Afterburner RTCore64.sys driver (version 4.6.2.15658) on Windows. The exploit is implemented in C++ (SYSTEM_CONTEXT_RTCORE.cpp) and is designed to be built with Visual Studio 2019. The exploit dynamically locates the base address of ntoskrnl.exe and calculates the necessary offsets for the EPROCESS structure to steal the SYSTEM process token. It communicates with the vulnerable driver via the device object \\.\RTCore64, using custom IOCTL codes to read and write kernel memory. The exploit reads the Windows version from the registry to select the correct offsets for the EPROCESS structure. Upon successful exploitation, it spawns a new shell (cmd.exe) with SYSTEM privileges. The repository includes build files, Visual Studio project files, and logs, but the main exploit logic resides in SYSTEM_CONTEXT_RTCORE.cpp. The exploit is operational and has been tested on Windows 11 23H2 (build 22621.3447), but may require offset adjustments for other Windows versions.
This repository contains a working local privilege escalation exploit for CVE-2019-16098, targeting the RTCore64.sys driver from MSI Afterburner 4.6.2.15658 on Windows 10 x64 Version 1903. The main exploit is implemented in 'CVE-2019-16098.cpp', which interacts directly with the vulnerable driver via the device object '\\.\RTCore64'. The exploit leaks kernel addresses, locates the SYSTEM process, and overwrites the current process token with the SYSTEM token, effectively elevating privileges. It then spawns a new shell (cmd.exe) as SYSTEM. The exploit is operational and requires the vulnerable driver to be loaded and the system to match the hardcoded offsets (Windows 10 x64 1903). The repository includes build files for CMake and a README with usage instructions and output examples. No network or remote attack vectors are present; this is a local privilege escalation exploit.
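Added detection example, not code from this page, from Mallory, or from any of the repositories summarised above: it scans constructed Sysmon driver-load (Event ID 6) and System-log service-install (Event ID 7045) records for the RTCore64.sys/RTCore32.sys driver named in the CVE description and the exploit summaries, and rates a load from outside the vendor install directory as a likely BYOVD drop. The install directory, the key=value log format and the severity labels are assumptions of this example.

```python
import ntpath
import re
from dataclasses import dataclass

# Driver files from MSI Afterburner 4.6.2.15658 affected by CVE-2019-16098.
VULN_DRIVERS = {"rtcore64.sys", "rtcore32.sys"}
# Assumed vendor install directory (not from the page); a load from anywhere
# else is treated as a bring-your-own-vulnerable-driver candidate.
EXPECTED_DIR = r"c:\program files (x86)\msi afterburner"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    event_id: int
    path: str
    severity: str
    reason: str

def parse_line(line: str) -> dict:
    """Split 'Key=value Key="quoted value"' text into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def classify_driver_path(path: str):
    """Return (severity, reason) if path is the vulnerable driver, else None."""
    path = re.sub(r"^\\\?\?\\", "", path)  # 7045 ImagePath may carry the NT \??\ prefix
    if ntpath.basename(path).lower() not in VULN_DRIVERS:
        return None
    if ntpath.dirname(path).lower() == EXPECTED_DIR:
        return "medium", "vulnerable RTCore driver present; update MSI Afterburner or blocklist the driver"
    return "high", "vulnerable RTCore driver loaded from a non-vendor path (likely BYOVD)"

def scan(lines) -> list:
    """Collect findings from Sysmon driver-load (6) and service-install (7045) events."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID", "")
        path = {"6": ev.get("ImageLoaded"), "7045": ev.get("ImagePath")}.get(eid)
        hit = classify_driver_path(path) if path else None
        if hit:
            findings.append(Finding(int(eid), path, *hit))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    'EventID=6 ImageLoaded="C:\\Program Files (x86)\\MSI Afterburner\\RTCore64.sys" Signed=true',
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\cdrom.sys" Signed=true',
    'EventID=7045 ServiceName=RTCore64 ImagePath="\\??\\C:\\Users\\Public\\RTCore64.sys" StartType="demand start"',
    'EventID=6 ImageLoaded="C:\\Users\\Public\\RTCore64.sys" Signed=true',
]
```

Calling `scan(SAMPLE_LOG)` yields three findings: the vendor-path load rated medium, and the service install plus load from C:\Users\Public rated high.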
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A flaw in the signed RTCore64.sys driver that allows arbitrary read/write in kernel space, enabling bring-your-own-vulnerable-driver abuse for defense evasion and in support of credential theft.
Privilege escalation via vulnerable RTCore64.sys driver, used by BlackByte 2.0 for privilege escalation and defense evasion.
RTCore64.sys driver vulnerability leveraged for privilege escalation/defense evasion (BYOVD-style) by BlackByte 2.0 ransomware.