Windows Kernel TOCTOU Race Condition Elevation of Privilege
CVE-2024-30088 is a Windows Kernel elevation of privilege vulnerability in ntoskrnl.exe caused by a double-fetch / time-of-check time-of-use race condition. The available technical analysis attributes the bug to TokenAccessInformation handling via NtQueryInformationToken, where kernel code ultimately reaches AuthzBasepCopyoutInternalSecurityAttributes. In the vulnerable path, a user-controlled UNICODE_STRING-related pointer is validated and later reused, allowing a racing thread to swap the Buffer pointer between check and copy operations. This creates a partial kernel write primitive. Public reporting and proof-of-concept material indicate the primitive can be used to overwrite token privilege data, including enabling SeDebugPrivilege, to escalate from Medium Integrity to SYSTEM. Additional analysis describes chaining the bug from a Chrome renderer sandbox by first modifying a kernel security descriptor used in restricted-caller checks, then using the resulting access to recover token addresses and complete privilege escalation.
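The double-fetch pattern described above, as an added secure-coding illustration that is not code from the page, from Microsoft, or from any of the listed proof-of-concept repositories: a user-mode caller hands the kernel a UNICODE_STRING-like struct that stays in user-writable memory, the kernel probes the Buffer pointer, and a copy-out later dereferences the struct again. The struct name USTRING, the two static arrays standing in for a user buffer and a kernel object, the attribute bytes and the interleave hook (a sequential stand-in for the racing thread, so the outcome is deterministic) are all constructed for this example. The copy direction is kernel-to-user, matching the page's description of the result as a write primitive; the hardened variant applies the standard fix of fetching user-controlled fields once, validating the captured copies, and never re-reading shared memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the UNICODE_STRING layout: byte lengths plus a Buffer pointer.
   The whole struct sits in memory the user side can still modify. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} USTRING;

/* Constructed regions: a pretend user-mode buffer and a pretend kernel object. */
uint16_t user_buf[32];
uint16_t kernel_obj[32];

/* Stand-in for the kernel's probe (ProbeForWrite-style): is [p, p+len) inside user_buf? */
static int probe_for_write(const uint16_t *p, size_t len_bytes) {
    uintptr_t lo = (uintptr_t)user_buf, hi = lo + sizeof user_buf, a = (uintptr_t)p;
    return a >= lo && a <= hi && len_bytes <= hi - a;
}

/* Hook standing in for the racing thread; it runs between the check and the use. */
typedef void (*interleave_fn)(USTRING *shared);

/* Vulnerable: Buffer is fetched from shared memory for the probe, then fetched AGAIN for the copy. */
int copyout_double_fetch(USTRING *shared, const uint16_t *src, uint16_t src_len, interleave_fn race) {
    if (shared->MaximumLength < src_len) return -1;
    if (!probe_for_write(shared->Buffer, src_len)) return -1;  /* first fetch: the check */
    if (race) race(shared);                                      /* other thread swaps shared->Buffer */
    memcpy(shared->Buffer, src, src_len);                        /* second fetch: the use */
    return 0;
}

/* Hardened: capture the user-controlled fields once, validate the captures, use only the captures. */
int copyout_captured(USTRING *shared, const uint16_t *src, uint16_t src_len, interleave_fn race) {
    uint16_t *buf = shared->Buffer;        /* single fetch of the pointer */
    uint16_t cap = shared->MaximumLength;  /* single fetch of the length */
    if (cap < src_len) return -1;
    if (!probe_for_write(buf, src_len)) return -1;
    if (race) race(shared);                /* shared->Buffer changes, but it is never read again */
    memcpy(buf, src, src_len);
    return 0;
}

/* Constructed racer: point Buffer at the pretend kernel object after the probe has passed. */
static void swap_to_kernel(USTRING *s) { s->Buffer = kernel_obj; }

/* Runs one copy routine under the race. Returns 1 if kernel_obj was overwritten,
   0 if the write landed in user_buf as intended, -1 if the routine refused the request. */
int kernel_object_clobbered(int (*copyout)(USTRING *, const uint16_t *, uint16_t, interleave_fn)) {
    const uint16_t attr[4] = { 0x4141, 0x4141, 0x4141, 0x4141 };  /* constructed attribute data */
    USTRING shared = { 0, (uint16_t)sizeof user_buf, user_buf };
    memset(user_buf, 0, sizeof user_buf);
    memset(kernel_obj, 0, sizeof kernel_obj);
    if (copyout(&shared, attr, (uint16_t)sizeof attr, swap_to_kernel) != 0) return -1;
    return kernel_obj[0] == 0x4141;
}

int main(void) {
    printf("double-fetch copy-out clobbers kernel object: %d\n", kernel_object_clobbered(copyout_double_fetch));
    printf("captured copy-out clobbers kernel object:     %d\n", kernel_object_clobbered(copyout_captured));
    return 0;
}
```

The interleave hook makes the race deterministic for teaching purposes; in a real kernel the window is only hit some fraction of the time, which is why the exploit summaries below describe repeated attempts. The defensive rule it demonstrates is the one that matters for reviewing any syscall handler: every field read from user-writable memory is copied into a kernel-local variable exactly once, and both the validation and the later use operate on that local.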
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a compact Visual Studio C++ proof-of-concept for CVE-2024-30088, adapted specifically for non-interactive execution environments such as WinRM. The repo contains a solution file, one main source file (poc/main.cpp), one helper header (poc/ex.h), and standard Visual Studio project metadata. README.md explains that the original exploit was modified to avoid interactive cmd.exe usage, replacing visible console creation with hidden execution and adding synchronous waiting and verbose logging. The exploit is a local privilege escalation PoC targeting Microsoft Windows. In main.cpp, it opens the current process token, uses helper logic from ex.h to recover the kernel pointer associated with that token via NtQuerySystemInformation(SystemExtendedHandleInformation), and then repeatedly calls NtQueryInformationToken while a racing thread corrupts fields in the token security attributes structure. The goal is to win a race condition and subsequently obtain a powerful handle to winlogon.exe, a SYSTEM process. Once successful, the code uses CreateProcessFromHandle in ex.h to create a new process with the privileged process handle set as the parent process attribute, effectively launching a child process as SYSTEM. The final stage is operational rather than generic: it hardcodes execution of PowerShell with the command to start C:\temp\shellz.exe. The process is created with EXTENDED_STARTUPINFO_PRESENT | CREATE_NO_WINDOW, making it suitable for WinRM or other headless sessions. This is not a scanner or detector; it is a real exploit PoC with a built-in payload launcher. There are no network endpoints or remote C2 indicators in the code. The main fingerprintable artifacts are local Windows paths, native API usage, and the explicit targeting of winlogon.exe as the privileged parent process.
This repository contains a local privilege escalation proof-of-concept (POC) exploit for Microsoft Windows, targeting a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) in token handling. The main exploit logic is implemented in 'main.cpp', with supporting functions in 'ex.h'. The exploit works by racing the system's token information retrieval and manipulation, ultimately obtaining a handle to the SYSTEM process (winlogon.exe) and spawning a SYSTEM-level command prompt (cmd.exe). The Visual Studio project files (.sln, .vcxproj, etc.) are present to facilitate building the exploit. The exploit requires local code execution and does not target any network endpoints. Its primary capability is privilege escalation from a regular user to SYSTEM on Windows platforms.
This repository contains a Python proof-of-concept (PoC) exploit for CVE-2024-30088, a local privilege escalation vulnerability affecting the Microsoft Windows kernel. The main file, CVE-2024-30088.py, uses the ctypes library to interact with low-level Windows APIs, mimicking the behavior of a typical C/C++ kernel exploit. The exploit attempts to obtain a handle to the winlogon.exe process, manipulates kernel memory via a race condition, and ultimately spawns a SYSTEM-level command prompt (cmd.exe). The README.md provides context, explaining that this is a technical exercise and warning that the Python implementation may be unstable compared to the original C++ exploit. The exploit is local-only, requiring code execution on the target system, and does not involve any network endpoints. The structure is straightforward: one Python exploit file and a README. The exploit demonstrates advanced process and memory manipulation techniques in Python, but is primarily for educational and demonstration purposes.
This repository implements a kernel exploit for Xbox SystemOS (CVE-2024-30088), targeting Xbox One and Xbox Series consoles running specific kernel versions. The exploit chain is initiated via the Game Script UWP application, with payloads delivered either through a full-trust file explorer or a USB keyboard simulator. The main exploit code (in C) leverages a race condition and a CPU side channel to achieve kernel code execution, ultimately elevating privileges to SYSTEM. Post-exploitation, the code can spawn a reverse shell (cmd.exe) or inject an SSH server into a privileged process, providing the attacker with full control over the console. The exploit requires the attacker to listen on TCP port 7070 for incoming connections from the compromised console. The repository is well-structured, with clear separation between the exploit logic, post-exploitation payloads, and supporting artifacts. It is operational and provides a working SYSTEM shell or arbitrary code execution on vulnerable Xbox consoles.
This repository contains a working local privilege escalation exploit for CVE-2024-30088, a race condition in the Windows kernel's AuthzBasepCopyoutInternalSecurityAttributes function. The exploit is implemented in C++ and consists of two main code files: 'poc/main.cpp' (the exploit logic) and 'poc/ex.h' (helper functions for process and handle manipulation). The exploit works by racing the kernel's copying of security attribute structures, allowing an attacker to achieve an arbitrary write in kernel memory. The exploit then targets the winlogon.exe process to obtain a SYSTEM token and spawns a SYSTEM-level command prompt (cmd.exe). The repository includes Visual Studio project files for building the exploit. No network endpoints are involved; the attack vector is purely local. The exploit is operational and demonstrates a full privilege escalation chain on unpatched Windows systems.
This repository is a proof-of-concept (PoC) exploit for CVE-2024-30088, a local privilege escalation vulnerability in Microsoft Windows 10 x64. The vulnerability exists in the NtQueryInformationToken function, specifically due to improper locking in the AuthzBasepCopyoutInternalSecurityAttributes function, which can be exploited via a race condition. The exploit is implemented in C++ and consists of two main code files: 'poc/main.cpp' (the main exploit logic) and 'poc/ex.h' (helper functions and structures). The exploit works by racing the kernel to manipulate token security attributes, ultimately obtaining a handle to the SYSTEM process (winlogon.exe) and using it to spawn a SYSTEM-level command prompt (cmd.exe). The exploit requires local code execution and patience, as the race condition may take several attempts to win. The repository includes Visual Studio project files for building the PoC. No network or remote attack vectors are present; this is a purely local privilege escalation exploit.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows Kernel vulnerability referenced as previously exploited in Iran-affiliated threat campaigns and listed in CISA KEV.
A privilege escalation vulnerability explicitly cited as exploited by APT34/OilRig in campaigns targeting governmental organizations in the UAE and Gulf region.
A Microsoft Windows Kernel TOCTOU race condition vulnerability whose CISA KEV knownRansomwareCampaignUse field flipped from Unknown to Known (evidence of ransomware campaign use).
Unknown (referenced as a Windows local exploit module name in Metasploit; no vulnerability details are provided in the content).
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.