CVE-2023-36407

This is poc for CVE-2023-36407, Hyper-V Elevation of Privilege Vulnerability.

CVE-2023-36407.mp4

Vulnerability

OOB Read/Write from/to Non-paged Pool via winhvr.sys!WinHvGet/SetVpState

Reproduction Steps

Environment I used: Windows 11 22H2 x64
Patch: kb5031354
control code for WinHvSetVpState: 0x221268
- if poc does not work, analyze Vid.sys to find out control code for WinHvSetVpState and change it

Build

Just build the project(Release/x64), then CVE-2023-36407.exe will be generated.

Reproduction

run CVE-2023-36407.exe in vulnerable Hyper-V Host(Root Partition)
Boom

How it works?

CVE-2023-36407.exe calls DeviceIoControl that invokes winhvr.sys!WinHvSetVpState
In WinHvSetVpState, memcpy copies data from input buffer(user-controlled) to Non-paged Pool memory
- length of data to copy depends on input data's length
The Non-paged Pool Memory is 0x1000 bytes size and there is no size check for input before calling memcpy
- BOF in Non-paged Pool
BSOD occurs because of the corruption

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
.gitattributes		.gitattributes
.gitignore		.gitignore
CVE-2023-36407.sln		CVE-2023-36407.sln
CVE-2023-36407.vcxproj		CVE-2023-36407.vcxproj
CVE-2023-36407.vcxproj.filters		CVE-2023-36407.vcxproj.filters
README.md		README.md
main.c		main.c

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2023-36407

Vulnerability

Reproduction Steps

Build

Reproduction

How it works?

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

CVE-2023-36407

Vulnerability

Reproduction Steps

Build

Reproduction

How it works?

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages