CVE-2021-31728 PoC — MalwareFox Anti-Malware Security Vulnerability

Source
Associated Vulnerability
Title: MalwareFox Anti-Malware Security Vulnerability (CVE-2021-31728)
Description: Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \\.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018. This exposes ring 0 code execution in the context of the driver, allowing the non-privileged process to elevate privileges.
Description
Vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution. CVE-2021-31727 and CVE-2021-31728 public reference.
Readme
### CVE-2021-31727 and CVE-2021-31728
###### [Public Reference for CVE-2021-31727](CVE-2021-31727.md)
Exposes unrestricted disk read/write capabilities.
###### [Public Reference for CVE-2021-31728](CVE-2021-31728.md)
Exposes arbitrary ring 0 code execution directly.

![](poc.gif)
### Credit
[Lima X](https://github.com/Lima-X) helped with the SystemBigPoolInformation idea.
File Snapshot

[4.0K] /data/pocs/081ef4674e3de684fe69f51681b702cf0b9357b9
├── [ 800] CVE-2021-31727.md
├── [2.2K] CVE-2021-31728.md
├── [4.0K] disk_rw
│   ├── [2.6K] disk_rw.vcxproj
│   ├── [ 205] disk_rw.vcxproj.filters
│   └── [4.4K] main.c
├── [4.0K] kernel_exec
│   ├── [2.7K] kernel_exec.vcxproj
│   ├── [ 205] kernel_exec.vcxproj.filters
│   └── [ 27K] main.c
├── [ 58K] poc.gif
├── [ 371] README.md
└── [1.2K] zampoc.sln

2 directories, 11 files