
CVE-2019-16098 PoC — Micro Star MSI Afterburner Security Vulnerability

Associated Vulnerability
Title: Micro Star MSI Afterburner Security Vulnerability (CVE-2019-16098)
Description: The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.
Description
This PoC rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (aka RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address for ntoskrnl.exe, I calculate it dynamically and also calculate all offsets.
Readme
# NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE
This project rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (aka RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address for ntoskrnl.exe, I calculate it dynamically and recalculated all offsets for a newer version of Windows. EPROCESS is an opaque structure that serves as the process object for a process, and the PsInitialSystemProcess global variable points to the process object of the System process. To compute the address of PsInitialSystemProcess we therefore need the ntoskrnl.exe base address, which is calculated dynamically; after that, the offsets of all EPROCESS fields needed to steal the System token and escalate privileges are calculated. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.


https://github.com/user-attachments/assets/64295738-987a-4309-811a-c8805d788e05



## Flow of code
* Define the structures required for RTCore64 read and write operations.
* Calculate the base address of ntoskrnl.exe.
* Calculate the offset and address of PsInitialSystemProcess.
* Calculate the offsets of the required EPROCESS fields (Token, UniqueProcessId, ActiveProcessLinks).
* Use the device object to steal the System process token and write it over the current process's token.
* Run elevated in the System context.

## Usage 
* Build and compile the program with Visual Studio 2019.
* Start the service before executing the compiled binary.
* Create the service: `sc create RTCORE64 binPath="Path of Driver File" type=kernel`
* Start the service: `sc start RTCORE64`
* Run the compiled binary and get NT AUTHORITY\SYSTEM.
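The `sc create ... type=kernel` step above is the part of this procedure a defender can see: a new kernel-mode driver service installed from a user-writable path, using a driver name already known to be vulnerable. The following detector is an added example (not part of this PoC or the PPLKiller project); it runs over constructed records shaped like Windows System log Event ID 7045 (service installed) and Sysmon Event ID 6 (driver loaded), and the dictionary field names are assumptions chosen for this example.

```python
# Added example (not from the original PoC): flag kernel-driver installs/loads
# that match the driver names named on this page or come from untrusted paths.
import re
from dataclasses import dataclass
from typing import Optional

# Driver image names taken from the advisory text on this page.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys", "rtcore32.sys"}
# Directories a legitimately installed driver is expected to live in.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


@dataclass
class Finding:
    severity: str
    reason: str
    record: dict


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def analyze(record: dict) -> Optional[Finding]:
    """Return a Finding when a record describes a suspicious kernel driver."""
    event_id = record.get("event_id")
    if event_id == 7045:
        # Event 7045: a new service was installed; drivers use the kernel-mode type.
        if record.get("service_type") != "kernel mode driver":
            return None
        image = record.get("image_path", "")
    elif event_id == 6:
        image = record.get("image_loaded", "")  # Sysmon: driver image that was loaded
    else:
        return None
    name = _basename(image)
    if name in KNOWN_VULNERABLE_DRIVERS:
        return Finding("high", f"known vulnerable driver {name} (CVE-2019-16098)", record)
    if not image.strip('"').lower().startswith(TRUSTED_DRIVER_DIRS):
        return Finding("medium", f"kernel driver from non-standard path: {image}", record)
    return None


def scan(records):
    return [f for f in (analyze(r) for r in records) if f]


# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_RECORDS = [
    {"event_id": 7045, "service_name": "RTCORE64", "service_type": "kernel mode driver",
     "image_path": r"C:\Users\user\Downloads\Driver\RTCore64.sys"},
    {"event_id": 7045, "service_name": "MyAppSvc", "service_type": "user mode service",
     "image_path": r"C:\Program Files\MyApp\svc.exe"},
    {"event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"event_id": 6, "image_loaded": r"C:\Temp\tool.sys"},
]
```

Running `scan(SAMPLE_RECORDS)` yields a high-severity finding for the RTCORE64 service and a medium one for the driver loaded from `C:\Temp`; a name match alone is a reasonable first signal, but a real deployment would also compare the file hash against a vulnerable-driver blocklist.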

## NOTE
* Tested on Windows 11 23H2 (ReleaseId 2009, build number 22621.3447, major version 10).
* Newer releases and build numbers may have different offsets.
* This code uses the PPLKiller technique to get the base address of ntoskrnl.exe.

### Disclaimer
Only for educational purposes.

### References
* https://github.com/Barakat/CVE-2019-16098
* https://github.com/RedCursorSecurityConsulting/PPLKiller



File Snapshot

[4.0K] /data/pocs/19adecaf97b75cec0ee03bcc31ddc4bdf685e045
├── [1.0K] LICENSE
├── [2.1K] README.md
└── [4.0K] SYSTEM_CONTEXT_RTCORE
    ├── [4.0K] Driver
    │   └── [ 14K] RTCore64.sys
    ├── [4.0K] SYSTEM_CONTEXT_RTCORE
    │   ├── [6.7K] SYSTEM_CONTEXT_RTCORE.cpp
    │   ├── [6.4K] SYSTEM_CONTEXT_RTCORE.vcxproj
    │   ├── [ 973] SYSTEM_CONTEXT_RTCORE.vcxproj.filters
    │   ├── [ 165] SYSTEM_CONTEXT_RTCORE.vcxproj.user
    │   └── [4.0K] x64
    │       ├── [4.0K] Debug
    │       │   ├── [4.0K] SYSTEM_C.325995fb.tlog
    │       │   │   ├── [ 922] CL.command.1.tlog
    │       │   │   ├── [ 26K] CL.read.1.tlog
    │       │   │   ├── [ 808] CL.write.1.tlog
    │       │   │   ├── [1.5K] link.command.1.tlog
    │       │   │   ├── [3.5K] link.read.1.tlog
    │       │   │   ├── [ 804] link.write.1.tlog
    │       │   │   └── [ 179] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │       │   ├── [ 975] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │       │   ├── [ 320] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │       │   ├── [668K] SYSTEM_CONTEXT_RTCORE.ilk
    │       │   ├── [ 154] SYSTEM_CONTEXT_RTCORE.log
    │       │   ├── [ 80K] SYSTEM_CONTEXT_RTCORE.obj
    │       │   ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │       │   ├── [251K] vc143.idb
    │       │   └── [156K] vc143.pdb
    │       └── [4.0K] Release
    │           ├── [4.0K] SYSTEM_C.325995fb.tlog
    │           │   ├── [ 930] CL.command.1.tlog
    │           │   ├── [ 26K] CL.read.1.tlog
    │           │   ├── [ 626] CL.write.1.tlog
    │           │   ├── [1.6K] link.command.1.tlog
    │           │   ├── [4.0K] link.read.1.tlog
    │           │   ├── [1.0K] link.write.1.tlog
    │           │   └── [ 181] SYSTEM_CONTEXT_RTCORE.lastbuildstate
    │           ├── [1.3K] SYSTEM_CONTEXT_RTCORE.Build.CppClean.log
    │           ├── [ 322] SYSTEM_CONTEXT_RTCORE.exe.recipe
    │           ├── [ 66K] SYSTEM_CONTEXT_RTCORE.iobj
    │           ├── [ 20K] SYSTEM_CONTEXT_RTCORE.ipdb
    │           ├── [ 357] SYSTEM_CONTEXT_RTCORE.log
    │           ├── [222K] SYSTEM_CONTEXT_RTCORE.obj
    │           ├── [   0] SYSTEM_CONTEXT_RTCORE.vcxproj.FileListAbsolute.txt
    │           └── [140K] vc143.pdb
    └── [1.4K] SYSTEM_CONTEXT_RTCORE.sln

8 directories, 38 files