CVE-2023-28252 PoC — Windows Common Log File System Driver Elevation of Privilege Vulnerability

Source
Associated Vulnerability
Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2023-28252)
Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description
A modification to fortra's CVE-2023-28252 exploit, compiled to exe
Readme
# CVE-2023-28252-Compiled-exe

A modification of Fortra's excellent CVE-2023-28252 privesc exploit. Works on Windows 11 21H2 (clfs.sys version 10.0.22000.1574); also works on Windows 10 21H2, Windows 10 22H2, Windows 11 22H2 and Windows Server 2022.
This version retains the original functionality but adds the option to pass a binary to execute as an argument, which is useful if you don't have Visual Studio to hand.

## Description

For a (very) detailed explanation of the vulnerability, please see https://github.com/fortra/CVE-2023-28252/tree/master?tab=readme-ov-file


## Usage

- Build the project with Visual Studio if you prefer
- Use the precompiled exploit.exe if you prefer
- Run with: `exploit.exe <Token Offset> <Flag> <Program to execute>`
- Example: `exploit.exe 1208 1 calc.exe`


## Example

[CVE-2023-28252.webm](https://github.com/duck-sec/CVE-2023-28252-Compiled-exe/assets/129839654/27f286d7-e0e3-47ab-864a-e040f8749708)



## Credits
This exploit builds on the original PoC by [Fortra](https://github.com/fortra/CVE-2023-28252/tree/master?tab=readme-ov-file). Please read their excellent documentation!

## Disclaimer
This code is provided for educational and ethical security testing purposes only. It should be used responsibly and only in environments where explicit authorization has been granted. Unauthorized or malicious use is strictly prohibited. By using this code, you agree to adhere to all applicable laws, regulations, and ethical standards applicable in your jurisdiction. The creators and contributors disclaim any liability for any damages or consequences arising from the misuse or unauthorized use of this code.


File Snapshot

```
[4.0K] /data/pocs/2ab2149f65752652a545eb4e60fd2dce6295df1f
├── [4.0K] clfs_eop
│   ├── [ 42K] clfs_eop.cpp
│   ├── [2.3K] clfs_eop.h
│   ├── [7.3K] clfs_eop.vcxproj
│   ├── [1.2K] clfs_eop.vcxproj.filters
│   ├── [ 165] clfs_eop.vcxproj.user
│   ├── [ 918] crc32.h
│   ├── [164K] ntos.h
│   ├── [879K] ntoskrnl.lib
│   └── [4.0K] x64
│       ├── [4.0K] Debug
│       │   ├── [1.5K] clfs_eop.log
│       │   ├── [4.0K] clfs_eop.tlog
│       │   │   ├── [   2] CL.command.1.tlog
│       │   │   ├── [ 167] clfs_eop.lastbuildstate
│       │   │   └── [   0] unsuccessfulbuild
│       │   ├── [ 40K] vc143.idb
│       │   └── [230K] vc143.pdb
│       └── [4.0K] Release
│           ├── [ 297] clfs_eop.exe.recipe
│           ├── [ 950] clfs_eop.log
│           ├── [621K] clfs_eop.obj
│           ├── [4.0K] clfs_eop.tlog
│           │   ├── [ 736] CL.command.1.tlog
│           │   ├── [ 169] clfs_eop.lastbuildstate
│           │   ├── [ 41K] CL.read.1.tlog
│           │   ├── [ 424] CL.write.1.tlog
│           │   ├── [1.4K] link.command.1.tlog
│           │   ├── [4.7K] link.read.1.tlog
│           │   └── [ 418] link.write.1.tlog
│           └── [444K] vc142.pdb
├── [1.4K] clfs_eop.sln
├── [358K] exploit.exe
├── [ 11K] LICENSE
├── [1.6K] README.md
└── [4.0K] x64
    └── [4.0K] Release
        ├── [358K] clfs_eop.exe
        ├── [5.6M] clfs_eop.pdb
        └── [358K] exploit.exe

8 directories, 32 files
```