
CVE-2022-25949 PoC — KINGSOFT Internet Security Buffer Error Vulnerability

Source

Associated Vulnerability

Title: KINGSOFT Internet Security Buffer Error Vulnerability (CVE-2022-25949)

Description: The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to a stack-based buffer overflow.

Description

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.
Readme
# CVE-2022-25949

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.

## 2009..?

I reported the issue in January 2014 and was notified of the CVE 8+ years later. I decided to upload this because it is amusing enough to find my old code and to see that it took that long.

Thus, this must not be a new vulnerability despite the new CVE -- a quick search showed multiple reports for the same-looking vulnerability already.

## Timeline

- Jan 12, 2014: I submit the issue to IPA
- Jan 15, 2014: IPA acknowledges the submission
- Mar 10, 2022: IPA notifies me of publication (I ignored it; I thought it was spam)
- Mar 15, 2022: An [advisory](https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000021.html) is published

I still thank IPA for doing their part and making my day.

## Notes

The vulnerable file appears to be [ffdedbaeccbcf0b697675b24ca313cbb8e1c9ba1bd2f0a0b58a2d6a04a038479](https://www.virustotal.com/gui/file/ffdedbaeccbcf0b697675b24ca313cbb8e1c9ba1bd2f0a0b58a2d6a04a038479/details)

```cpp
//
// Exploit for Kingsoft Antivirus KWatch Driver (KWatch3.sys)
// Target File Version: 2009.3.17.77
// Affected Product: Kingsoft Internet Security 9 Plus
//

/*
------------------------------------------------------------------------------
Shellcode is located at 7E7E7E7E.
The device was opened as 00000020.
Shellcode was executed.
The SYSTEM shell was launched.
This process will be suspended for ever.

------------------------------------------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\user\Desktop>whoami
nt authority\system
------------------------------------------------------------------------------
*/
```
File Snapshot

```
[4.0K] /data/pocs/2e444ab0948985ec5685e7fdf026be913d06124b
├── [1.0K] LICENSE
├── [1.7K] README.md
└── [4.0K] src
    ├── [4.0K] exploit_kwatch3
    │   ├── [6.5K] exploit_kwatch3.cpp
    │   ├── [4.1K] exploit_kwatch3.vcxproj
    │   └── [ 967] exploit_kwatch3.vcxproj.filters
    └── [1019] exploit_kwatch3.sln

2 directories, 6 files
```