
CVE-2023-21674 PoC — Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

Associated Vulnerability
Title: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability (CVE-2023-21674)
Description: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
Readme

First in-the-wild 0-day of 2023 🔥
CVE-2023-21674, discovered by Avast, is a vulnerability in Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges.

-------------------------------------------------------------------------------------------------------------------------

```text
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff98061bbf8820, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8021a7120a4, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : AV.Type
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 1562

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 1654

    Key  : Analysis.Init.CPU.mSec
    Value: 421

    Key  : Analysis.Init.Elapsed.mSec
    Value: 13937

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 76

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Timestamp
    Value: 2022-05-06T12:50:00Z

    Key  : WER.OS.Version
    Value: 10.0.22621.1


FILE_IN_CAB:  MEMORY - Copy.DMP

DUMP_FILE_ATTRIBUTES: 0x1000

BUGCHECK_CODE:  50

BUGCHECK_P1: ffff98061bbf8820

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8021a7120a4

BUGCHECK_P4: 2

READ_ADDRESS:  ffff98061bbf8820 Special pool

MM_INTERNAL_CODE:  2

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  CVE-2023-21674-POC.exe

TRAP_FRAME:  ffff838564a3f660 -- (.trap 0xffff838564a3f660)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9805f9a9c600 rbx=0000000000000000 rcx=ffff98061bbf8600
rdx=ffff9805f0492f24 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8021a7120a4 rsp=ffff838564a3f7f0 rbp=0000000000000000
 r8=0000000000000000  r9=ffff838564a3f920 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!SeCreateClientSecurity+0x54:
fffff802`1a7120a4 4c8bb120020000  mov     r14,qword ptr [rcx+220h] ds:ffff9806`1bbf8820=????????????????
Resetting default scope

STACK_TEXT:  
ffff8385`64a3f438 fffff802`1a480701     : 00000000`00000050 ffff9806`1bbf8820 00000000`00000000 ffff8385`64a3f660 : nt!KeBugCheckEx
ffff8385`64a3f440 fffff802`1a24fe4c     : 00000000`00000000 00000000`00000000 ffff8385`64a3f5f9 00000000`00000000 : nt!MiSystemFault+0x2337d1
ffff8385`64a3f540 fffff802`1a437ddd     : ffff8385`64a3f6c0 fffff802`1a27419e 00000000`00000000 ffff9805`dd22f000 : nt!MmAccessFault+0x29c
ffff8385`64a3f660 fffff802`1a7120a4     : 00000000`00001301 ffffb989`a4084ce0 00000000`00000000 00000000`000009e8 : nt!KiPageFault+0x35d
ffff8385`64a3f7f0 fffff802`1a711dba     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SeCreateClientSecurity+0x54
ffff8385`64a3f890 fffff802`1a711b9e     : ffff9805`fbffee20 ffff8385`64a3fb20 ffff9805`fbffee20 00000000`00000000 : nt!AlpcpImpersonateMessage+0x11a
ffff8385`64a3f9c0 fffff802`1a43b968     : 00000000`000000d4 ffff9805`fbffee20 00000000`00000000 00000000`00001210 : nt!NtAlpcImpersonateClientOfPort+0x15e
ffff8385`64a3faa0 00007fff`bc8cfe24     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000da`8352f238 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`bc8cfe24


SYMBOL_NAME:  nt!SeCreateClientSecurity+54

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  54

FAILURE_BUCKET_ID:  AV_VRFK_R_(null)_nt!SeCreateClientSecurity

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {9ec8eba5-8500-2db9-9fec-a2667249961f}

Followup:     MachineOwner
---------
```
