
CVE-2021-31956 PoC — Windows NTFS Elevation of Privilege Vulnerability

Source
Associated Vulnerability
Title: Windows NTFS Elevation of Privilege Vulnerability (CVE-2021-31956)
Description: Windows NTFS Elevation of Privilege Vulnerability
Readme
# CVE-2021-31956

WIP PoC code for CVE-2021-31956 in preparation for OSEE. Will improve it further after my OSEE exams, when I have free time.
A lot of hardcoded offsets need to be changed if they are different on the target system (but if it is anything similar to 2020-2021 builds then no change should be needed; not 100% sure), and you can't exit the program because many pool headers are still corrupted and the Token field is still pointing to the system's token. One of three things will happen if you try to exit the program: a BSOD, the program can't exit, or, if the stars align, it exits safely but the system is probably unstable and a ticking time bomb.


Credits:

- https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/ - amazing write-up that covers many details that NCC and others lack
- https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/ - good basic understanding of the vuln and good lessons learned
- https://github.com/aazhuliang/CVE-2021-31956-EXP - for most of the starting code and a source for me to fall back on if I am completely stuck
- https://github.com/freeide/CVE-2021-31955-POC/tree/main - CVE-2021-31955 PoC that allows leaking of EPROCESS. Though this is unnecessary due to the nature of the bug and the accessible CreatorProcess field inside the WNF struct.

- Apt 69


![](poc.gif)
File Snapshot

[4.0K] /data/pocs/b32ec765636951d7df217ef5881f4ecb7b0bba44
├── [4.0K] 31956Custom
│   ├── [7.2K] 31956Custom.vcxproj
│   ├── [1.6K] 31956Custom.vcxproj.filters
│   ├── [ 19K] Header.h
│   ├── [3.7K] Helper.cpp
│   ├── [ 148] Helper.h
│   ├── [ 26K] Main.cpp
│   ├── [  13] Main.h
│   ├── [  16] pch.cpp
│   ├── [2.5K] pch.h
│   └── [ 281] Ulog.h
├── [1.4K] 31956Custom.sln
├── [2.7M] poc.gif
└── [1.3K] README.md

1 directory, 13 files