
CVE-2022-22077 PoC — Google Pixel Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: Google Pixel Resource Management Error Vulnerability (CVE-2022-22077)
Description: Memory corruption in graphics due to use-after-free in graphics dispatcher logic in Snapdragon Mobile
Description
CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center
Readme
# ✅ CVE-2022-22077 exploitation framework: RTCore64.sys

<img width="1328" height="1328" alt="image" src="https://github.com/user-attachments/assets/55f73f43-8bab-4fdb-84c3-011ca24d51c2" />

This document provides a comprehensive overview of the CVE-2022-22077 exploitation framework, a sophisticated BYOVD (Bring Your Own Vulnerable Driver) attack toolkit that targets the RTCore64.sys driver vulnerability. This framework demonstrates advanced Windows kernel exploitation techniques for educational and security research purposes.

The material covered includes the vulnerability's technical foundation, the framework's architecture, and the integration with the broader LazyOwn RedTeam toolkit. For detailed vulnerability analysis, see Vulnerability Analysis. For specific implementation details of individual components, see Exploitation Framework.

<img width="513" height="883" alt="image" src="https://github.com/user-attachments/assets/36b635a6-86c8-4b93-a6b2-15286897e1a2" />

## 🚨 CVE-2022-22077 — MSI Center / Dragon Center — Arbitrary Memory Read/Write via RTCore64.sys

CVE-2022-22077 is a high-severity vulnerability (CVSS score 7.8) affecting the RTCore64.sys driver distributed with MSI Center and Dragon Center applications. The vulnerability stems from exposed IOCTL interfaces that allow unprivileged users to perform arbitrary physical memory reads and writes, effectively bypassing all Windows kernel security mechanisms.

<img width="1724" height="246" alt="image" src="https://github.com/user-attachments/assets/2f13aaf2-97ee-478c-b9aa-e81a958f3ea0" />

## Key Impact Areas

- Local privilege escalation to SYSTEM
- EDR/AV bypass capabilities
- Kernel-mode code execution
- Rootkit installation potential

<img width="1276" height="734" alt="image" src="https://github.com/user-attachments/assets/82db2c7f-70b0-436d-b909-43c8ffad7633" />

## Stages

<img width="682" height="859" alt="image" src="https://github.com/user-attachments/assets/a8dc2a4f-d9b0-4837-8b90-6f9d656ba50a" />

### Stage 1: Environment Preparation

- File: install.sh - Sets up mingw-w64 cross-compilation environment
- File: build.sh - Compiles Windows executables from Linux host
- Integration: LazyOwn framework configuration via CVE-2022-22077.yaml

### Stage 2: Automated Deployment

- File: payload.ps1 - PowerShell script handling:
  - Privilege validation (SeLoadDriverPrivilege)
  - VBS/HVCI compatibility checks
  - Driver and exploit download from remote server
  - Windows service creation and management

### Stage 3: Kernel Exploitation

- File: exploit.c - Native code implementing:
  - RTCore64.sys device communication
  - SYSTEM process token extraction
  - Current process token replacement
  - Privilege escalation validation
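A defender-side counterpart to the stages above, added here and not taken from the PoC repository or the LazyOwn project: it enumerates any driver service whose image is RTCore64.sys, whether that image is currently loaded, its SHA256 for comparison against the loldrivers.io entry, and the state of the mitigations the payload is described as probing (VBS/HVCI) plus the Microsoft vulnerable driver blocklist switch. The function name and `$DriverName` parameter are my own; the cmdlets, CIM classes and registry value are standard Windows ones. Run from an elevated PowerShell prompt.

```powershell
# Added defender-side check (not part of the PoC repository).
function Get-RTCore64Exposure {
    [CmdletBinding()]
    param(
        # Driver image to look for; RTCore64.sys is the one this PoC ships.
        [string]$DriverName = 'RTCore64.sys'
    )

    # Every driver service whose image path points at the driver. A State of
    # 'Running' means the image is loaded in the kernel right now.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match [regex]::Escape($DriverName) } |
        ForEach-Object {
            # Normalise "\??\C:\path" and quoted paths so Get-FileHash can open them.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                # SHA256 of the on-disk image, for comparison with loldrivers.io.
                Sha256    = if (Test-Path $path) { (Get-FileHash -Algorithm SHA256 -Path $path).Hash } else { $null }
            }
        }

    # Device Guard status: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning containing 2 = HVCI (memory integrity) running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # Microsoft vulnerable driver blocklist switch (documented under CI\Config).
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        DriverServices            = @($services)
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning               = $hvci
        VulnerableDriverBlocklist = if ($null -eq $blocklist) { 'not set (platform default applies)' } else { [int]$blocklist }
    }
}

Get-RTCore64Exposure | Format-List
```

An empty `DriverServices` list with `HvciRunning` true is the expected healthy state; any RTCore64.sys service with `State = Running` on a host that has no MSI tuning software installed is worth an incident ticket.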

<img width="813" height="864" alt="image" src="https://github.com/user-attachments/assets/548542d5-01a3-4325-9581-9c6a689d52ef" />

## Memory Manipulation Architecture

The framework implements kernel memory access through a structured approach using the RTCore64.sys driver vulnerabilities:

<img width="1290" height="833" alt="image" src="https://github.com/user-attachments/assets/8efe4d10-0718-477e-ae90-3875f73deb49" />


🔗 [[ YOUTUBE DEMO ]](https://youtube.com/shorts/V2tqH53LRIw)

🔗 [CVE-2022-22077](https://nvd.nist.gov/vuln/detail/CVE-2022-22077?spm=a2ty_o01.29997173.0.0.1d61c921XdCRdQ) on NVD

🔗 [https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36](https://medium.com/@lazyown.redteam/the-rtcore64-chronicles-when-your-gpu-tuner-becomes-a-kernel-assassin-and-why-thats-a-feature-7ba63a285d36)

🔗 [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/](https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/)

🔗 [https://github.com/grisuno/beacon](https://github.com/grisuno/beacon)

🔗 [https://github.com/grisuno/LazyOwn/](https://github.com/grisuno/LazyOwn/)


![Python](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54) ![Shell Script](https://img.shields.io/badge/shell_script-%23121011.svg?style=for-the-badge&logo=gnu-bash&logoColor=white) ![Flask](https://img.shields.io/badge/flask-%23000.svg?style=for-the-badge&logo=flask&logoColor=white) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y2Z73AV)
File Snapshot

```
[4.0K] /data/pocs/c16989a2bbbff5a37a559b31aeef2b27fbb7d803
├── [ 237] app.py
├── [ 97] build.sh
├── [5.1K] CODE_OF_CONDUCT.md
├── [7.8K] CONTRIBUTING.md
├── [ 943] CVE-2022-22077.yaml
├── [4.0K] docs
│   └── [7.5K] index.html
├── [7.8K] exploit.c
├── [ 54] install.sh
├── [ 34K] LICENSE
├── [4.0K] payload.ps1
├── [ 345] pull_request_template.md
├── [4.4K] README.md
├── [ 1] requirements.txt
├── [ 14K] RTCore64.sys
├── [ 619] SECURITY.md
└── [4.0K] workflows
    └── [ 902] github-actions-demo.yml

2 directories, 16 files
```