Share
## https://sploitus.com/exploit?id=2E733323-0682-5CAA-8070-BE3ACAB6F292
# CVE-2026-29923 โ€” pstrip64.sys Local Privilege Escalation

A minimal proof-of-concept for CVE-2026-29923, a vulnerability in the `pstrip64.sys`
kernel driver (EnTech Taiwan PowerStrip โ‰ค 3.90.736) that allows an unprivileged
user-mode process to escalate to `NT AUTHORITY\SYSTEM`.

---

## The Bug

`pstrip64.sys` exposes an IOCTL (`0x80002008`) that accepts a user-supplied physical
address and maps it directly into the calling process's virtual address space by
opening `\Device\PhysicalMemory` and calling `ZwMapViewOfSection` with the current
process handle. There is no privilege check, no address validation beyond what
`HalTranslateBusAddress` enforces, and no access control on the symbolic link
`\\.\PSTRIP64`.

The result is an unrestricted physical memory read/write primitive from an
unprivileged process.

---

## Exploitation

With arbitrary physical read/write available, the exploit follows four steps.

**1. Scan for EPROCESS structures**

Physical RAM is walked in 2 MB chunks. Each chunk is scanned for the kernel pool
tag `Proc` (`0x636F7250`), which marks the pool allocation that contains a process's
`_EPROCESS` structure. Candidate hits are validated with three lightweight heuristics
before the PID is trusted:

- `PriorityClass == 0x2` โ€” all live processes run at Normal priority
- `ProcessLock == 0x0` โ€” the lock field is clear on a stable process
- `ImageFileName[0]` is printable ASCII โ€” garbage memory rarely satisfies this

**2. Locate both token pointers**

Two targets are needed:

- The **physical address** of our own process's `Token` field inside `_EPROCESS`
- The **token value** stored in the System process (`PID 4`) `_EPROCESS`

**3. Overwrite our token**

The 4 KB page containing our `Token` field is mapped and the field is overwritten
with the System token value. From this point the Windows kernel treats our process
as `NT AUTHORITY\SYSTEM`.

**4. Spawn a shell**

`cmd.exe` is launched via `CreateProcessA`. Because child processes inherit the
parent's token, the resulting shell runs as SYSTEM.

---

## MMIO Caveat

The 3 GB โ€“ 4 GB physical address window is reserved for MMIO on x86 systems.
Attempting to map pages in this range causes the driver to return error `74`
(`HalTranslateBusAddress` failure). The scan skips this window and resumes at
`0x100000000` to catch kernel structures that Windows places above the 4 GB mark.

---

## 32-bit Requirement

The driver's map handler writes the returned virtual address into a `DWORD` field
(`LowPart`), truncating the 64-bit VA to 32 bits. A 64-bit build receives a
corrupted pointer and crashes immediately. **Compile as x86.**

---

## Affected Software

| Software | Versions |
|---|---|
| EnTech Taiwan PowerStrip | โ‰ค 3.90.736 |

Driver hash (SHA-256):

```text
ab01485bb7c8bc1a9c86096eeea6d31d8fad557bf4d44072b46373d2203faa6e
```

---

## EPROCESS Offsets

The hardcoded offsets target **Windows 10 22H2 x64**. Other builds require
updated values โ€” use `dt nt!_EPROCESS` in WinDbg to confirm.

| Field | Offset |
|---|---|
| `PriorityClass` | `0x5B7` |
| `ProcessLock` | `0x438` |
| `UniqueProcessId` | `0x440` |
| `ImageFileName` | `0x5A8` |
| `Token` | `0x4B8` |

---

## Building

Open a Visual Studio x86 Developer Command Prompt and run:

```bat
cl /EHsc /O2 exploit.c /Fe:poc.exe
```

Or set the platform target to **x86** in Visual Studio and build in Release mode.
The binary requires no external dependencies beyond the Windows SDK.

---

## Usage

Load `pstrip64.sys` first (requires administrator to load the driver, not to run
the exploit itself once loaded), then:

```bat
poc.exe
```

A new `cmd.exe` window will open running as `NT AUTHORITY\SYSTEM`.

---

## Mitigation

**Block the driver from loading (preferred)**

- Add the driver hash above to your organization's blocklist
- Enable [Microsoft's Vulnerable Driver Blocklist](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules) via WDAC
- Enable Hypervisor-Protected Code Integrity (HVCI)

**Detect exploitation in progress**

- Alert on new kernel-mode service installations for unknown driver binaries
- Monitor for low/medium integrity processes spawning `SYSTEM`-level children
- Flag any process whose token changes to `NT AUTHORITY\SYSTEM` outside of a
  legitimate authentication event

---

## Disclaimer

This code is published for educational and defensive research purposes only.
Use it only on systems you own or have explicit written permission to test.
The author is not responsible for any misuse.

---

## References

- [Microsoft Vulnerable Driver Blocklist](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules)
- [WDAC Overview](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol)
- [Windows EPROCESS Internals](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm)
- [HalTranslateBusAddress โ€” MSDN](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-haltranslatebusaddress)
- [ZwMapViewOfSection โ€” MSDN](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection)