Share
## https://sploitus.com/exploit?id=5B293725-04E5-5505-927A-3ED285489BFA
# CVE-2023-36407

This is poc for CVE-2023-36407, Hyper-V Elevation of Privilege Vulnerability.

https://github.com/pwndorei/CVE-2023-36407/assets/96749184/a8ef87d3-e0d0-40e5-9b23-35ab057a9c78

## Vulnerability

- OOB Read/Write from/to Non-paged Pool via `winhvr.sys!WinHvGet/SetVpState`

# Reproduction Steps

- Environment I used: Windows 11 22H2 x64
- Patch: kb5031354
- control code for `WinHvSetVpState`: 0x221268
    - if poc does not work, analyze `Vid.sys` to find out control code for `WinHvSetVpState` and change it

## Build

Just build the project(Release/x64), then `CVE-2023-36407.exe` will be generated.

## Reproduction

1. run `CVE-2023-36407.exe` in vulnerable Hyper-V Host(Root Partition)
2. **Boom**

### How it works?

1. `CVE-2023-36407.exe` calls `DeviceIoControl` that invokes `winhvr.sys!WinHvSetVpState`
2. In `WinHvSetVpState`, `memcpy` copies data from input buffer(user-controlled) to Non-paged Pool memory
    - length of data to copy depends on input data's length
3. The Non-paged Pool Memory is 0x1000 bytes size and there is no size check for input before calling `memcpy`
    - BOF in Non-paged Pool
4. BSOD occurs because of the corruption