Share
## https://sploitus.com/exploit?id=67E4CD12-31A4-5C65-A4CD-304D8F2AB892
# CVE-2025-21333
Hyper-V NT Kernel Integration VSP (`vkrnlintvsp.sys`) Paged Pool heap overflow โ Local Elevation of Privilege (LPE). This directory contains PoC source code for the lab (based on [MrAle98/CVE-2025-21333-POC](https://github.com/MrAle98/CVE-2025-21333-POC)), including local patches.
## 1. Vulnerability Summary
| Item | Content |
|---|---|
| CVE | CVE-2025-21333 |
| Type | Heap-based Buffer Overflow |
| Impact | Local Elevation of Privilege (EoP); Previously marked as exploitable in the wild |
| Component | `vkrnlintvsp.sys` |
| Vulnerable Function | `VkiRootAdjustSecurityDescriptorForVmwp` |
| Pool Tag | `ViRo` |
| Patch | 2025-01-14; Win11 23H2 requires โฅ **22631.4751**๏ผKB5050021) |
### Root Cause
In `VkiRootAdjustSecurityDescriptorForVmwp`:
1. Calculates the allocation length using a `WORD`: `AclSize + sid1 + sid2 + 16`
2. When `AclSize = 0xfff0`, the total becomes `0x10040` โ ** truncated to `0x40`**
3. `ExAllocatePool2(..., 0x40, 'ViRo')`
4. `memmove(pool, dacl, AclSize)` still copies the full **`0xfff0`**
The core inequality: `allocatedBytes(0x40) < accessEnd(0xfff0)`. KD dynamic checks:
- `ExAllocatePool2` โ `@rdx = 0x40`
- `memmove` โ `@r8 = 0xfff0`
### Trigger Path
Windows Sandbox (and Nested Virtualization) must be enabled to allow related syscall calls to reach `vkrnlintvsp.sys`:
```text
PoC โ NtCreateCrossVmEvent
โ VkiRootCalloutCreateEvent
โ VkiRootAdjustSecurityDescriptorForVmwp
```
---
## 2. Reproducible System Versions
| Item | Value |
|---|---|
| Guest OS | Windows 11 23H2 |
| **Guest build** | **`10.0.22631.3447`** (**< 4751, can be reproduced**) |
| `vkrnlintvsp.sys` | `10.0.22621.2506`; SHA256: `015DD1211569B6F85CC0041269F249BA5935A3DA89B615B502DF59EAD5354BB8` |
Patched 23H2 (โฅ `22631.4751`) **cannot be reproduced**. Nested Virtualization + Windows Sandbox must be enabled. ---
## 3. Exploitation Chain (Summary)
1. Spray `WNF_STATE_DATA`
2. Create dual-ACE with `AclSize=0xfff0` to trigger an overflow, expanding adjacent WNF `DataSize`
3. Free two holes, then allocate: `IrRB` (I/O Ring RegBuffers) + `NpAt` (PipeAttribute)
4. Overwrite one item in RegBuffers โ User mode fabricates `IOP_MC_BUFFER_ENTRY`
5. I/O Ring Read/Write โ Arbitrary kernel read/write
6. Token replacement โ `PRIV_ESC_OK` โ Session bound to visible SYSTEM shell
Expected layout: `0x30 IrRB` + `0x80 NpAt` (requires `found1=1 && found2=1`). ---
## 4. Key Points for Local Stability (22631.3447)
Key differences from upstream:
| Topic | Key Points |
|---|---|
| Dual-ACE | A single ACE `AceSize=0xf000` will be changed by `SeCapture` to approximately `0xf008` โ **No overflow**; Dual ACEs are required to maintain `AclSize=0xfff0` |
| Return Code | CrossVm may return `STATUS_INVALID_ACL (0xC0000077)`, continue scanning WNF |
| Timing | `free CCC` โ Submit IoRing โ **`Sleep(5000)`** โ `free DDD` โ pipe spray |
| Sandbox | Kill `WindowsSandboxClient` **after** confirming IrRB/NpAt |
| ntos RVA | `ExAllocatePool2=0xaac7a0`, `PsInitialSystemProcess=0xd1da60` (upstream offset at 3447 results in `system EPROCESS: 0`) |
| Visible Shell | `CreateProcessAsUser` + `TokenSessionId` + `winsta0\Default` โ `VISIBLE_SYSTEM_CMD_OK` |
Heap layout is non-deterministic, elevation of privileges **is not 100%**; Can be retried if failed. ---
## 5. Reference Links
- MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333
- Upstream Analysis: https://medium.com/@ale18109800/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae
- Upstream PoC: https://github.com/MrAle98/CVE-2025-21333-POC
- I/O Ring primitives: https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/