Share
## https://sploitus.com/exploit?id=67E4CD12-31A4-5C65-A4CD-304D8F2AB892
# CVE-2025-21333

Hyper-V NT Kernel Integration VSP (`vkrnlintvsp.sys`) Paged Pool heap overflow โ†’ Local Elevation of Privilege (LPE). This directory contains PoC source code for the lab (based on [MrAle98/CVE-2025-21333-POC](https://github.com/MrAle98/CVE-2025-21333-POC)), including local patches.

## 1. Vulnerability Summary

| Item | Content |
|---|---|
| CVE | CVE-2025-21333 |
| Type | Heap-based Buffer Overflow |
| Impact | Local Elevation of Privilege (EoP); Previously marked as exploitable in the wild |
| Component | `vkrnlintvsp.sys` |
| Vulnerable Function | `VkiRootAdjustSecurityDescriptorForVmwp` |
| Pool Tag | `ViRo` |
| Patch | 2025-01-14; Win11 23H2 requires โ‰ฅ **22631.4751**๏ผˆKB5050021) |

### Root Cause

In `VkiRootAdjustSecurityDescriptorForVmwp`:

1. Calculates the allocation length using a `WORD`: `AclSize + sid1 + sid2 + 16`
2. When `AclSize = 0xfff0`, the total becomes `0x10040` โ†’ ** truncated to `0x40`**
3. `ExAllocatePool2(..., 0x40, 'ViRo')`
4. `memmove(pool, dacl, AclSize)` still copies the full **`0xfff0`**

The core inequality: `allocatedBytes(0x40) < accessEnd(0xfff0)`. KD dynamic checks:

- `ExAllocatePool2` โ†’ `@rdx = 0x40`
- `memmove` โ†’ `@r8 = 0xfff0`

### Trigger Path

Windows Sandbox (and Nested Virtualization) must be enabled to allow related syscall calls to reach `vkrnlintvsp.sys`:

```text
PoC โ†’ NtCreateCrossVmEvent
    โ†’ VkiRootCalloutCreateEvent
    โ†’ VkiRootAdjustSecurityDescriptorForVmwp
```

---

## 2. Reproducible System Versions

| Item | Value |
|---|---|
| Guest OS | Windows 11 23H2 |
| **Guest build** | **`10.0.22631.3447`** (**< 4751, can be reproduced**) |
| `vkrnlintvsp.sys` | `10.0.22621.2506`; SHA256: `015DD1211569B6F85CC0041269F249BA5935A3DA89B615B502DF59EAD5354BB8` |

Patched 23H2 (โ‰ฅ `22631.4751`) **cannot be reproduced**. Nested Virtualization + Windows Sandbox must be enabled. ---

## 3. Exploitation Chain (Summary)

1. Spray `WNF_STATE_DATA`
2. Create dual-ACE with `AclSize=0xfff0` to trigger an overflow, expanding adjacent WNF `DataSize`
3. Free two holes, then allocate: `IrRB` (I/O Ring RegBuffers) + `NpAt` (PipeAttribute)
4. Overwrite one item in RegBuffers โ†’ User mode fabricates `IOP_MC_BUFFER_ENTRY`
5. I/O Ring Read/Write โ†’ Arbitrary kernel read/write
6. Token replacement โ†’ `PRIV_ESC_OK` โ†’ Session bound to visible SYSTEM shell

Expected layout: `0x30 IrRB` + `0x80 NpAt` (requires `found1=1 && found2=1`). ---

## 4. Key Points for Local Stability (22631.3447)

Key differences from upstream:

| Topic | Key Points |
|---|---|
| Dual-ACE | A single ACE `AceSize=0xf000` will be changed by `SeCapture` to approximately `0xf008` โ†’ **No overflow**; Dual ACEs are required to maintain `AclSize=0xfff0` |
| Return Code | CrossVm may return `STATUS_INVALID_ACL (0xC0000077)`, continue scanning WNF |
| Timing | `free CCC` โ†’ Submit IoRing โ†’ **`Sleep(5000)`** โ†’ `free DDD` โ†’ pipe spray |
| Sandbox | Kill `WindowsSandboxClient` **after** confirming IrRB/NpAt |
| ntos RVA | `ExAllocatePool2=0xaac7a0`, `PsInitialSystemProcess=0xd1da60` (upstream offset at 3447 results in `system EPROCESS: 0`) |
| Visible Shell | `CreateProcessAsUser` + `TokenSessionId` + `winsta0\Default` โ†’ `VISIBLE_SYSTEM_CMD_OK` |

Heap layout is non-deterministic, elevation of privileges **is not 100%**; Can be retried if failed. ---

## 5. Reference Links

- MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333
- Upstream Analysis: https://medium.com/@ale18109800/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae
- Upstream PoC: https://github.com/MrAle98/CVE-2025-21333-POC
- I/O Ring primitives: https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/