## https://sploitus.com/exploit?id=9DB0EA6C-B868-5DC6-9A63-5DE2B120A57E
# KTM_POCS
This repo contains reports for [CVE-2024-43570](https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-43570) and [CVE-2024-43535](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43535), two vulnerabilities I found in the Windows Kernel Transaction Manager driver tm.sys.

This repo also contains the exploit code I used for the demos in the OffensiveCon25 presentation: [Hunting for Overlooked Cookies in Windows 11 KTM and Baking Exploits for Them](https://youtu.be/goEb7eKj660?si=DR9TcnJZPicCIhGK) by Cedric Halbronn and Jael Koh.

Slides for the presentation are available [here](https://docs.google.com/presentation/d/1M_ziQt6rZA01ghsv0qo7lhqyOLIZYNnV-qjHWun6A1g/edit?usp=sharing).

*Exploit code was tested on a Windows 11 Pro 23H2 226321.4169 (September Patch Tuesday Update) virtual machine.*

## Timeline
- 24 Apr 2024 - 26 Apr 2024: tm.sys research attempt #1
- 18 May 2024 - 20 May 2024: tm.sys research attempt #2
- 14 Jun 2024 - 7 Jul 2024: tm.sys research attempt #3
- 24 Jun 2024: Reported CVE-2024-43570 to MSRC
- 7 Jul 2024: Reported CVE-2024-43535 to MSRC
- 18 Jul 2024: US$2000 bounty awarded for CVE-2024-43570
- 5 Oct 2024: US$2000 bounty awarded for CVE-2024-43535
- 8 Oct 2024: Fix for CVE-2024-43570 and CVE-2024-43535