# CVE-2025-60709: CLFS.sys Local Privilege Escalation PoC
Source: https://sploitus.com/exploit?id=BC112C5A-7015-5759-8CC8-383B5E92D95C
---
> 🚨 **EXPLOIT PoC — FOR SECURITY RESEARCH, VULNERABILITY ANALYSIS AND DEFENSIVE PURPOSES ONLY**
---
## 🏗️ Repository Structure
```
CVE-2025-60709/
├── CVE-2025-60709.c   (5.3 KB, 157 lines)  original C exploit
├── CVE-2025-60709.go  (9.2 KB, 285 lines)  Go port (educational demo)
└── README.txt         (4.2 KB, 132 lines)  original documentation
```
One sanity check on these numbers before building anything: the exploitation flow says the C version copies a 1789-byte beacon shellcode into RWX memory. If that shellcode is embedded as C hex literals (`\x41` or `0x41,`), it alone takes roughly 7 to 9 KB of source text, more than the whole 5.3 KB, 157-line file, which also has to hold the grooming, checksum and token-stealing code. So either the payload is fetched from somewhere at run time or the listed size is wrong. Either way, read the file before compiling it.
---
# 🇬🇧 English Documentation
## Description
**CVE-2025-60709** is presented in this repository as a **Local Privilege Escalation (LPE)** vulnerability in the Windows **CLFS.sys** (Common Log File System) driver. According to the README, an attacker who already has local code execution as a standard user can escalate to **NT AUTHORITY\SYSTEM** through a buffer overflow in CLFS container parsing that yields an arbitrary write primitive into kernel memory.
This repository contains two implementations:
- **CVE-2025-60709.c**: the original C implementation (direct calls to native Windows APIs). Per the exploitation flow below, it does not stop at escalating privileges: it patches ETW and AMSI in its own process and then runs an embedded 1789-byte C2 beacon as SYSTEM. Treat the compiled binary as malware and execute it only in an isolated, disposable VM with no network egress.
- **CVE-2025-60709.go**: a Go port **(demonstration/educational version that does NOT exploit a real vulnerability)**.
---
## 🎯 Vulnerability Details
| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2025-60709 |
| **Type** | Local Privilege Escalation (LPE) |
| **Component** | CLFS.sys (Common Log File System driver) |
| **Target OS** | Windows 11 24H2 (build 26100.3485+, as stated by the author; the patched build that ends the range is not given) |
| **Architecture** | x64 only |
| **Vector** | Buffer overflow in CLFS container parsing |
| **Impact** | Escalation to NT AUTHORITY\SYSTEM |
| **Prerequisites** | Local code execution (standard user) |
---
## 🔬 Technical Analysis
### Exploitation Flow
```
[1] DEFENSE EVASION
    ├─ KillETW()  → patch EtwEventWrite in ntdll.dll with RET (0xC3)
    └─ KillAMSI() → patch AmsiScanBuffer in amsi.dll with RET (0xC3)
[2] HEAP GROOMING
    └─ GroomLookaside()
        ├─ creates 4096 files: C:\Windows\Temp\groom_00000.blf … groom_04095.blf
        ├─ calls CreateLogFile() + AddLogContainer() for each
        └─ exhausts lookaside lists → predictable heap layout
[3] ARBITRARY WRITE PRIMITIVE: ClfsArbWrite(Address, Value)
    ├─ builds a malformed CLFS buffer (0x102010 bytes)
    │   ├─ CLFS signature at +0x00: 0x0201
    │   ├─ sector size shift at +0x14: 2
    │   ├─ first client region at +0x28: 0x100
    │   ├─ oversized cbRecord at +0x100: 0xFF00 (65,280 bytes, larger than the real record data)
    │   ├─ shadow-zone marker at +0x9A8: 0x13371337
    │   └─ fake CClfsContainerContext at offset 0xFF00 + 0x100 = 0x10000:
    │       ├─ pContainer  = TargetAddress - 0x10
    │       └─ cbContainer = Value (the data to write)
    ├─ computes the CLFS checksum the driver validates
    ├─ writes the malformed container → C:\Windows\Temp\evil.blf
    ├─ creates a log pointing at evil.blf
    ├─ calls ClfsReadRestartArea() → triggers kernel-side parsing
    └─ driver overflows its buffer → writes Value to Address
[4] SYSTEM TOKEN THEFT
    ├─ reads the SYSTEM EPROCESS via PsInitialSystemProcess
    └─ extracts the token at EPROCESS + 0x4C0
[5] PRIVILEGE ESCALATION
    └─ ClfsArbWrite(CurrentEprocess + 0x4C0, SystemToken)
        └─ overwrites the current process token with the SYSTEM token
[6] C2 PAYLOAD EXECUTION
    ├─ VirtualAlloc(PAGE_EXECUTE_READWRITE)
    ├─ copies the 1789-byte beacon shellcode
    ├─ CreateThread() → runs as NT AUTHORITY\SYSTEM
    └─ beacon: IPv6 + DoH C2, Gmail drafts fallback
        └─ sRDI + sleep obfuscation; ETW/AMSI already patched
[7] PERSISTENCE
    └─ Sleep(INFINITE) → the process keeps the SYSTEM token
```
Three things to check before taking this flow at face value. First, the README defines only a write primitive, yet steps [4] and [5] need three kernel values read back: the EPROCESS pointer stored at PsInitialSystemProcess, the SYSTEM token at that EPROCESS + 0x4C0, and the current process's own EPROCESS address. The README does not say where a kernel read or information leak comes from; `GetKernelBase()` only yields the ntoskrnl.exe base (via SystemModuleInformation, which works from a medium-integrity process but not from low integrity or a sandbox). Second, a "valid CLFS signature 0x0201 at +0x00" does not match the publicly reverse-engineered CLFS_LOG_BLOCK_HEADER, whose first bytes are MajorVersion (0x15) and MinorVersion (0x00) followed by the Usn and ClientId, so the layout in step [3] should be read as the author's description rather than a verified CLFS structure. Third, step [7] is not persistence in the usual sense: a process sleeping forever survives neither logoff nor reboot.
---
### EPROCESS Offsets (Windows 11 24H2 build 26100.3485+)
| Field | Offset | Description |
|-------|--------|-------------|
| `EPROCESS_TOKEN` | `0x4C0` | Process security token |
| `EPROCESS_PID` | `0x440` | Process ID |
| `EPROCESS_LINKS` | `0x448` | Active process linked list |
| `EPROCESS_NAME` | `0x5A8` | Process name (ImageFileName) |
> ⚠️ **These offsets vary between Windows builds** and must be updated for other versions. Before relying on them, confirm them against the symbols of the exact target build, for example in WinDbg with `dt nt!_EPROCESS Token UniqueProcessId ActiveProcessLinks ImageFileName`. A wrong Token offset turns the arbitrary write into a blind corruption of a neighbouring EPROCESS field and usually a bugcheck.
---
### CLFS Buffer Overflow Mechanism
```
Legitimate CLFS container:
  [0x100-byte header][record: cbRecord bytes of real data]

Malformed container (evil.blf):
  [valid header][cbRecord = 0xFF00 → kernel reads 65,280 bytes]
        ↓
  kernel overflows its buffer → reaches the fake CClfsContainerContext
        ↓
  pContainer  = TargetKernelAddress - 0x10
  cbContainer = ValueToWrite
        ↓
  driver uses the fake structure → writes ValueToWrite to TargetKernelAddress
```
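The layout above gives a DFIR analyst enough to triage a suspect `.blf` file for the artifacts this README describes. The following is an added example written for this page, not code from the repository: it reads the signature, `cbRecord`, the `0x13371337` marker and the fake `CClfsContainerContext` fields at the offsets the README lists, and constructs its own sample inputs in memory. It assumes 32-bit little-endian fields for the signature and `cbRecord`, 8-byte `pContainer`/`cbContainer`, and treats the README's layout as the author's description rather than the real CLFS on-disk structures. Note that a plain "cbRecord larger than the file" check does not fire on the described evil.blf: at 0x102010 bytes the file is far larger than 0xFF00, because the fake context has to sit past the oversized record. The scanner therefore keys on the marker, the exact cbRecord value, a kernel-range pointer at +0x10000 and the total size.

```python
"""Triage a .blf image against the malformed-container layout this README describes.

Added example for this page, not code from the repository.  The offsets below
come from the README's own description and are NOT verified CLFS on-disk
structures; field widths (32-bit signature/cbRecord, 8-byte pointer/size in the
fake context) are assumptions.
"""
import struct

SIG_OFFSET, SIG_VALUE = 0x00, 0x0201           # "valid CLFS signature at +0x00: 0x0201"
CBRECORD_OFFSET, HEADER_SIZE = 0x100, 0x100    # "[0x100 byte Header][Record: cbRecord bytes]"
EVIL_CBRECORD = 0xFF00                         # the oversized length the README's exploit writes
MARKER_OFFSET, MARKER = 0x9A8, 0x13371337      # "shadow zone marker at +0x9A8"
FAKE_CTX_OFFSET = EVIL_CBRECORD + HEADER_SIZE  # 0x10000: fake CClfsContainerContext
EVIL_BUFFER_SIZE = 0x102010                    # size of the buffer the README says is written
KERNEL_VA_FLOOR = 0xFFFF_8000_0000_0000        # start of the x64 kernel-mode canonical range


def triage_blf(data: bytes) -> dict:
    """Return {"suspicious": bool, "findings": [...]} for one container image.

    Heuristic: a hit means "matches the exploit file the README describes",
    not "this file is exploiting CLFS".
    """
    findings = []
    if len(data) < CBRECORD_OFFSET + 4:
        return {"suspicious": False, "findings": ["truncated: no room for the header"]}
    if struct.unpack_from("<I", data, SIG_OFFSET)[0] != SIG_VALUE:
        return {"suspicious": False, "findings": ["not laid out like the described container"]}

    cb_record = struct.unpack_from("<I", data, CBRECORD_OFFSET)[0]
    remaining = len(data) - HEADER_SIZE
    if cb_record > remaining:                  # generic sanity check: record must fit the file
        findings.append(f"cbRecord 0x{cb_record:X} exceeds the {remaining} bytes after the header")
    if cb_record == EVIL_CBRECORD:
        findings.append("cbRecord is exactly 0xFF00, the value the README's exploit uses")
    if len(data) >= MARKER_OFFSET + 4 and struct.unpack_from("<I", data, MARKER_OFFSET)[0] == MARKER:
        findings.append("shadow-zone marker 0x13371337 present at +0x9A8")
    if len(data) >= FAKE_CTX_OFFSET + 16:
        p_container = struct.unpack_from("<Q", data, FAKE_CTX_OFFSET)[0]
        if p_container >= KERNEL_VA_FLOOR:     # a log container has no business holding kernel pointers
            findings.append(f"kernel-mode pointer 0x{p_container:016X} at +0x{FAKE_CTX_OFFSET:X} "
                            "(fake CClfsContainerContext.pContainer?)")
    if len(data) == EVIL_BUFFER_SIZE:
        findings.append("total size is exactly 0x102010 bytes, the README's buffer size")
    return {"suspicious": bool(findings), "findings": findings}


def sample_evil_container(target=0xFFFF_8001_2345_6780, value=0x41414141) -> bytes:
    """Constructed test input laid out as the README describes evil.blf (not a real file)."""
    buf = bytearray(EVIL_BUFFER_SIZE)
    struct.pack_into("<I", buf, SIG_OFFSET, SIG_VALUE)
    struct.pack_into("<I", buf, 0x14, 2)                  # sector size shift
    struct.pack_into("<I", buf, 0x28, 0x100)              # first client region
    struct.pack_into("<I", buf, CBRECORD_OFFSET, EVIL_CBRECORD)
    struct.pack_into("<I", buf, MARKER_OFFSET, MARKER)
    struct.pack_into("<QQ", buf, FAKE_CTX_OFFSET, target - 0x10, value)  # pContainer, cbContainer
    return bytes(buf)


def sample_benign_container() -> bytes:
    """Constructed control input: same signature, a record that fits, no exploit artefacts."""
    buf = bytearray(0x1000)
    struct.pack_into("<I", buf, SIG_OFFSET, SIG_VALUE)
    struct.pack_into("<I", buf, CBRECORD_OFFSET, 0x200)
    return bytes(buf)


if __name__ == "__main__":
    for name, blob in (("evil.blf", sample_evil_container()), ("benign.blf", sample_benign_container())):
        result = triage_blf(blob)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

On the constructed evil sample this reports four findings (exact cbRecord, marker, kernel pointer, total size) and none on the benign control; point it at a real file with `triage_blf(open(path, "rb").read())`.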
---
### Key Functions — `CVE-2025-60709.c`
| Function | Purpose |
|----------|---------|
| `GetKernelBase()` | `ZwQuerySystemInformation(SystemModuleInformation)` → ntoskrnl.exe base |
| `KillETW()` | VirtualProtect + overwrite `EtwEventWrite` in ntdll.dll with `0xC3` (RET) |
| `KillAMSI()` | Load amsi.dll + overwrite `AmsiScanBuffer` with `0xC3` (RET) |
| `GroomLookaside()` | Create 4096 CLFS logs to exhaust lookaside lists → deterministic heap |
| `ClfsArbWrite()` | **Exploit core** — arbitrary kernel memory write primitive |
| `main()` | Orchestrates: ETW→AMSI→groom→token theft→arb write→beacon |
---
### C vs Go Differences
| Aspect | C Version | Go Version |
|--------|-----------|-----------|
| Type | Claimed functional exploit (per the README; not verified here) | Educational demo only |
| APIs | Direct (ntdll, clfsw32, advapi32) | `syscall.NewLazyDLL()` wrappers |
| CLFS checksum | Full algorithm | Simplified placeholder |
| Kernel addresses | Real | Hardcoded placeholder (`0x123456`) |
| C2 payload | 1789-byte shellcode | NOP bytes (`0x90`) |
| Expected result | SYSTEM escalation | Message `"Arb write failed (yeah)"` |
---
### Build Instructions
**C version** (requires Visual Studio Build Tools + Windows SDK). With `cl`, everything after `/link` goes to the linker, so the source file must precede it:
```bat
cl /O1 /MT CVE-2025-60709.c /link ntdll.lib advapi32.lib clfsw32.lib
```
**Go version** (requires Go 1.19+ on Windows x64):
```bat
go build -ldflags="-s -w" -o CVE-2025-60709.exe CVE-2025-60709.go
```
---
## 🛡️ Mitigations and Detection
### Windows Mitigations
| Mitigation | Effectiveness against the chain described here |
|-----------|--------------|
| **Windows Update** | High. The vendor patch removes the CLFS parsing bug; nothing below substitutes for it. |
| **WDAC / AppLocker** (block unsigned or untrusted executables) | High. The exploit needs its own binary running as a standard user before anything else happens. |
| **Windows Defender / EDR** | Medium. Detects the known techniques: ETW/AMSI patching, RWX allocation followed by CreateThread, mass .blf creation. |
| **HVCI** (Hypervisor-protected Code Integrity) | Low for this chain. HVCI prevents unsigned kernel code from executing; the steps above never execute kernel code, they overwrite a data field (EPROCESS.Token) with an arbitrary write. |
| **kCFG** (kernel-mode Control Flow Guard) | Low for this chain. It guards indirect calls in the kernel; a data-only token swap makes none. |
| **CFG** (user-mode Control Flow Guard) | None. CFG checks indirect calls inside a CFG-compiled process; the exploit allocates RWX memory and starts a thread on it in its own process, which CFG does not police. |

The ETW and AMSI patches in step [1] are also narrower than the flow suggests. Both are applied inside the exploit's own process, so they silence that process's user-mode ETW providers and script scanning only. Kernel-side telemetry (the Microsoft-Windows-Threat-Intelligence provider that EDRs consume, Sysmon file-create events, the CLFS driver's own activity) is untouched, which is why the file and process indicators below remain observable. AMSI in particular scans script and managed content; patching it from a native C executable changes nothing about how that executable is seen.
### YARA Rule
```yara
rule CVE_2025_60709_CLFS_LPE {
    meta:
        description = "Detects the CVE-2025-60709 CLFS LPE exploit binary described in this README"
        author = "KONDORDEVSECURITYCORP"
        date = "2026-03"
        cve = "CVE-2025-60709"
        severity = "critical"
    strings:
        $evil_file  = "evil.blf" ascii wide
        $groom_file = "groom_" ascii wide
        $etw_func   = "EtwEventWrite" ascii wide
        $amsi_func  = "AmsiScanBuffer" ascii wide
        $clfs_sig   = { 01 02 00 00 }   // 0x0201 signature written at +0x00, little-endian
        $magic      = { 37 13 37 13 }   // 0x13371337 shadow-zone marker, little-endian
        $token_off  = { C0 04 00 00 }   // EPROCESS_TOKEN = 0x4C0, little-endian
    condition:
        // Restrict to PE files and anchor on the exploit-specific file names:
        // the API names and the 4-byte immediates alone occur in many benign binaries,
        // so the original "3 of them" condition would fire on unrelated software.
        uint16(0) == 0x5A4D and filesize < 5MB and
        ($evil_file or $groom_file) and
        2 of ($etw_func, $amsi_func, $magic, $token_off, $clfs_sig)
}
```
### IOCs — System Artifacts
| Type | Value |
|------|-------|
| Malformed file | `C:\Windows\Temp\evil.blf` |
| Malformed log | `\\.\C:\Windows\Temp\evil_log` |
| Grooming files | `C:\Windows\Temp\groom_00000.blf` … `groom_04095.blf` |
| Process | Anomalous `REALTIME_PRIORITY_CLASS` priority |
### Behavioral Detection
```
FILE:    mass creation of *.blf in C:\Windows\Temp\ (> 100 within seconds, from one process)
FILE:    creation of C:\Windows\Temp\evil.blf
PROCESS: process raised to REALTIME_PRIORITY_CLASS that then calls ClfsReadRestartArea
MEMORY:  PAGE_EXECUTE_READWRITE allocation followed immediately by CreateThread on it
API:     VirtualProtect over EtwEventWrite (ntdll.dll) or AmsiScanBuffer (amsi.dll), then a 0xC3 write
API:     NtQuerySystemInformation(SystemModuleInformation) from an unprivileged process
         (the kernel-base lookup used to locate PsInitialSystemProcess; user mode cannot read
         PsInitialSystemProcess itself, so this call is the observable part)
```
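The FILE indicators above are the easiest to operationalize, since Sysmon Event ID 11 (FileCreate) records carry the process ID, the image and the target path. The following added example (not from the repository) implements both FILE rules over constructed records: an exact-path match on `C:\Windows\Temp\evil.blf`, and a sliding-window count of `.blf` creations under `C:\Windows\Temp\` per process that alerts when more than 100 land inside 10 seconds. The flattened tab-separated `key=value` record format, the 10-second window and the sample events are assumptions made for this example.

```python
"""Detect the FILE indicators above over constructed Sysmon-style records.

Added example for this page, not code from the repository.  Assumptions: one
Sysmon Event ID 11 (FileCreate) event per line, flattened to tab-separated
key=value pairs; a 10-second sliding window for the burst rule; sample events
constructed below, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_DIR = "c:\\windows\\temp\\"
EVIL_PATH = "c:\\windows\\temp\\evil.blf"
BURST_THRESHOLD = 100                 # README: "> 100 in seconds"
BURST_WINDOW = timedelta(seconds=10)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_record(line: str) -> dict:
    """Parse one flattened FileCreate record; UtcTime becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t") if "=" in kv)
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], TS_FORMAT)
    return fields


def detect(lines) -> list:
    """Return alerts as (rule, process_id, image, detail) tuples.

    evil_blf_created: the exact exploit path was created.
    blf_burst: one process created more than BURST_THRESHOLD *.blf files under
               C:\\Windows\\Temp\\ inside any BURST_WINDOW sliding window.
    """
    alerts = []
    blf_times = defaultdict(list)             # (pid, image) -> .blf creation times
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "11":
            continue
        target = rec["TargetFilename"].lower()
        key = (rec["ProcessId"], rec["Image"])
        if target == EVIL_PATH:
            alerts.append(("evil_blf_created", *key, rec["TargetFilename"]))
        if target.startswith(SUSPECT_DIR) and target.endswith(".blf"):
            blf_times[key].append(rec["UtcTime"])

    for key, times in blf_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count > BURST_THRESHOLD:
                alerts.append(("blf_burst", *key, f"{count} .blf files within {BURST_WINDOW.seconds}s"))
                break                               # one alert per process is enough
    return alerts


def constructed_sample_log() -> list:
    """Constructed records (not real telemetry): one exploit-like burst plus benign noise."""
    t0 = datetime(2026, 3, 1, 12, 0, 0)
    exploit = "C:\\Users\\user\\Downloads\\CVE-2025-60709.exe"

    def rec(ts, pid, image, path):
        return (f"EventID=11\tUtcTime={ts.strftime(TS_FORMAT)[:-3]}"
                f"\tProcessId={pid}\tImage={image}\tTargetFilename={path}")

    # exploit-like: 4096 groom files in about four seconds, then evil.blf
    lines = [rec(t0 + timedelta(milliseconds=i), 4242, exploit,
                 f"C:\\Windows\\Temp\\groom_{i:05d}.blf") for i in range(4096)]
    lines.append(rec(t0 + timedelta(seconds=5), 4242, exploit, "C:\\Windows\\Temp\\evil.blf"))
    # benign: a service writing a few .blf files minutes apart, and an unrelated log file
    lines += [rec(t0 + timedelta(minutes=i), 900, "C:\\Windows\\System32\\svchost.exe",
                  f"C:\\Windows\\Temp\\Logs\\state{i}.blf") for i in range(5)]
    lines.append(rec(t0, 1200, "C:\\Windows\\explorer.exe", "C:\\Windows\\Temp\\setup.log"))
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

On the constructed log this raises exactly two alerts, both for PID 4242: `evil_blf_created` and `blf_burst`; the svchost records stay silent because five files spread over four minutes never exceed the threshold inside one window. In production the same logic keys naturally off the Sysmon `RuleName`/`EventID` fields of whatever pipeline feeds it.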
### Quick Verification
```powershell
# Count grooming files left behind (expected on a clean host: 0)
(Get-ChildItem C:\Windows\Temp -Filter "groom_*.blf" -ErrorAction SilentlyContinue | Measure-Object).Count
# Check for the malformed container (expected on a clean host: False)
Test-Path C:\Windows\Temp\evil.blf
```
---
## 📚 Referencias Técnicas / Technical References
- [Common Log File System (CLFS) Architecture — Microsoft Docs](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system)
---
## ⚠️ Legal Notice
> This exploit PoC is published for **security research, vulnerability analysis, threat intelligence, and defensive purposes ONLY**. Using this code against systems without explicit written authorization is illegal and may violate the CFAA, the Computer Misuse Act and equivalent laws. The authors assume no liability for misuse.
---