pseuxide/kur

kur

kur is a small piece of code that offers kernel-mode read/write of memory from user mode by way of a vulnerable signed driver. It simply uses MmCopyVirtualMemory, an undocumented but very commonly used kernel API, so that any user-mode memory can be read or written without the caller holding a suitably privileged process handle or having to worry about the protection on the target page. As a side arm, it also has a function to obtain a handle to a process given its PID. Since the handle is created in kernel mode, the standard access checks (and, presumably, registered object callbacks) won't kick in.

This project was created for study purposes; it is not recommended to use it outside of a virtual machine.

background

I saw on the UC forum that this specific driver has a privilege escalation vulnerability, so I started reversing the driver myself, and indeed the driver doesn't have any access control over its powerful IOCTLs.

the vulnerability

This project exploits the vulnerability reported as CVE-2023-38817: https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/
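To make concrete what "no access control over its IOCTLs" means on the kernel side, here is an added example (not kur's code and not the real driver's) of a copy-memory IOCTL dispatch, first as the vulnerable driver behaves and then with the checks it lacked. It is written as portable C so it compiles anywhere; the IOCTL code, request layout, size cap and PID allowlist are assumptions for illustration, and the MmCopyVirtualMemory call itself is left as a comment.

```c
/*
 * Added example (not kur's code and not the real driver's): the kernel-side
 * dispatch of a "copy memory into/out of any process" IOCTL, once as the
 * vulnerable driver behaves (no checks) and once with the checks it lacked.
 * Portable C; the IOCTL code, request layout, size cap and PID allowlist are
 * assumptions. In a real driver, in_len would be
 * Parameters.DeviceIoControl.InputBufferLength from the IO_STACK_LOCATION and
 * caller_pid would come from PsGetCurrentProcessId() of the requester.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CTL_CODE layout from the Windows SDK: DeviceType<<16 | Access<<14 | Function<<2 | Method. */
#define METHOD_BUFFERED     0u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define FILE_DEVICE_UNKNOWN 0x22u
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))

struct ioctl_fields { uint32_t device_type, access, function, method; };

/* Split an IOCTL code into its fields. The access bits are the only per-IOCTL
 * check the I/O manager performs, and FILE_ANY_ACCESS means it checks nothing. */
static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Assumed IOCTL and request layout (the real driver's differ). */
#define IOCTL_COPY_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

struct copy_request {
    uint32_t pid;          /* target process the driver attaches to */
    uint64_t address;      /* address inside the target process */
    uint64_t size;         /* bytes to copy */
    uint64_t user_buffer;  /* caller's buffer the data is copied to/from */
};

static struct copy_request make_request(uint32_t pid, uint64_t address,
                                        uint64_t size, uint64_t user_buffer)
{
    struct copy_request r = { pid, address, size, user_buffer };
    return r;
}

/* MmHighestUserAddress on 64-bit Windows; anything above it is kernel space. */
#define HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFull
#define MAX_COPY_SIZE        (1ull << 20)   /* assumed policy cap on one copy */

enum verdict { ALLOW, DENY_BAD_LENGTH, DENY_BAD_RANGE, DENY_UNAUTHORIZED };

/* Overflow-safe check that [addr, addr + size) lies entirely in user space. */
static bool range_in_user_space(uint64_t addr, uint64_t size)
{
    if (size == 0 || addr > HIGHEST_USER_ADDRESS) return false;
    return size - 1 <= HIGHEST_USER_ADDRESS - addr;
}

/* What the vulnerable driver effectively does: anyone holding a device handle
 * gets MmCopyVirtualMemory on whatever (pid, address, size) they asked for. */
static enum verdict vulnerable_dispatch(const void *in, size_t in_len, uint32_t caller_pid,
                                        const uint32_t *allow, size_t n_allow)
{
    (void)in; (void)in_len; (void)caller_pid; (void)allow; (void)n_allow;
    return ALLOW;   /* ...followed by MmCopyVirtualMemory(...) with the caller's values */
}

/* The checks the handler should have performed before touching any memory. */
static enum verdict hardened_dispatch(const void *in, size_t in_len, uint32_t caller_pid,
                                      const uint32_t *allow, size_t n_allow)
{
    struct copy_request req;
    bool authorized = false;

    /* 1. The input buffer must be large enough to hold the request structure. */
    if (in == NULL || in_len < sizeof req) return DENY_BAD_LENGTH;
    /* Work from a local copy (with METHOD_NEITHER the buffer would also need probing). */
    memcpy(&req, in, sizeof req);

    /* 2. Size sane, both ranges in user space, no wraparound. */
    if (req.size > MAX_COPY_SIZE) return DENY_BAD_RANGE;
    if (!range_in_user_space(req.address, req.size) ||
        !range_in_user_space(req.user_buffer, req.size)) return DENY_BAD_RANGE;

    /* 3. Only an explicitly trusted requester may use the primitive at all. */
    for (size_t i = 0; i < n_allow; i++)
        if (allow[i] == caller_pid) authorized = true;
    if (!authorized) return DENY_UNAUTHORIZED;

    return ALLOW;   /* only now would MmCopyVirtualMemory run, with UserMode as AccessMode */
}
```

The PID allowlist is a stand-in for the real control, which belongs on the device object: a restrictive DACL via IoCreateDeviceSecure (SDDL limiting opens to SYSTEM and Administrators) together with FILE_DEVICE_SECURE_OPEN, so that untrusted code never gets a handle to send IOCTLs through in the first place. A check on the caller's PID alone is weak (the PID can be reused, or code can be injected into the allowed process), and even the hardened handler still exposes a cross-process copy primitive that a driver should not offer unless it truly needs it.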

How to use

Since I was too lazy to implement it properly, you just have to include everything and compile. All functionality is encapsulated in the kur_t class.

kur/kur/kur.h

```cpp
#include <Windows.h>
#include <optional>

class kur_t
{
    vul_driver vul_driver;   // wrapper around the vulnerable driver's device; its type is defined elsewhere in the repo
public:
    // Handle to the vulnerable driver's device object.
    auto query_device_handle() const -> HANDLE;
    // Ask the driver to open a handle to process `pid` from kernel mode with the requested access.
    auto get_process_handle(DWORD pid, ACCESS_MASK access_mask) -> std::optional<HANDLE>;
    // Read `buffer_size` bytes at `address` in the target process into the local `buffer`.
    auto read(void* address, void* buffer, size_t buffer_size, HANDLE h_target_process) -> BOOL;
    // Write `size` bytes from the local `from_address` to `to_address` in the target process.
    auto write(void* to_address, void* from_address, size_t size, HANDLE h_target_process) -> BOOL;
};
```

About

📟 a tiny little piece of code that offers kernel-mode read/write using a vulnerable signed kernel driver.
