I currently have 2 Windows LPEs for sale
Please only PM when serious. Price ~260k /per
Garant only
First:
Windows Medium to SYSTEM Race Condition LPE
# Vulnerable OS
Windows 8 / 10 / 11 (24H2 isn't supported)
Windows Server 2012R2 / 2016 / 2019 / 2022
# Bug class
Race condition
# Exploitation vector
LPE
# Privileges required
Medium IL
# Privileges gained
SYSTEM
# Time of execution
<10s
# Reliability
90-95%
# User interaction
None
# Delivery
Demo video, source code, documentation
# Limitations
1) In case of failure, the system will BSOD
2) Doesn't work on CPUs with only 1 core
# Notes
Bypasses Windows Defender
It has been tested and works on current builds from Windows 8 to Windows 11 23H2,
and on server builds the same way. The vulnerability is also present on the 24H2
build, but so far there are problems with exploitation, since Microsoft has
removed the leakage of token addresses in this build. Accordingly, it’s necessary
to find a leak of the kernel address and exploit using this leak. The exploit
intercepts control in the kernel and transmits it to a controlled address, as well
as the first function parameters and registers. There’s a 5% chance that the
system will fall into the blue screen. If it fails, you can run the exploit again,
but you need to wait for a certain timeout so that HeapSpray works correctly when
you restart it. 5 minutes is enough. Each subsequent launch on the same machine
without a reboot increases the chances of falling into the blue screen. Among antiviruses,
problems were only with Kaspersky, but only at the stage of executing the payload
(executing commands from SYSTEM). Here it’s necessary to look for an antivirus
bypass separately, since the problem isn’t in the exploit itself, but in the payload. I
tried using the kernel debugger to elevate privileges to SYSTEM and execute commands -
the effect is the same. The other antiviruses were Defender, Eset, BitDefender,
Symantec, DrWeb. There were no problems with them.
The exploit was tested with a payload in the form of creating a hidden user in the
administrators group and dumping System\Security\Sam registry keys. After successful
exploitation, the OS continues to work normally and doesn’t crash.
=========================================================================
Second:
Windows Medium to SYSTEM Logic LPE
# Vulnerable OS
Windows 8 / 10 / 11 (including 24H2)
Windows Server 2019
# Bug class
Logic
# Exploitation vector
LPE
# Privileges required
Medium IL
# Privileges gained
SYSTEM
# Time of execution
<20s
# Reliability
80%
# User interaction
None
# Delivery
Demo video, source code, documentation
# Limitations
1) No BSOD in case of a failure, an unlimited number of attempts can be performed
2) Doesn't work on CPUs with only 1 core
# Notes
1) Other Server editions can be supported if another exploitation method is found
2) Bypasses Windows Defender
It has been tested and works on current desktop builds from Windows 8 to Windows 11 24H2.
Of the server builds, it only works on Server 2019. The exploit includes 2 vulnerabilities
for deleting system files from a Medium IL user. The option of running the msi service is
used as a method of exploitation on desktop versions. It’s available on the Internet, and
the articles describe how it works. This method has been known for a long time,
Microsoft replied to the author that they wouldn’t patch it, as they didn’t consider it
a vulnerability. Actually, it’s still relevant in the 24H2 build. As part of the exploit,
there’s an improved version, more stable and untethered from antiviruses. Server 2019 has
its own way of exploitation, which isn’t available on the Internet. The vulnerabilities
themselves are present on other server builds of the OS; if you find a way to exploit them,
you can upgrade to other server builds. Since the vulnerability is logical and uses
desynchronization, it doesn’t always work the first time. The exploit restarts itself
until it works. There will be no fatal errors or system crash. I've tried using KES, Defender,
Eset, BitDefender, Symantec, and DrWeb antiviruses, but it's been a long time. I tried
using the latest databases only on Defender.
The exploit was tested with a load in the form of creating a hidden user in the
administrators group and dumping System\Security\Sam registry keys. After successful
operation, the OS continues to work normally and doesn’t crash.