hoangprod/CVE-2021-31956-POC

# CVE-2021-31956

WIP PoC code for CVE-2021-31956 in preparation for OSEE. Will improve it further after my OSEE exams and in free time. A lot of hardcoded offsets need to be changed if they differ on the target system (but if it is anything similar to 2020 - 2021 builds then no change should be needed. Not sure 100%), and you can't exit the program because many pool headers are still corrupted and the Token field still points to the system's token. One of three things will happen if you try to exit the program: a BSOD, the program can't exit, or, if the stars align, it exits safely but the system is probably unstable and a ticking time bomb.

Credits:

https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/ amazing write-up that covers many details that NCC and others lack

https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/ good basic understanding of the vuln and good lessons learned

https://github.com/aazhuliang/CVE-2021-31956-EXP for most of the starting code and a source for me to fall back onto if I am completely stuck

https://github.com/freeide/CVE-2021-31955-POC/tree/main - CVE-2021-31955 PoC that allows leaking the EPROCESS address. Though this is unnecessary due to the nature of the bug and the accessible CreatorProcess field inside the WNF struct.
