Windows Common Log File System Driver Use-After-Free Privilege Escalation

This repository is a Windows local privilege escalation and crash PoC set for CVE-2025-29824, targeting the Windows CLFS subsystem. It contains 6 files total: a short README, three main C++ PoCs, and one small test client. The code is not part of a larger exploit framework. Repository structure and purpose: - README.md identifies the target builds: Windows 10 21H2 19044.5608 x64 and Windows 11 23H2 22631.5126 x64. It labels the included PoCs as crash (蓝屏poc) and LPE (win10_poc, win11_poc). - test_client/test_client.cpp is a minimal trigger harness. It opens a CLFS log object via \\.\LOG:\??\C:\ProgramData\Exploit.blf and sends IOCTL 0x80077028 to validate or exercise the vulnerable path. This is best understood as a trigger/test utility rather than the full exploit. - win10_poc/main.cpp is the main Windows 10 LPE exploit. From the visible code, it resolves the kernel base with EnumDeviceDrivers, loads ntoskrnl.exe locally to compute the runtime address of RtlSetAllBits, leaks the current process token kernel object address using NtQuerySystemInformation(SystemHandleInformation), derives a target privilege field offset, allocates fixed-address memory regions, prepares crafted spray payloads, creates 1500 pipes for pool spraying, opens up to 5000 CLFS handles, and races a close thread against a trigger thread using high-priority pinned threads. It checks whether token privileges changed and, on success, launches a SYSTEM shell. - win11_poc/win11_poc.cpp is a Windows 11 adaptation of the same exploit strategy. It includes similar token-address discovery, CLFS handle pool creation, pipe spraying, and race orchestration. Unlike the Windows 10 version, it explicitly contains embedded x64 shellcode that runs cmd.exe and references an InjectToWinlogon() post-exploitation step, indicating code injection into winlogon after successful privilege gain. - 蓝屏poc/poc.cpp is a crash-oriented PoC. It creates a large CLFS handle pool, then uses two threads: one closes handles to create a UAF window and the other repeatedly issues asynchronous DeviceIoControl calls with IOCTL 0x80076856. The comments describe reclaiming a freed 0x120-byte kernel pool chunk with pipe-based spraying. This variant appears intended to trigger instability/BSOD rather than complete privilege escalation. Main exploit capabilities: - Local kernel exploitation against CLFS through a race/use-after-free condition. - Mass handle creation against a CLFS log path to increase race reliability. - Pool spraying using named pipes to reclaim freed kernel allocations with attacker-controlled data. - Kernel information gathering: token object kernel address leakage and kernel base discovery. - Privilege manipulation by targeting token privilege-related fields. - Post-exploitation shell execution: cmd.exe launch and, on Windows 11, likely injection into winlogon.exe. Notable implementation details: - The exploit is highly build-specific and tuned for x64 Windows targets. - It uses thread affinity and THREAD_PRIORITY_TIME_CRITICAL to improve race timing. - It relies on CLFS device namespace access rather than network communication; there are no remote C2 or internet endpoints. - The included shellcode and post-exploitation routines make this more than a pure PoC, but it is still a standalone exploit rather than a reusable framework module.

This repository contains a working exploit for CVE-2025-29824, a critical privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. The exploit is implemented in C++ (exploit.cpp) and is designed to run on Windows systems vulnerable to this flaw (Windows 7 through Server 2025, pre-April 2025 patch). The exploit works by leaking the kernel base address, allocating shellcode, performing a heap spray with CLFS log files, and triggering a use-after-free (UAF) condition via a race condition in CLFS. Upon successful exploitation, custom shellcode is executed in kernel context, and a SYSTEM-level command prompt (cmd.exe) is spawned, granting the attacker full administrative privileges. The README provides detailed context, including attack chain, threat actor attribution, and mitigation advice. No network endpoints are present; the attack vector is local privilege escalation. The repository includes Visual Studio project files for building the exploit, but the main logic resides in exploit.cpp.

This repository contains a proof-of-concept (PoC) local privilege escalation exploit for CVE-2025-29824, a use-after-free vulnerability in the Windows Common Log File System (CLFS) kernel driver. The exploit is implemented in C++ (exploit.cpp) and is designed to be built with Visual Studio 2022. The repository includes a Visual Studio solution and project file for ease of compilation. The exploit works by leaking the kernel base address to bypass ASLR, performing a heap spray with 1000 CLFS log files, and triggering a race condition via WaitForInputIdle to induce the UAF. Custom shellcode is then executed to traverse kernel EPROCESS structures and steal the SYSTEM token, granting SYSTEM privileges to the attacker. The exploit is intended for academic and educational use in a controlled, air-gapped VM environment running a vulnerable version of Windows 10 21H2. No network endpoints or remote attack vectors are present; the exploit is purely local. The only fingerprintable endpoint is the use of the 'log:test' file path for CLFS log creation during heap spraying. The README provides detailed build and usage instructions, as well as troubleshooting and resource links.