Windows Kernel Elevation of Privilege Race Condition

This repository is a comprehensive exploit suite targeting CVE-2025-62215, a race condition and double-free vulnerability in the Windows kernel. The suite is composed of several components: - AutoGenerator.js and GetOffsets.js: WinDbg JavaScript scripts that dynamically extract kernel structure offsets (EPROCESS fields) from the target system and generate a custom shellcode.asm file. AutoGenerator.js also compiles this assembly into shellcode.bin using NASM. - shellcode.asm: Assembly payload that performs token stealing by traversing the kernel's process list, locating the SYSTEM process, and copying its token to the current process, enabling privilege escalation. - exploit.cpp: The main exploit engine, written in C++. It loads the generated shellcode.bin, allocates executable memory, and performs a kernel heap spray using pipe objects. It then opens a handle to the vulnerable device (\\.\VulnerableDevice) and triggers the race condition/double-free via IOCTL 0xDEADBEEF in multiple threads. Upon successful exploitation, it checks for SYSTEM privileges and spawns a SYSTEM-level command shell (cmd.exe). - exploit_.css: A parody/fake exploit file that mimics the structure of the real exploit but does not perform any actual exploitation. The exploit is operational, requiring a vulnerable driver and specific system configuration. It is not weaponized for mass deployment but provides a working local privilege escalation chain for research and educational purposes. The main attack vector is local, requiring code execution on the target system. Key fingerprintable endpoints include the device name (\\.\VulnerableDevice) and file paths (C:\exploit\shellcode.asm, C:\exploit\shellcode.bin).

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-62215, a local privilege escalation vulnerability in the Windows kernel (Windows 10/11, x64). The vulnerability is a race condition leading to a double-free, which can be exploited to escalate privileges to SYSTEM. The repository contains three main C++ files: - poc.cpp: The primary PoC exploit, which creates multiple threads to rapidly open and close kernel object handles, attempting to trigger the race condition and double-free. It includes heap spraying, privilege checks, and a test mode for safer execution. - poc2.cpp: An advanced exploitation module that implements more sophisticated heap grooming and kernel object manipulation strategies. It simulates interaction with a vulnerable device object (\\.\VulnerableDevice%d) and uses multithreading to increase the likelihood of triggering the vulnerability. - testLocal.cpp: A utility to gather system information and check for potential vulnerability to CVE-2025-62215, including OS version, architecture, and privilege level. The exploit is local-only and requires administrator privileges to run. It does not target any network endpoints. The code is well-structured, with clear separation between exploitation logic and system information gathering. The PoC is intended for educational and authorized security testing purposes only.

This repository is a proof-of-concept (PoC) exploit for CVE-2025-62215, a Windows kernel privilege escalation vulnerability affecting Windows 10, 11, and Server editions. The vulnerability is due to a race condition and double-free bug in kernel resource management, allowing local authenticated users to escalate privileges to SYSTEM. The repository contains three main C++ code files: - `exploit.cpp`: The primary PoC exploit, which uses multi-threading to trigger the race condition and double-free, heap spraying to shape memory, and attempts to escalate privileges. It provides command-line options for test mode and verbose output. - `advanced_exploit.cpp`: An advanced exploitation module that implements more sophisticated heap grooming and kernel object manipulation strategies, including the creation of multiple device handles (e.g., `\\.\VulnerableDevice%d`) to simulate or target the vulnerable kernel path. - `system_info.cpp`: A utility to gather system information and check for potential vulnerability to CVE-2025-62215. Supporting files include detailed documentation (`README.md`, `TECHNICAL_DETAILS.md`, `QUICKSTART.md`) and a restrictive license for educational use only. The exploit is designed for local execution and does not target network services. It requires a vulnerable Windows system and may cause system instability or crashes (BSOD) during testing. The code is well-documented and structured for research and educational purposes, with clear warnings against unauthorized or malicious use.