Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege
CVE-2025-21333 is an elevation-of-privilege vulnerability in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). Public reporting indicates exploitation can begin from a child VM or Windows Sandbox: a malicious request sent through the VSP carries an oversized buffer, which is copied into kernel memory and corrupts an adjacent object. The same reporting describes heap grooming ("heap feng shui") to shape the memory layout before the overwrite is triggered. Successful exploitation crosses the guest-to-host trust boundary and yields code execution as SYSTEM on the host.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
The repository is a standalone Windows local kernel exploit for CVE-2025-21333, not tied to a common exploitation framework. Its structure is small and focused: README.md documents the exploit approach and references an earlier PoC; exp/build.bat compiles the project with MSVC; exp/main.cpp contains the main exploitation flow; exp/helper.c and exp/helper.h implement NT API loading, heap-spraying helpers, WNF manipulation, pipe/IoRing primitives, and kernel read/write support; exp/hexdump.c and exp/hexdump.h provide debugging output. The exploit targets Windows kernel heap corruption. Based on the code and README, it improves on an earlier public PoC by using Microsoft Defender Application Guard / IsolatedAppLauncher APIs to obtain a sandbox/container GUID instead of opening a Windows Sandbox process. The main flow in exp/main.cpp loads NT functions from ntdll.dll, obtains the container GUID, raises process/thread priority, sprays large numbers of WNF state objects into paged pool, frees selected WNF objects to create holes, crafts oversized ACL-backed object data to overflow into adjacent allocations, and then pivots into pipe-attribute and IoRing object corruption. The helper code shows the intended post-corruption capabilities: arbitrary kernel read via fake/corrupted pipe_attribute structures and arbitrary kernel read/write via forged IoRing-related IOP_MC_BUFFER_ENTRY state. Hardcoded kernel offsets in helper.h (for NPFS and for nt symbols such as PsInitialSystemProcess and PoolQuotaCookie) indicate the exploit is tuned to specific Windows kernel builds and is not broadly portable without adjustment. The named pipes \\.\pipe\IoRingExploitInput and \\.\pipe\IoRingExploitOutput are explicit local endpoints used during exploitation and are therefore useful detection artifacts. Overall, this is an operational local privilege-escalation exploit with real exploitation primitives rather than a mere detector or crash PoC.
This repository contains a working proof-of-concept (POC) exploit for CVE-2025-21333, a heap-based buffer overflow vulnerability in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). The exploit is implemented in C++ (main file: CVE-2025-21333.cpp) and is designed to be compiled and run on a vulnerable Windows system. The exploit leverages advanced manipulation of Windows kernel objects, including the Windows Notification Facility (WNF), named pipes, and process tokens, to achieve local privilege escalation from a low-privileged user or VM context to SYSTEM on the Hyper-V host. The README provides detailed background, affected systems, and usage instructions, including how to verify vulnerable binaries and run the exploit. The exploit uses named pipes (\\.\pipe\IoRingExploitOutput and \\.\pipe\IoRingExploitInput) for communication and targets specific system files (vkrnlintvsp.sys and ntoskrnl.exe) for fingerprinting and exploitation. The codebase includes supporting header files (Hexdump.hpp, wnf.h) and Visual Studio project files for building the exploit. This is a mature, operational exploit that provides a SYSTEM shell if successful.
This repository contains a functional proof-of-concept (POC) exploit for CVE-2025-21333, a heap-based buffer overflow in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). The exploit is implemented in C++ and is structured as a Visual Studio project, with the main logic in 'CVE-2025-21333.cpp' and supporting headers ('Hexdump.hpp', 'wnf.h'). The exploit leverages advanced Windows kernel features, including the Windows Notification Facility (WNF), IO rings, and named pipes, to manipulate kernel memory and escalate privileges from a VM context to SYSTEM on the Hyper-V host. The README provides detailed background, affected systems, and usage instructions, including example output showing successful SYSTEM shell access. The exploit targets unpatched Windows 10/11 and Server 2022/2025 Hyper-V hosts and requires local access from a VM. Notable fingerprintable endpoints include named pipes (\\.\pipe\IoRingExploitOutput, \\.\pipe\IoRingExploitInput) and references to key system files (vkrnlintvsp.sys, ntoskrnl.exe) for version/hash checking. The code is operational and demonstrates a full privilege escalation chain, making it a high-impact exploit for vulnerable environments.
This repository is a Proof-of-Concept (POC) exploit for CVE-2025-21333, a heap-based buffer overflow vulnerability in the Windows driver vkrnlintvsp.sys. The exploit is implemented in C++ and is structured as a Visual Studio project, with the main logic in 'CVE-2025-21333-POC.cpp' and supporting headers. The exploit works by manipulating kernel memory structures (specifically, an array of pointers to _IOP_MC_BUFFER_ENTRY) to achieve arbitrary kernel read/write via I/O Ring syscalls. It then leverages this primitive to steal the SYSTEM token and spawn a SYSTEM shell, providing local privilege escalation on Windows 11 23H2 (and possibly 24H2) with the vulnerable driver and Windows Sandbox enabled. The README provides detailed technical background, requirements, hashes of tested binaries, and step-by-step usage instructions. The exploit is not weaponized and is intended for research and demonstration purposes. Notable fingerprintable endpoints include the vulnerable driver path, kernel binary, and named pipes used for exploit communication.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An exploited-in-the-wild Hyper-V Virtualization Service Provider (VSP) kernel vulnerability enabling elevation of privilege to SYSTEM from a guest/contained context via memory corruption (heap grooming + oversized buffer overwrite).
A Windows Hyper-V NT Kernel Integration VSP elevation-of-privilege vulnerability that Microsoft reports is being actively exploited in the wild.
A Windows Hyper-V NT Kernel Integration VSP elevation-of-privilege vulnerability that Microsoft reports is actively exploited in the wild.
A critical elevation-of-privilege vulnerability in Microsoft Hyper-V that allows a guest VM to escape to the host, breaking the virtualization boundary.