Windows Common Log File System Driver Elevation of Privilege
CVE-2022-24521 is a local elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver affecting supported versions of Microsoft Windows. Microsoft described it as a CLFS driver flaw that was exploited in the wild as a zero-day. The sources collected here do not identify the specific vulnerable function or root-cause bug class within CLFS, but multiple incident reports consistently describe it as a post-compromise local privilege escalation issue used by ransomware operators after obtaining initial access to a host. Observed tradecraft includes the use of dedicated exploit binaries such as exp.exe and cleanlpe1day.exe to trigger the flaw and elevate privileges on compromised systems.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository purpose: proof-of-concept exploit for CVE-2022-24521 (Windows CLFS) implementing a local privilege escalation via crafted BLF (Base Log File) metadata corruption.

Structure (11 files):
- README.md: minimal build notes (VS2022 v143, C++14) and CVE reference.
- Two PoC implementations:
  - win10_poc/: poc.cpp plus helpers (BlfFileIO.h, ParseBLF.h, CRC32_tool.h). poc.cpp also includes kernel_utils.h and token_operations.h, but those headers are not present in the provided file list (suggesting missing files or an incomplete snapshot).
  - win11_poc/: win11_poc.cpp plus helpers (BlfFileIO.h, ParseBLF.h, CRC32_tool.h, kernel_utils.h). win11_poc.cpp includes pipe_arbitrary_rw.h (not present), implying an additional arbitrary kernel read/write primitive implementation is expected.

Core exploit flow (both Win10/Win11 variants):
1) CLFS log setup: deletes any existing container file (MyMiniLog_container_41.clfs), deletes the log name (log:MyMiniLog), then creates/opens the log and adds a 1MB container via CreateLogFile/AddLogContainer.
2) BLF parsing and patching: reads MyMiniLog.blf, locates the first General metadata block (try_find_first_general_block_offset), parses internal offsets/positions (parse_global_variable_positions), then rewrites key fields in the BLF to relocate/copy symbol table data and to set crafted values:
   - Overwrites SignaturesOffset and symbol table offsets (cbOffset/cbSymName) to move metadata to a controlled location (new_sym_offset=0x2100).
   - Sets containerContext_cidQueue to 0xFFFFFFFF and containerContext_ullAlignment to a fake vtable pointer (0x50000).
   - Copies a chunk of metadata from the original symbol table region to the new offset.
3) Integrity repair: recalculates and rewrites the CRC32 checksum for the modified block (CRC32_tool.h uses block_offset=0x800 and TotalSectorCount*512 sizing).
4) Memory shaping / gadget setup:
   - Allocates fixed-address userland memory regions (notably 0x60000, 0x50000, 0xFFFFFFF0) and writes a fake vtable/object layout.
   - Resolves kernel addresses for SeSetAccessStateGenericMapping (ntoskrnl) and ClfsEarlierLsn (CLFS.SYS) by loading user copies and adding deltas to real kernel module bases obtained via NtQuerySystemInformation.
   - Uses these as call targets/gadgets in the forged structure.
5) Trigger: re-opens the log (CreateLogFile("log:MyMiniLog", ...)) without adding a container, causing CLFS to parse the crafted BLF/container metadata and hit the vulnerable code path.
6) Privilege escalation:
   - Win10 PoC: calls ExecuteTokenReplacement(g_PreviousModeAddress) after triggering, implying a write-what-where to flip PreviousMode and then replace the token (details depend on the missing token_operations.h).
   - Win11 PoC: uses GetTokenAddresses() to locate the current and SYSTEM EPROCESS token fields (build-dependent offset 0x4B8 for >=19041, else 0x358). It then (a) targets a pipe-related kernel address (pipeCtx.attributeValueSizeAddr) to read kernel memory (PKR_ReadKernelMemory), (b) re-triggers with a target of currentTokenPtr to write the SYSTEM token pointer into the current process token field, and finally spawns a new cmd via system("start cmd").

Notable observables / hardcoded values:
- CLFS artifacts: log name "log:MyMiniLog", BLF "MyMiniLog.blf", container "MyMiniLog_container_41.clfs".
- Fixed virtual addresses used for exploitation: 0x50000 (fake vtable), 0x60000 (fake object), 0xFFFFFFF0, and writes around 0xFFFFFFFF/0x100000007.
- Kernel module paths: C:\Windows\System32\drivers\CLFS.SYS and ntoskrnl.exe loaded in userland for symbol offset calculations.

Overall: this is operational LPE exploit code (not just detection). It performs on-disk BLF corruption plus a checksum fix, sets up fake in-memory structures, triggers CLFS parsing, and escalates privileges via token theft/replacement. Some components referenced by includes (token_operations.h, pipe_arbitrary_rw.h, types.h) are not present in the provided content, so full end-to-end compilation may require additional files.
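The observables above (the hardcoded CLFS log, BLF and container names, plus the exp.exe and cleanlpe1day.exe binaries named in incident reports) are the cheapest things to hunt for. The following is an added detection example, not code from the Mallory page or the PoC repository; the key=value event format, the Host/Image/TargetFilename field names and the sample events are constructed assumptions, loosely modelled on Sysmon event IDs 1 (process create) and 11 (file create).

```python
import re
from collections import defaultdict

# Artifacts taken from the PoC summary above and from the incident reports cited on this page.
CLFS_ARTIFACTS = ("myminilog.blf", "myminilog_container_41.clfs")
EXPLOIT_BINARIES = ("exp.exe", "cleanlpe1day.exe")

# Constructed sample events (assumption: key=value lines; real Sysmon output is XML/EVTX).
SAMPLE_EVENTS = [
    "EventID=1 Host=WS01 Image=C:\\Windows\\System32\\cmd.exe User=CORP\\alice",
    "EventID=1 Host=WS01 Image=C:\\Users\\Public\\exp.exe User=CORP\\alice",
    "EventID=11 Host=WS01 Image=C:\\Users\\Public\\exp.exe TargetFilename=C:\\Users\\Public\\MyMiniLog.blf",
    "EventID=11 Host=WS01 Image=C:\\Users\\Public\\exp.exe TargetFilename=C:\\Users\\Public\\MyMiniLog_container_41.clfs",
    "EventID=11 Host=WS02 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\System32\\LogFiles\\Sum\\Api.chk",
]


def parse_event(line):
    """Split a key=value line into a dict; a value runs up to the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def basename(path):
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Tag an event as an exploit binary launch, a CLFS artifact write, or nothing."""
    if event.get("EventID") == "1" and basename(event.get("Image", "")) in EXPLOIT_BINARIES:
        return "exploit_binary"
    if event.get("EventID") == "11" and basename(event.get("TargetFilename", "")) in CLFS_ARTIFACTS:
        return "clfs_artifact"
    return None


def scan(lines):
    """Group hits per host; a host showing both tags is rated high, one tag medium."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        tag = classify(event)
        if tag:
            hits[event.get("Host", "?")].add(tag)
    return {host: ("high" if len(tags) == 2 else "medium") for host, tags in hits.items()}
```

The file names are trivial for an operator to change, so treat a hit as a prompt to pull the BLF and the process tree from that host rather than as the only detection; a broader rule would look for any .blf or .clfs creation outside expected log directories by a non-service process.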
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows local privilege escalation vulnerability included in Makop operators’ set of LPE exploits to elevate privileges.
A Windows Common Log File System (CLFS) vulnerability used for local privilege escalation by ransomware operators to run tools and steal credentials.
A Windows CLFS Driver privilege escalation vulnerability used via a tool named exp.exe during the intrusion to elevate privileges.
A Windows CLFS driver elevation-of-privilege vulnerability referenced as having been exploited in the wild.