GitHub: Haider303/facebook-media-driver-exploit
Stars: 0 | Forks: 0
# facebook-media — Windows Kernel LPE
Proof-of-concept Local Privilege Escalation exploit targeting a vulnerable kernel driver. Chains arbitrary physical memory read/write primitives into a SYSTEM token steal.
## What It Does
The driver at `\\.\facebook-media` exposes three IOCTLs with no address validation:
| IOCTL | Primitive |
|---|---|
| `0x222000` | Read kernel virtual memory |
| `0x222018` | Read physical memory |
| `0x22201C` | Write physical memory |
These are chained to overwrite the current process token with the SYSTEM token, achieving `NT AUTHORITY\SYSTEM`.
## Requirements
- Windows 10/11 x64
- Administrator privileges
- `facebook-media.sys` loaded
- Visual Studio 2022 Build Tools
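The last requirement is the one a defender cares about: whether `facebook-media.sys` is actually loaded on a host. The following script is an added example and is not part of this repository. It parses the CSV output of `driverquery /V /FO CSV` and reports any entry whose module name matches the driver; the column names `Module Name`, `State` and `Path` are assumed from that tool's output format, and the embedded CSV is a constructed sample, not output captured from a real machine.

```python
"""Inventory check: is the facebook-media driver loaded on this Windows host?

Added example, not the repository's own code. Assumes the column names of
`driverquery /V /FO CSV` ("Module Name", "State", "Path"); the sample CSV
below is constructed for offline testing.
"""
import csv
import io
import subprocess
import sys

DRIVER_NAME = "facebook-media"        # module name of the driver from the README
DEVICE_PATH = r"\\.\facebook-media"   # device object the driver exposes (README)

# Constructed sample of `driverquery /V /FO CSV` output (not from a real host).
SAMPLE_CSV = (
    '"Module Name","Display Name","Description","Driver Type","Start Mode",'
    '"State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)",'
    '"Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"\n'
    '"acpi","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot",'
    '"Running","OK","TRUE","FALSE","0","0","0","",'
    '"C:\\Windows\\system32\\drivers\\ACPI.sys","0"\n'
    '"facebook-media","facebook-media","facebook-media","Kernel","Auto",'
    '"Running","OK","TRUE","FALSE","0","0","0","",'
    '"C:\\Windows\\system32\\drivers\\facebook-media.sys","0"\n'
    '"tcpip","TCP/IP Protocol Driver","TCP/IP Protocol Driver","Kernel","Boot",'
    '"Running","OK","FALSE","FALSE","0","0","0","",'
    '"C:\\Windows\\system32\\drivers\\tcpip.sys","0"\n'
)


def find_driver(csv_text: str, name: str = DRIVER_NAME) -> list[dict]:
    """Return driverquery rows whose module name equals `name` (case-insensitive)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        module = (row.get("Module Name") or "").strip()
        if module.lower() == name.lower():
            hits.append({
                "module": module,
                "state": (row.get("State") or "").strip(),
                "path": (row.get("Path") or "").strip(),
            })
    return hits


def is_loaded(csv_text: str, name: str = DRIVER_NAME) -> bool:
    """True if the named driver is present and reported as Running."""
    return any(h["state"].lower() == "running" for h in find_driver(csv_text, name))


def live_driverquery() -> str:
    """Run driverquery on the local host and return its CSV output (Windows only)."""
    result = subprocess.run(
        ["driverquery", "/V", "/FO", "CSV"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # On Windows query the real host; elsewhere fall back to the constructed sample.
    text = live_driverquery() if sys.platform.startswith("win") else SAMPLE_CSV
    for hit in find_driver(text):
        print(f"{hit['module']}: state={hit['state']} path={hit['path']}")
    print(f"device {DEVICE_PATH} reachable via loaded driver: {is_loaded(text)}")
```

A host where `is_loaded` returns `True` is exposed to the chain described above; the response is to unload and remove the driver (or block it with a driver-blocking policy such as WDAC), not merely to remove the exploit binary.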
## Compilation
Open **x64 Native Tools Command Prompt for VS 2022** from the Start Menu.
Verify you have the right compiler:
```
cl
```
Should say `for x64` — if it says `x86` you have the wrong prompt.
Navigate to the project folder and compile:
```
cl /EHsc exploit.c /Fe:exploit.exe psapi.lib advapi32.lib
```
## Usage
Run as Administrator:
```
exploit.exe
```
No input required. A `cmd.exe` window will open as `NT AUTHORITY\SYSTEM`.
## EPROCESS Offsets
The offsets are hardcoded for Windows 10/11 x64. If you are running a different build, verify them with WinDbg before use:
```
dt nt!_EPROCESS Token
dt nt!_EPROCESS ActiveProcessLinks
dt nt!_EPROCESS UniqueProcessId
dt nt!_KPROCESS DirectoryTableBase
```
## Disclaimer
For educational and research purposes only. The author is not responsible for misuse. Only test on systems you own or have written permission to test.