← All tools

HEVD-BufferOverflowNonPagedPoolNx-Win10-22H2

https://github.com/ommadawn46/HEVD-BufferOverflowNonPagedPoolNx-Win10-22H2

Free

Categories

Exploitation

Description

HEVD Exploit: BufferOverflowNonPagedPoolNx on Windows 10 22H2 - Escalating from Low Integrity to SYSTEM via Aligned Chunk Confusion

Keywords

exploit hevd kernel windows c++

Screenshots

Example Usage

flowchart TD
    classDef primitiveStyle fill:#fcf8e3,stroke:#8a6d3b,stroke-width:2px,font-weight:bold,color:#000
    classDef vulnStyle      fill:#ffdddd,stroke:#ff0000,stroke-width:2px,font-weight:bold,color:#000
    classDef coreLeakStyle  fill:#e3f0ff,stroke:#1e90ff,stroke-width:2px,font-weight:bold,color:#000
    classDef goalStyle      fill:#d4edda,stroke:#28a745,stroke-width:2px,font-weight:bold,color:#000

    start(["Run Exploit"]) ==> phase0
    phase0 ==> phase1
    phase1 ==> phase2
    phase2 ==> phase3
    phase3 ==> phase4
    phase4 ==> phase5
    phase5 ==> finish(["Spawn SYSTEM Shell"])

    subgraph phase0["Phase 0: Initialization"]
        direction LR
        init["Initialize Windows API Wrappers"] --> rva["Resolve Required Kernel RVAs"]
    end

    subgraph phase1["Phase 1: Arbitrary Read"]
        direction LR
        heap["Spray Heap (Named Pipes)"] --> vuln["Trigger HEVD Buffer Overflow"] --> cache["Set CacheAligned Flag"] --> ghost["Create Ghost Chunk"] --> read["Establish Arbitrary Read Primitive"]
    end

    subgraph phase2["Phase 2: KASLR Bypass"]
        direction LR
        leak1["Leak NP_DATA_QUEUE_ENTRY.Flink"] --> traverse["Walk Kernel Object Ch