Exploit does not elevate privileges on Windows build 19042.746

[0xShkk]

Hi,

thank you for your work!

The exploit does not elevate privileges on Windows build 19042.746
I tried to inject into explorer.exe for the last step and that does work for spawning the cmd, also all the steps before the injection do work. Injecting into winlogon.exe did not work as the privileges are not sufficient I guess.
But once the cmd got spawned it has the context of the executing user and not system.

What could be done to debug this or add functionality for Windows build 19042.746 ?

Many thanks

[ly4k]

Hello. I haven't tested it on this build. It's most likely because the structure has a different size on this build. I will look into it.

When injecting into explorer, you will inject into your own user context. If it fails to inject into winlogon, it's most likely because the exploit didn't work. Did the DoS PoC work?

[Shad0wB1ackCat]

I had the same problem with version 1903.
After debugging, I suspect this is the reason:
CreatePalette function called "PALMEMOBJ: : bCreatePalette", inside this function, the 1607 version Allocate a PPALETTE type Object From KernelPool, Repeating this process will take up the address of the freed device context mentioned in the topic.
But in the 1903 version, PPALETTE object is through MmCommitSessionMappedView mapping a piece of memory, rather than the redistribution of memory in the kernel pool. Will this result in no reuse of the device context that has been freed?
This is just my guess, if it is wrong, please forgiveand correct, thank you.