GitHub - Nightmare-Eclipse/MiniPlasma: CVE-2020-17103 was apparently not patched or the patch was reversed, regardless this the PoC for an LPE in cldflt.sys · GitHub

/" data-turbo-transient="true" />

Skip to content

Search or jump to...

Search code, repositories, users, issues, pull requests...

-->

Search

Clear

Search syntax tips

Provide feedback

--><br>We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Cancel

Submit feedback

Saved searches

Use saved searches to filter your results more quickly

-->

Name

Query

To see all available qualifiers, see our documentation.

Cancel

Create saved search

Sign in

/;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up

Appearance settings

Resetting focus

You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

{{ message }}

Nightmare-Eclipse

MiniPlasma

Public

Notifications<br>You must be signed in to change notification settings

Fork<br>52

Star<br>222

main

BranchesTags

Go to file

CodeOpen more actions menu

Folders and files<br>NameNameLast commit message<br>Last commit date<br>Latest commit

History<br>6 Commits<br>6 Commits

PoC_AbortHydration_ArbitraryRegKey_EoP

PoC_AbortHydration_ArbitraryRegKey_EoP

packages

packages

LICENSE

LICENSE

PoC_AbortHydration_ArbitraryRegKey_EoP.sln

PoC_AbortHydration_ArbitraryRegKey_EoP.sln

README.md

README.md

View all files

Repository files navigation

MiniPlasma

After re-investigating the technique used in GreenPlasma (specifically SetPolicyVal), it turns out cldflt!HsmOsBlockPlaceholderAccess is still vulnerable to the exact same issue that was reported to Microsoft 6 years ago.<br>I'm not taking full credit for this, James Forshaw from google project zero found the vulnerability and reported it to Microsoft and was supposedly fixed as CVE-2020-17103.

However, a research who's a friend of mine pointed out that the routine might still have a vulnerability, which is something I considered but brushed off because I thought it was impossible for Microsoft to just not patch this or rollback the patch.

After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched. I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes.

To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines but success rate may vary since it's a race condition.

I believe all Windows versions are affected by this vulnerability.

About

CVE-2020-17103 was apparently not patched or the patch was reversed, regardless this the PoC for an LPE in cldflt.sys

Resources

Readme

License

MIT license

Uh oh!

There was an error while loading. Please reload this page.

Activity

Stars

222<br>stars

Watchers

watching

Forks

52<br>forks

Report repository

Releases

1.0.0

Latest

May 16, 2026

Packages

Uh oh!

There was an error while loading. Please reload this page.

Contributors

Uh oh!

There was an error while loading. Please reload this page.

Languages

C#<br>100.0%

You can’t perform that action at this time.