blkph0x / CVE_2024_30078_POC_WIFI

basic concept for the latest windows wifi driver CVE
236 stars 69 forks

Unrelated to CVE-2024-30078 #6

Open FarmPoet opened 3 months ago

FarmPoet commented 3 months ago

The code in the repo is unrelated to CVE-2024-30078.

The CVE-2024-30078 vulnerability is in Dot11Translate80211ToEthernetNdisPacket() of the native Wi-Fi Windows driver (nwifi.sys), and a very specific frame needs to be constructed to even get to the vulnerable code path (which this code does not do).

I haven't tried to verify the repo owner's claim that it crashes the Wi-Fi tab in the taskbar, but either way it's unrelated to the above-mentioned CVE.

Ntlx14 commented 3 months ago

Thanks for the update. Do you know of any PoC code, or have any more details related to it?

FarmPoet commented 3 months ago

> Thanks for the update. Do you know of any PoC code, or have any more details related to it?

Currently I'm not aware of any public PoCs. The ones I've seen are either unrelated or fake.

I've reversed the driver just enough to figure out what check the patch was doing and how to reach that code path since the information provided by MSFT was really thin. I might flesh out a post about it on X if no one else does it in the meantime.

Since the bug was reported by Kunlun Lab, I expect they'll eventually come up with a blog post or conference talk on it.

Ntlx14 commented 3 months ago

> Thanks for the update. Do you know of any PoC code, or have any more details related to it?

> Currently I'm not aware of any public PoCs. The ones I've seen are either unrelated or fake.
>
> I've reversed the driver just enough to figure out what check the patch was doing and how to reach that code path since the information provided by MSFT was really thin. I might flesh out a post about it on X if no one else does it in the meantime.
>
> Since the bug was reported by Kunlun Lab, I expect they'll eventually come up with a blog post or conference talk on it.

Thanks for the reply. Would you mind sharing your findings?

blkph0x commented 3 months ago

Thanks for the info, I'll update this repo and also dig into what you have said.

FarmPoet commented 3 months ago

> Thanks for the update. Do you know of any PoC code, or have any more details related to it?

> Currently I'm not aware of any public PoCs. The ones I've seen are either unrelated or fake. I've reversed the driver just enough to figure out what check the patch was doing and how to reach that code path since the information provided by MSFT was really thin. I might flesh out a post about it on X if no one else does it in the meantime. Since the bug was reported by Kunlun Lab, I expect they'll eventually come up with a blog post or conference talk on it.

> Thanks for the reply. Would you mind sharing your findings?

I just posted a quick thread with the info I'm willing to put in public: https://x.com/f4rmpoet/status/1804918333231243704. Hope it helps.

blkph0x commented 3 months ago

> I was thinking of using a virtual environment; however, because this is in the native wireless driver (kernel-mode), a virtual machine will not have this loaded as there won't be wireless hardware available. I had the idea of adding a USB wireless card and doing a pass-through to the VM, but will this load as a USB driver and then the wireless driver in Windows? I know a physical machine will be a bit easier - but I don't have that option.

Hey mate, that's how I'm doing it: with VMware and a USB Wi-Fi dongle attached directly to the VM, the driver will load and you can debug the function remotely. You just need the debugging tools on your main Windows machine, then copy over kdnet, run kdnet to get a key, enter that into WinDbg's kernel debug dialog, reboot the VM and you're in. Just keep in mind we have new info now. I think the easiest way to debug this or build an RCE script is setting up a rogue AP-type SSID with no security, joining the network and then sending the required frames. This is how the driver seems to work: when connecting to a real open AP, during the connection phase the Dot11Translate80211ToEthernetNdisPacket() function is hit multiple times to gain the connection. From there it's pretty random, and I have been unable to get Windows to see any frames from my attacking PC past this point, but I was also trying to send the frames based just on MAC and was not really on the network.
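The VMware + USB pass-through + KDNET procedure described in the comment above, written out as an added example that is not part of this repo or of any participant's comment. The host IP, debug port, install paths and the key placeholder are assumptions; the real key is whatever kdnet.exe prints on the target. It also assumes the VM's virtual NIC is one KDNET supports (kdnet.exe with no arguments tells you) and that the USB Wi-Fi dongle is already passed through so nwifi.sys actually loads in the guest.

```powershell
# Added example (not the repo's or the thread's own code): enable KDNET kernel
# debugging in a VMware guest and set a breakpoint on the function named in
# the thread. IPs, ports, paths and the key value below are assumptions.

# ---- Step 1: inside the target VM (elevated PowerShell) ----
# Copy kdnet.exe and VerifiedNICList.xml from the host's Debugging Tools
# folder (assumed: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64)
# into C:\KDNET on the guest before running this part.
$HostIp    = '192.168.10.1'   # assumption: IP of the machine running WinDbg, reachable from the VM
$DebugPort = 50000            # assumption: any free port in the 49152-65535 range
Set-Location -Path 'C:\KDNET'
.\kdnet.exe                    # with no arguments: lists NICs and whether KDNET supports them
.\kdnet.exe $HostIp $DebugPort # configures bcdedit debug settings and prints a key (w.x.y.z form)
# Write down the printed key, then reboot so the guest boots with the kernel
# debugger enabled and waits for the host to connect.
Restart-Computer

# ---- Step 2: on the debugging host ----
$Key    = 'paste.key.from.kdnet'   # placeholder: replace with the key kdnet.exe printed
$WinDbg = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'  # assumed path
# -k net:...  attaches over KDNET using the same port and key.
# -c "..."    runs debugger commands at the first break-in.
# 'bu' is an unresolved breakpoint: it binds when nwifi.sys loads, which only
# happens once the passed-through USB Wi-Fi dongle is present in the guest.
& $WinDbg -k "net:port=$DebugPort,key=$Key" `
          -c "bu nwifi!Dot11Translate80211ToEthernetNdisPacket; g"
```

If the debugger does not break in automatically after the reboot, the same `bu` line can be typed at the `kd>` prompt after a manual break (Ctrl+Break). Once the breakpoint binds, associating the guest with an open AP should stop in the function during the connection phase, which is the point at which the comment above says the function is hit repeatedly.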

FarmPoet commented 3 months ago

@blkph0x, your DMs are closed on X. Drop me a message so we can exchange some ideas.

blkph0x commented 3 months ago

> @blkph0x, your DMs are closed on X. Drop me a message so we can exchange some ideas.

Sent a DM on X.