CVE-2022-41057 _ Windows 11 HTTP.SYS Kerberos PAC EoP

Proof of Concept:

I’ve provided a PoC as a C# project. You need to get and build a copy of my NtApiDotNet library to build the project (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools). Note that there's a bug in the loopback library of Windows 10 which means the POC will get an access token with a session ID of 0 which would mean the token can't be impersonated. This doesn't happen if U2U is used instead, therefore to verify that this is a working exploit it's best to run on Windows 11.

1. Compile the C# project, put a copy of NtApiDotNet.dll in the project's directory before building. Make sure you compile it for 64-bit otherwise the server authentication doesn't work correctly.
2. Run the POC on a domain joined machine passing the password for the current domain user. This isn't completely necessary as you could use U2U but this for demo purposes only.
3. The POC should print out the groups for the token.

Expected Result

The authentication fails.

Observed Result

The authentication succeeds and the token has the Domain Administrator's group.