This repository contains a Rust proof-of-concept exploit targeting the AMD Radeon™ Graphics Kernel Driver (pdfwkrnl.sys), specifically the vulnerability CVE-2023-20598.
The vulnerable driver exposes an IOCTL that allows an arbitrary kernel memory copy, which can be abused to achieve arbitrary read/write in kernel mode and ultimately local privilege escalation to SYSTEM.
This project was created purely for learning purposes, as part of my study of Windows kernel exploitation and vulnerable driver development.
It does not introduce new techniques and is not intended to be advanced or novel — it simply documents my learning process.
- Driver: pdfwkrnl.sys (AMD Radeon™ Graphics Kernel Driver)
- CVE: CVE-2023-20598
- Impact: Local Privilege Escalation
- Primitive: Arbitrary kernel read/write via IOCTL
The driver fails to properly validate user-controlled pointers passed to a memory move operation, allowing controlled kernel memory access from user mode.
The exploit follows a classic Windows kernel token stealing approach:
- Open a handle to `\\.\PdFwKrnl`
- Abuse the vulnerable IOCTL to gain arbitrary read/write
- Resolve the kernel base address
- Locate `PsInitialSystemProcess`
- Traverse the `_EPROCESS` list to find the current process
- Replace the current process token with the SYSTEM token
- Spawn an elevated `cmd.exe`
- Restore the original token after execution
Hardcoded `_EPROCESS` offsets are used, so the PoC is tied to specific Windows versions and must be adjusted for other builds.
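From the defender's side, the precondition for every step listed above is that the vulnerable driver is installed and loaded on the host. The following PowerShell script is an added example written for this README, not code from the PoC repository; it takes only the driver file name `pdfwkrnl.sys` from the write-up and reports whether a driver service references that image, whether the file is present under the system drivers folder (with signer and SHA-256 for blocklisting), and whether Microsoft's vulnerable driver blocklist setting is enabled. The registry value name used in the last check is the one documented by Microsoft for that feature; the function name `Test-PdFwKrnlExposure` is this example's own.

```powershell
# Added defender-side check (not part of the PoC repository).
# Reports whether the AMD driver pdfwkrnl.sys, the only driver name taken
# from the write-up above, is registered, present on disk, and running.
function Test-PdFwKrnlExposure {
    [CmdletBinding()]
    param(
        # Driver image name from the write-up; override for other vulnerable drivers.
        [string]$DriverName = 'pdfwkrnl.sys'
    )

    $pattern = [regex]::Escape($DriverName)

    # 1. Driver services whose image path references the driver.
    #    State 'Running' means the image is currently loaded in the kernel,
    #    which is the condition a local attacker needs.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match $pattern) } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                PathName  = $_.PathName
            }
        }

    # 2. Copies of the image under the system drivers folder, with Authenticode
    #    status and SHA-256 so the exact file can be blocklisted or hunted for.
    $files = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter $DriverName -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Status = $sig.Status
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    # 3. Microsoft vulnerable driver blocklist setting (documented registry value).
    #    A value of 1 means the HVCI driver blocklist is enforced on this host.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        DriverName              = $DriverName
        Registered              = [bool]$services
        Loaded                  = [bool]($services | Where-Object State -eq 'Running')
        OnDisk                  = [bool]$files
        VulnerableDriverBlocklist = if ($null -eq $blocklist) { 'not configured' } elseif ($blocklist -eq 1) { 'enabled' } else { 'disabled' }
        Services                = @($services)
        Files                   = @($files)
    }
}

# Usage: run in an elevated PowerShell session and inspect the result.
$report = Test-PdFwKrnlExposure
$report | Format-List
if ($report.Loaded) {
    Write-Warning "$($report.DriverName) is loaded; treat this host as exposed until the driver is updated or blocked."
}
```

The `Loaded` field is the one that matters for triage: an unloaded file on disk can still be started by an administrator (or by a bring-your-own-vulnerable-driver loader), so the practical mitigations are updating the AMD software, removing the driver service where it is not needed, and keeping the vulnerable driver blocklist enabled so the signed image cannot be loaded at all.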
This code is provided for educational purposes only.
Do not use this on systems you do not own or have permission to test.
The author takes no responsibility for misuse.