Initial Upload

za233
2025-04-02 19:26:11 +08:00
parent 169c909115
commit 9ce40e7cac
26 changed files with 1219 additions and 0 deletions
+42
@@ -0,0 +1,42 @@
## NeacController
### 0x0 Background
> **Neac**: NetEases self-developed anti-cheat solution, designed to protect its PC games, including but not limited to Overwatch, Naraka: Bladepoint, and FragPunk.
A vulnerability in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver (versions prior to v1.0.0.8) allows a local attacker to escalate privileges via crafted IOCTL commands to the NeacSafe64.sys component, potentially enabling SYSTEM privilege acquisition and arbitrary shellcode execution in kernel space.
### 0x1 Escalation of Privileges
The NeacSafe64 driver exposes two message handlers (Opcode 14 and 70, **msghandler15**/**msghandler71**) that implement **arbitrary kernel-space read/write** primitives. These operations enable NeacController to perform privileged memory manipulation, ultimately achieving SYSTEM privilege escalation through combined exploitation of these capabilities.
![image-20250402191202338](img/image-20250402191202338.png)
### 0x2 Code Execution
The NeacSafe64 driver allocates **NonPagedPool** memory and stores its pointer in a global variable, subsequently utilizing function pointers to invoke system APIs. This implementation allows attackers to:
- Inject shellcode into the allocated pool memory.![image-20250402191231920](img/image-20250402191231920.png)
- Hijack control flow by overwriting the function pointer.
![image-20250402191347751](img/image-20250402191347751.png)
- Trigger execution through specific Message Handler operations.
![image-20250402191422969](img/image-20250402191422969.png)
ultimately achieving arbitrary kernel-mode code execution (KMCE) via controlled pointer redirection.
### 0x3 Usage
Deploying the NeacSafe64 driver via NeacSafe64.inf and executing NeacController.exe, and it will spawn a privileged cmd process.
The demonstration payload currently uses a single `ret` instruction as shellcode, resulting in no observable system behavior. For effective vulnerability validation:
![image-20250402192523943](img/image-20250402192523943.png)
1. Replace the placeholder shellcode with `0xCC` (INT3 breakpoint opcode)
2. Execution will then trigger either:
- Debugger break-in via `STATUS_BREAKPOINT` exception
- System crash (BSOD) if unhandled in kernel context
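Review bot: the Usage section (0x3) tells the reader to deploy the driver from NeacSafe64.inf but never states that the installed driver has to be one of the affected builds (the Background section says only versions prior to v1.0.0.8 are vulnerable), nor which driver version and Windows build the controller was actually tested against; on a patched driver the IOCTL sequence gives no useful signal, so add the tested versions and spell out the mitigation the text already implies (update NeacSafe64 to v1.0.0.8 or later). Since step 2 of the validation procedure expects either a debugger break-in or a BSOD, the section should also say the test is meant for a VM with a kernel debugger attached rather than a production host. Two wording/layout points: "Deploying the NeacSafe64 driver via NeacSafe64.inf and executing NeacController.exe, and it will spawn a privileged cmd process." is a fragment; suggest "Deploy the NeacSafe64 driver via NeacSafe64.inf and run NeacController.exe; it spawns a privileged cmd process." And in 0x2 the first image link is glued onto the end of the "Inject shellcode into the allocated pool memory." bullet, so it renders inside the list item; move it to its own line like the other two images.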