gitmyhub

Green_plasma_ctf

Language: C · ★ 16 · updated 21 days ago

Solving green plasma

Public proof of concept for CVE-2022-37962, a Windows CTF protocol privilege escalation from a low-privilege user to NT AUTHORITY\SYSTEM on Windows 10 1903.

Tags: C, C++, MinGW, Visual Studio, Windows, NT API · Setup: hard · Complexity: 5/5

Green_plasma_ctf is a public security research project that publishes a working proof of concept for a Windows privilege escalation chain the author calls GreenPlasma. The goal of the exploit, demonstrated on Windows 10 builds, is to start from an account with no administrator rights and end up running code as NT AUTHORITY\SYSTEM, the highest-privilege account on Windows. The README is framed as research building on an earlier skeleton by another researcher that intentionally left out the final code path, and on prior work by several named authors who are credited at the top of the file.

The bug being exploited is tracked as CVE-2022-37962, a flaw in the Windows CTF protocol, which is the inter-process channel that powers the Microsoft Text Services Framework. The PoC abuses an NT object manager symbolic link to redirect a CTF-related object that the winlogon process opens, so that winlogon ends up mapping a memory section the unprivileged process controls. The README documents the phases plainly: load NT API addresses from ntdll, look up known EPROCESS offsets, create and map a named section, replace the CTF session symlink with one that points to that section, plant a callback pointer and shellcode in the mapped memory, then call SwitchDesktop so winlogon executes the callback.

The author notes the current status: the symlink primitive is confirmed on Windows 10 and 11, but the token-stealing shellcode only runs cleanly on Windows 10 build 1903. On Windows 11 24H2, the callback fires but the shellcode itself does not succeed, and research continues.

The repository contains three C source files: greenPLASMA_Final.c, the main exploit; GreenPlasma_Brute.c, a helper that cycles through plausible EPROCESS offset combinations and reports any that produce a SYSTEM process; and GreenPlasma_legacy.cpp, the older PoC kept for reference. The README also lists MinGW and Visual Studio compile commands, expected output, and a short troubleshooting section.

Where it fits