CVE-2011-2005
published 2011-10-12

CVE-2011-2005: afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel…

Priority: P2, 78, high; CVSS 3.1 base score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 31.76% (98.1 percentile)
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

Detection & IOCs (extracted from sources)

filename: afd.sys
other: IOCTL 0x000120bb (AFDJoinLeaf)
other: NtQueryIntervalProfile called with input 0x1337 to trigger shellcode
other: ZwDeviceIoControlFile / NtDeviceIoControlFile with IOCTL 0x000120bb, inputbuffer 0x1004, inputbuffer_size 0x108, outputbuffer HalDispatchTable+0x4+1, outputbuffer_size 0x0
bytes: irpstuff: 41414141 42424242 00000000 44444444 01000000 e800 34 f000 45*231
  • Monitor for NtQueryIntervalProfile calls with input value 0x1337 immediately following a DeviceIoControl to afd.sys; this is the trigger step to execute the kernel shellcode after HalDispatchTable overwrite.
  • Alert on WSASocket creating a TCP socket that is immediately connected to 127.0.0.1:4455 (a closed port) to obtain a CONNECTING-state socket handle for use in the malicious DeviceIoControl call.
  • FIN6 threat actor has weaponized CVE-2011-2005 for local privilege escalation to kernel-level privileges; correlate afd.sys exploitation indicators with FIN6 TTPs such as Cobalt Strike, Mimikatz, and FrameworkPOS activity.
  • The exploit targets 32-bit Windows XP SP3 and Windows Server 2003 SP2 exclusively; flag execution of exploit code on these OS versions with the specific hal.dll offsets HaliQuerySystemInformation (XP: +0x16bba, 2K3: +0x1fa1e) and HalpSetSystemInformation (XP: +0x19436, 2K3: +0x21c60).
  • The standalone Python exploit (EDB-18176) requires the attacker to specify the target OS (-O XP or -O 2K3) as the hal.dll offsets differ between Windows XP SP3 and Windows Server 2003 SP2; incorrect targeting will fail or crash the system.
  • The exploit is limited to 32-bit (x86) systems only; the Metasploit module explicitly rejects WOW64 and 64-bit targets.
  • The exploit requires a local (non-SYSTEM) session; the Metasploit module aborts if the session is already running as SYSTEM.
  • Post-exploitation token restoration is critical for system stability; skipping the restore step after shellcode execution risks system instability or BSOD.

CVSS provenance

  • nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 7.8 HIGH
  • cisa: 7.8 HIGH
  • vendor_redhat: 7.5 HIGH