Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 03)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

https://exploitreversing.com/wp-content/uploads/2026/04/exploit_reversing_09.pdf

Key features of this edition:

[+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
[+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip – elevation of privilege of a regular user to SYSTEM.
[+] PPL Bypass Edition: Exploit cldflt.sys WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump function – elevation of regular user to SYSTEM AND full LSASS credential extraction (NT hashes, Kerberos tickets, DPAPI keys).
[+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

I would like to thank Ilfak Guilfanov (@ilfak on X) and Hex-Rays SA (@HexRaysSA on X) for their constant and uninterrupted support, which has been vital in helping me produce this series.

The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

Enjoy the reading and have an excellent day.

Alexandre Borges
(April 28, 2026)

PS: The videos demonstrating the exploits are below: