saaramar / execve_exploit

Hardcore corruption of my execve() vulnerability in WSL


execve_exploit

This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.

A detailed explanation of the vulnerability and exploit was presented at BlueHat IL 2018. The slides are in the repo; the video is here

The patch is available here

Notes:

  1. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
  2. To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)

Languages

Language: C 100.0%