Introduction
There are already good writeups on CVE-2023-36802, a type confusion bug in Microsoft’s Streaming Service Proxy driver mskssrv.sys. Most of them were written before recent mitigations closed off the usual paths. This one was written after.
The bug was known. The patch was out. The writeups existed. My mentor Dang Nguyen (@MochiNishimiya) gave it to me anyway.
The constraint was simple: exploit it without relying on NtQuery* APIs[1] for kernel address leaks or PreviousMode[2][3] for arbitrary read/write. Build the exploit the way you’d have to build it today, under the mitigations that exist now, not the ones that existed when the bug was first disclosed.