CVE-2017-6008

HIGH

Sophos HitmanPro < 3.7.20 - Local Privilege Escalation via Malformed IOCTL Call

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-6008. PoCs published by cbayet, AntiRootkit1.

AI-analyzed exploit summary: The provided text describes a privilege escalation exploit for CVE-2017-6008, targeting a kernel pool buffer overflow in HitmanPro. It references a Quota Process Pointer Overwrite attack and includes links to detailed papers and a Proof of Concept (PoC).

Description

A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to escalate privileges via a malformed IOCTL call.

Exploits (3)

exploitdb WRITEUP
by cbayet · text · local · windows
https://www.exploit-db.com/exploits/43057

The provided text describes a privilege escalation exploit for CVE-2017-6008, targeting a kernel pool buffer overflow in HitmanPro. It references a Quota Process Pointer Overwrite attack and includes links to detailed papers and a Proof of Concept (PoC).

Classification: Writeup 90%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: HitmanPro (hitmanpro37.sys driver)
No auth needed
Prerequisites: Access to a vulnerable version of HitmanPro · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 120 stars
by cbayet · poc
https://github.com/cbayet/Exploit-CVE-2017-6008

This repository contains a privilege escalation exploit for CVE-2017-6008, targeting a kernel pool buffer overflow in HitmanPro's driver. It includes separate exploits for Windows 7 and Windows 10, leveraging a Quota Process Pointer Overwrite attack to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: HitmanPro (hitmanpro37.sys driver)
Auth required
Prerequisites: Local access to the target system · HitmanPro software installed · Administrative privileges to load the vulnerable driver
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC
by AntiRootkit1 · poc
https://gitlab.com/AntiRootkit1/Exploit-CVE-2017-6008

This repository contains functional exploit code for CVE-2017-6008, a kernel pool buffer overflow in HitmanPro's driver (hitmanpro37.sys) leading to local privilege escalation. The exploit leverages a Quota Process Pointer Overwrite attack and includes variants for Windows 7 and Windows 10, with detailed technical references and pool spraying techniques.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: HitmanPro (hitmanpro37.sys driver)
No auth needed
Prerequisites: Local access to a vulnerable system · HitmanPro software installed · Administrative privileges to load the driver (if not already loaded)
devstral-2 · analyzed Feb 23, 2026

References (5)

Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/
Third Party Advisory x_refsource_misc
https://www.nuitduhack.com/fr/planning/talk_10
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-10/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/cbayet/Exploit-CVE-2017-6008
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43057/

Scores

CVSS v3 7.8
EPSS 0.0190
EPSS Percentile 77.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-119
Status published
Products (1)
sophos/hitmanpro < 3.7.20
Published Sep 13, 2017
Tracked Since Feb 18, 2026