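// CVE-2026-50656_RoguePlanet_Checker.cpp
// Safe check PoC for RoguePlanet (TOCTOU / improper link resolution in MsMpEng)
//
// What this program actually measures: whether an unprivileged caller on this
// host can create symbolic links (SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE,
// honoured only when Developer Mode is on or the caller holds
// SeCreateSymbolicLinkPrivilege) while MsMpEng.exe is running, and it writes the
// EICAR test string to disk so Defender's scan path is exercised on the same
// directory.  Unprivileged link creation is a PRECONDITION for link-following
// (TOCTOU) attacks against a scanner; succeeding here is not, by itself, proof
// that MsMpEng resolves links unsafely.  Read the verdict as "attack
// preconditions present", not "vulnerable".
//
// Side effects: creates TEMP_DIR<pid>, repeatedly writes an EICAR file into it
// (this WILL raise a real Defender detection / quarantine event), creates and
// removes file symlinks, then deletes what it created.  Nothing is escalated.
//
// Compile: cl.exe /O2 /EHsc CVE-2026-50656_RoguePlanet_Checker.cpp
// Or:      g++ -O2 -static -o rogue_check.exe CVE-2026-50656_RoguePlanet_Checker.cpp -luser32
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#pragma comment(lib, "user32.lib")

#define MAX_ATTEMPTS 50
#define TEMP_DIR "C:\\Temp\\RogueCheck_"
#define FAKE_QUARANTINE "RoguePlanet_Check.tmp"

// Older SDKs / MinGW headers may lack this flag (added in Windows 10 1703).
#ifndef SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
#define SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE 0x2
#endif

// Standard EICAR test string; written verbatim so Defender treats the file as
// a detection. Kept as one constant so every attempt writes identical bytes.
static const char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

// Returns TRUE when a process named MsMpEng.exe appears in the Toolhelp
// snapshot, FALSE otherwise (including when the snapshot cannot be taken).
// The W variants are used explicitly: the A/W-neutral PROCESSENTRY32 +
// _stricmp pairing of the original only compiled in non-UNICODE builds.
BOOL IsDefenderRunning(void)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    PROCESSENTRY32W pe32;
    pe32.dwSize = sizeof(pe32);
    BOOL found = FALSE;

    if (Process32FirstW(hSnapshot, &pe32)) {
        do {
            if (_wcsicmp(pe32.szExeFile, L"MsMpEng.exe") == 0) {
                found = TRUE;
                break;
            }
        } while (Process32NextW(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);
    return found;
}

// Tries to create a FILE symbolic link at `link` pointing to `target`, using
// the unprivileged-create flag so the result reflects what a non-admin user
// can do.  Returns TRUE only when the link really was created; on failure it
// returns FALSE with GetLastError() still holding the CreateSymbolicLink
// error (restored after the diagnostic printf), so the caller can tell
// ERROR_PRIVILEGE_NOT_HELD ("mitigated / not allowed") from other errors.
//
// Two fixes versus the original: (1) a privilege-denied failure used to be
// reported as success, so every attempt counted as "vulnerable" regardless of
// host configuration; (2) the target is a file, so the link is created as a
// file link, not with SYMBOLIC_LINK_FLAG_DIRECTORY.
BOOL CreateTestSymlink(const char* target, const char* link)
{
    if (CreateSymbolicLinkA(link, target, SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE)) {
        return TRUE;
    }

    DWORD err = GetLastError();
    if (err != ERROR_PRIVILEGE_NOT_HELD) {
        printf("[!] Failed to create symlink: %lu\n", (unsigned long)err);
    }
    SetLastError(err); // printf may have clobbered it; caller inspects it
    return FALSE;
}

// Entry point.  Requires MsMpEng.exe to be running, then performs
// MAX_ATTEMPTS rounds of: write EICAR file -> try unprivileged file symlink
// next to it -> clean up.  Prints a verdict based on how many links could be
// created.  Returns 0 on completion, 1 when preconditions fail.
int main(void)
{
    printf("=== CVE-2026-50656 (RoguePlanet) Safe Vulnerability Checker ===\n");
    printf("Author: Ashraf Zaryouh \"0xBlackash\"\n");
    printf("This is a SAFE detector. No privilege escalation or harmful actions.\n\n");

    if (!IsDefenderRunning()) {
        printf("[!] Microsoft Defender (MsMpEng.exe) is not running.\n");
        printf("    Enable Real-Time Protection for accurate testing.\n");
        return 1;
    }
    printf("[+] Defender detected. Starting controlled race condition checks...\n");

    // Work directory is PID-named under TEMP_DIR.  That name is predictable,
    // and C:\Temp is commonly writable by everyone, so refuse to reuse a
    // directory (or junction) that already exists: a checker that follows a
    // pre-planted link would itself be the TOCTOU it is testing for.
    char baseDir[MAX_PATH];
    int len = snprintf(baseDir, sizeof baseDir, "%s%lu", TEMP_DIR, (unsigned long)GetCurrentProcessId());
    if (len < 0 || (size_t)len >= sizeof baseDir) {
        printf("[!] Work directory path is too long.\n");
        return 1;
    }
    if (!CreateDirectoryA(baseDir, NULL)) {
        DWORD err = GetLastError();
        if (err == ERROR_ALREADY_EXISTS) {
            printf("[!] %s already exists; refusing to reuse a pre-existing path.\n", baseDir);
        } else {
            printf("[!] Cannot create %s (error %lu). Does its parent directory exist?\n",
                   baseDir, (unsigned long)err);
        }
        return 1;
    }

    // The target path does not change between attempts, so build it once.
    char targetPath[MAX_PATH];
    len = snprintf(targetPath, sizeof targetPath, "%s\\%s", baseDir, FAKE_QUARANTINE);
    if (len < 0 || (size_t)len >= sizeof targetPath) {
        printf("[!] Target path is too long.\n");
        RemoveDirectoryA(baseDir);
        return 1;
    }

    int linksCreated = 0;     // symlink created -> preconditions present
    int privilegeDenied = 0;  // ERROR_PRIVILEGE_NOT_HELD -> unprivileged links blocked
    int otherFailures = 0;    // any other CreateSymbolicLink error
    int writeFailures = 0;    // EICAR file could not be (fully) written

    for (int i = 0; i < MAX_ATTEMPTS; i++) {
        char linkPath[MAX_PATH];
        len = snprintf(linkPath, sizeof linkPath, "%s\\check_%d", baseDir, i);
        if (len < 0 || (size_t)len >= sizeof linkPath) {
            printf("[!] Link path is too long; stopping after %d attempts.\n", i);
            break;
        }

        // Write the EICAR file to exercise Defender's scan path.  Real-time
        // protection may quarantine or lock it immediately; CreateSymbolicLink
        // does not need the target to exist, so the next step still runs.
        HANDLE hFile = CreateFileA(targetPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                                   FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE) {
            writeFailures++;
        } else {
            DWORD wanted = (DWORD)strlen(EICAR);
            DWORD written = 0;
            if (!WriteFile(hFile, EICAR, wanted, &written, NULL) || written != wanted) {
                writeFailures++;
            }
            CloseHandle(hFile);
        }

        if (CreateTestSymlink(targetPath, linkPath)) {
            linksCreated++;
            // No second actor races against us here, so this pause only
            // gives Defender a moment to observe the link before cleanup.
            Sleep(10);
            // File symlink: DeleteFile removes the link itself, not the target.
            DeleteFileA(linkPath);
        } else if (GetLastError() == ERROR_PRIVILEGE_NOT_HELD) {
            privilegeDenied++;
        } else {
            otherFailures++;
        }

        DeleteFileA(targetPath);
    }

    printf("\n[+] Test completed after %d attempts: %d links created, %d denied (privilege), "
           "%d other link failures, %d test-file write failures.\n",
           MAX_ATTEMPTS, linksCreated, privilegeDenied, otherFailures, writeFailures);

    if (linksCreated > MAX_ATTEMPTS / 2) {
        printf("[!] Unprivileged symbolic-link creation is PERMITTED on this host while Defender is active.\n");
        printf("    This is a precondition for RoguePlanet-style link-following (TOCTOU) attacks;\n");
        printf("    it does not by itself prove MsMpEng resolves links unsafely.\n");
        printf("    Recommendation: Monitor for Defender updates and restrict unprivileged symlink creation if possible.\n");
        printf("    CVSS: 7.8 - Local EoP via improper link resolution before file access.\n");
    } else {
        printf("[+] Unprivileged symbolic-link creation is denied or unreliable here; attack preconditions look absent.\n");
        printf("    Still apply official Microsoft patch when released.\n");
    }

    if (RemoveDirectoryA(baseDir)) {
        printf("\nCleanup complete. Test files removed.\n");
    } else {
        printf("\n[!] Could not remove %s (error %lu); a quarantined test file may remain.\n",
               baseDir, (unsigned long)GetLastError());
    }
    return 0;
}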