Skip to content

Instantly share code, notes, and snippets.

@smx-smx
smx-smx / XZ Backdoor Analysis
Last active October 12, 2024 07:23
[WIP] XZ Backdoor Analysis and symbol mapping
XZ Backdoor symbol deobfuscation. Updated as i make progress
void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, HANDLE hSection)
{
if (UnmapViewOfFile(ImageBase))
{
PVOID BaseAddress = ImageBase;
SIZE_T ViewSize = SizeOfImage;
// for x64 only, because we not pass address of ZwMapViewOfSection
if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress,
0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE) && ImageBase == BaseAddress)
BOOL UnhookNT()
{
BOOL fOk = FALSE;
if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
{
if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
{
PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;
#include "stdafx.h"
_NT_BEGIN
NTSTATUS CreatePlaceHolder(PCWSTR lpFileName, ULONG SizeOfImage)
{
struct SEF : IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER
{
} y {};
@monoxgas
monoxgas / urbandoor.cs
Created April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active November 7, 2024 18:47
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
@olamotte
olamotte / Binary SD to human readable DACL
Created January 12, 2020 16:45
Windows Registry conversion from binary Security Descriptor to SDDL DACL
#Example: Which users can access the SMB Session information on a Windows 10 computer (NetCease status)
#Retrieve the binary value
$acl=Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity -Name SrvsvcSessionInfo
#Use WMI helper to obtain a converter
$converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
#Do the conversion to SDDL
$outsddl = $converter.BinarySDToSDDL($acl.SrvsvcSessionInfo)
@masthoon
masthoon / rpc_dump_rs5.txt
Created January 15, 2019 06:49
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :