Installer File TakeOver

Overview

InstallerFileTakeOver

Screenshot

For your notes, this works on every supported Windows installation, including Windows 11 and Server 2022 with the November 2021 patch.

As some of you may notice, this also works on server installations. While Group Policy by default doesn't allow standard users to perform any MSI operation, the administrative install feature seems to bypass Group Policy completely.

This variant was discovered during analysis of the CVE-2021-41379 patch. The bug was not fixed correctly; however, instead of dropping the bypass, I have chosen to drop this variant, as it is more powerful than the original one.

I've also made sure that the proof of concept is extremely reliable and doesn't require anything; it works on every attempt. This proof of concept overwrites the DACL of Microsoft Edge's elevation service, copies itself to the service location, and then executes it to gain elevated privileges. This technique may not work on every installation, because Windows installations such as Server 2016 and 2019 may not have the elevation service. I've deliberately left the code that takes over the "file open" step, so any file specified in the first argument will be taken over, on the condition that the SYSTEM account has access to it and the file is not in use. So you can elevate privileges yourself.
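Because the proof of concept works by rewriting the DACL on a service binary and replacing the file, a defender's check for this tampering is to list which principals hold write or permission-change rights on that binary. The following PowerShell audit is an added example, not part of the original PoC or Microsoft's tooling; it assumes the Edge elevation service is registered under the name `MicrosoftEdgeElevationService` (pass a different name if your build differs) and resolves the binary path from the service registration rather than hardcoding it.

```powershell
function Test-ServiceBinaryDacl {
    # Flags non-privileged principals with write/permission-change rights on a service binary.
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        # The page notes Server 2016/2019 may not ship the Edge elevation service at all.
        Write-Warning "Service '$ServiceName' not found on this host."
        return $null
    }

    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    $acl = Get-Acl -LiteralPath $exe

    # Rights that let a principal replace the binary or re-permission it.
    $dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    # Principals expected to hold write access on a system service binary.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $dangerous) -ne 0) {
            [pscustomobject]@{
                Binary    = $exe
                Owner     = $acl.Owner          # owner changed away from TrustedInstaller/Admins is suspicious too
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited    # an explicit (non-inherited) ACE here is the stronger signal
            }
        }
    }
    return $findings
}

# Assumed service name; an empty result means no unexpected writable ACE was found.
Test-ServiceBinaryDacl -ServiceName 'MicrosoftEdgeElevationService' | Format-Table -AutoSize
```

Run it elevated so `Get-Acl` can read the DACL; any row it prints names a principal who could replace the binary the service executes.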

The best workaround available at the time of writing is to wait for Microsoft to release a security patch. Due to the complexity of this vulnerability, any attempt to patch the binary directly will break Windows Installer. So you'd better wait and see how (or if) Microsoft will screw the patch up again.

Final note: while I was working on the CVE-2021-41379 patch bypass, I was successfully able to produce two MSI packages, each of which triggers a unique behaviour in the Windows Installer service. One of them is the CVE-2021-41379 bypass, and the other is this one. I've decided not to release the second version until Microsoft patches this one. So be ready!

Owner: Abdelhamid Naceri