🖥 Introduction for to Windows kernel exploitation

Explore the Windows Kernel with HEVD, a vulnerable driver. Dive into stack overflow exploits and bypass SMEP/KPTI protections using the sysret approach.
A detailed guide for Windows kernel explotation:

— Part 0: Where do I start?
— Part 1: Will this driver ever crash?
— Part 2: Is there a way to bypass kASLR, SMEP and KVA Shadow?
— Part 3: Can we rop our way into triggering our shellcode?
— Part 4: How do we write a shellcode to elevate privileges and gracefully return to userland?

#windows #kernel #driver #hevd #hacksys

🖼️ Manipulating Shim and Office for Code Injection

Office Injector - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM.

Shim Injector - Writes an undocumented shim data structure into the memory of another process that causes apphelp.dll to apply the “Inject Dll” fix on the process without registering a new SDB file on the system, or even writing such file to disk.

DefCon Presentation

🔗 Source:
https://github.com/deepinstinct/ShimMe

#windows #office #rpc #inject #lpe

😈 Evil MSI

New article about privilege escalation via vulnerable MSI files. All roads lead to NT AUTHORIRTY\SYSTEM

🔗 Research:
https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c

🔗 Source:
https://github.com/CICADA8-Research/MyMSIAnalyzer

#windows #msi #lpe

🖼️ Windows DWM — Elevation of Privilege

CVE-2024-30051 is an elevation of privilege vulnerability in Windows' DWM Core Library (dwmcore.dll). The flaw arises due to a heap-based buffer overflow in the CCommandBuffer::Initialize method, triggered by a miscalculation during memory allocation.

🖥 Affected versions
— Windows 10: 1507, 1607, 1809, 21H2, 22H2
— Windows 11: 21H2, 22H2, 23H2
— Windows Server: 2016, 2019, 2022

🔗 Source:
https://github.com/fortra/CVE-2024-30051

#windows #eop #dwm #research #poc

💻 Microsoft Office NTLMv2 Disclosure (CVE-2024-38200)

A new vulnerability related to capturing NTLMv2 hashes via Office URI schemes has been discovered. The https:// protocol can be used for attacks such as NTLM relay to a Domain Controller.

Microsoft 365 and Office 2019 versions are vulnerable, as they open remote files without warnings, unlike earlier versions. The exploit involves using a 302 redirect and abusing GPO misconfigurations to capture NTLMv2 hashes over SMB and HTTP.

🔗 Source:
https://github.com/passtheticket/CVE-2024-38200

#windows #office #ntlm #relay

💻 Exploiting Windows Kernel via Kernel Streaming Proxying

An in-depth look at CVE-2024-30090, a vulnerability in Kernel Streaming, allowing privilege escalation via malformed IOCTL requests. By leveraging KS Event mishandling during 32-bit to 64-bit conversions, can exploit the bug pattern to gain arbitrary kernel mode access.

🔗 Research:
Proxying to Kernel - Part I
Proxying to Kernel - Part II

🔗 Source:
https://github.com/Dor00tkit/CVE-2024-30090

#windows #streaming #kernel #cve #poc

🔑 Windows BitLocker — Screwed without a Screwdriver

A newly discovered vulnerability in BitLocker allows attackers to bypass encryption without physical access. By exploiting flaws in Windows Boot Manager and TPM interaction, attackers can intercept or extract the BitLocker recovery key during the boot process. This makes encrypted data vulnerable even without direct physical access.

🔗 Presentation:
https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver

🔗 Research:
https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/#conclusion

#windows #bitlocker #bitpixie #tpm