Some time ago I was playing with the STOPZilla exploit which is very interesting and educational because it shows how you can abuse from an arbitrary write from the userland into the kernel. In this case the exploit will permit us, by altering the EPROCESS structure of the current process, to activate an additional privilege, usually …
In this short post I will show you how to combine Forshaw's Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation with Forshaw's Diaghub Collector exploit. The LUAFV exploit has been fixed recently and rumors are stating that the "core" part of the Diaghub collector exploit (the possibility for a standard user to…
In this last period there has been much talk about kerberos delegations abuse, especially the "Resource Based Constrained Delegation". So I started writing this post for my friends @DonkeysTeam but then decided to publish it for a "wider" (just kidding) audience. I won't explain in depth these mechanisms, there are so many articles and blogs…
Named pipes are nothing new, it's a an old technology you will find in many operating systems (Unix, Windows,...) to permit asynchronous or synchronous inter-process communication (IPC) on the same computer or on different computers across the network. With named pipes you can send/receive and share data between processes using the memory. They are…
I apologize for my presumption, but thought it was a cool title 😉 Some days ago, I was reflecting on the SeRestorePrivilege and wondering if a user with this privilege could alter a Service Access, for example: grant to everyone the right to stop/start the service, during a "restore" task. (don't expect some cool bypass or exploit…
Creating symbolics links on Windows systems is a feature which has been added starting from Windows Vista. Unlike Unix, where every user can create symbolic links, in Windows, to perform this operation you need a special privilege: SeCreateSymbolicLinkPrivilege. This privilege, if granted, is only available in a high integrity level process. The reason of this security…
Recently I downloaded the new Windows server 2019 and upgraded my Win10 box to 1809. Obviously, the first thing I did was to test the juicy/rotten exploit and surprisingly it did not work on both OS (tried aslo with other CLSID's) Remember what MS said about this "vulnerability"? Fear the Rotten/Juicy potato attack? So I'm not…
As promised, this is the official response from Microsoft when I asked them how to protect against the DCOM/NTLM reflection abuse: "The team has responded that with the current model there are no hardening recommendations we can offer. They are taking this report as something to pursue for next-version hardening but I don't have an…
Today me and my partner in crime Giuseppe, are releasing our small research with Windows impersonate privileges. The result is a tool named "Juicy Potato", which is a kind of sequel of the potato researches we have been inspired for months (RottenPotatoNG and its variants). All the information and results have been published here My personal…
"Backup Operators" group is an historical Windows built in group. It was designed to allow its members to perform backup and restore operations by granting the SeBackupPrivilege and the SeRestorePrivilege. What does this mean? Well, for some operations like backup and restore, the DACL (Discretionary Access Control Lists) are ignored; this to permit then backup/restore…
