
hivenightmare's People

Contributors: dherls, gossithedog, hynekpetrak, k-mistele


hivenightmare's Issues

not really an issue but

Is it possible to replicate the vulnerability via PowerShell / cmd only?

The exe is being flagged everywhere.

$checkShadow is $null when no shadow copies exist

On at least Windows 10 20H2 (19042.1110), Get-WmiObject Win32_ShadowStorage returns $null when shadow copies are not configured and none exist.

This leads to $fixed = $false, when in fact the issue is fixed.

Recommend updating to the following:

#check shadow
if ($vulnerable -eq $true) {
    # Win32_ShadowStorage returns no instances when no shadow copies exist, so $checkShadow is $null rather than 0
    $checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace
    # treat "no shadow storage at all" ($null) the same as "0 bytes used"
    if ((0 -eq $checkShadow) -or ($null -eq $checkShadow)) {
        $shadowSucces = $true
        Write-Host "Successfully deleted old volume shadow copies."
    }
    else {
        $shadowSucces = $false
        Write-Host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
    }
}

if (0 -eq $checkShadow) {

Getting error "Could not open SAM" on Windows 10.0.19043.1055

To start, I know this 'exploit' (for lack of a better term) is very new and still being explored. I'm not expecting anyone to solve my issues, but wanted to get information out there in case others are running into the same issue and if any of us (myself included) can solve it, it may help others.

When running this I'm getting an error that it could not open the SAM:

C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>.\HiveNightmare.exe
Could not open SAM :( Is System Protection not enabled or vulnerability fixed?  Note currently hardcoded to look for first 4 VSS snapshots only - list snapshots with vssadmin list shadows
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>

Currently running Windows [Version 10.0.19043.1055] and can see that users have read permission on the SAM database. This is a domain-joined computer in my lab with no other changes made. The image is the latest VM for developers.

C:\Windows\system32>icacls c:\Windows\system32\config\SAM
c:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

I did try the command suggested in the error and it looks like it can't find any shadow copies.

C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>

On my non-domain joined hosts it does not show that the users can read the SAM database, so I'm not sure if this requires domain joining or if it's just me.

If I find a solution, I'll update this. If anyone else has any thoughts/ideas I would welcome them.
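A defender-side check that covers both reports above, the $null result from Win32_ShadowStorage when no shadow copies exist and the BUILTIN\Users read ACE that the icacls output shows, written here as an added PowerShell example. It is not the project's script and not the issue authors' code. The function and output field names are hypothetical, Get-CimInstance stands in for the Get-WmiObject call used in the script, and the conservative LikelyFixed verdict is an assumption that mirrors the $vulnerable / $fixed flow the script is described as using.

```powershell
# Added example; not code from the HiveNightmare project or the issue authors.
# Function and output field names are hypothetical.
# Reports, without changing anything:
#   1. whether the SAM hive's DACL grants BUILTIN\Users read access (what icacls shows as "(I)(RX)"),
#   2. whether any shadow storage is in use, treating the $null that Win32_ShadowStorage
#      yields on a machine with no shadow copies the same as 0 used bytes.

function Test-SamHiveReadableByUsers {
    param(
        [string]$HivePath = (Join-Path $env:windir 'System32\config\SAM')
    )
    # Reading the security descriptor needs only READ_CONTROL, which the RX grant includes,
    # so Get-Acl works even though the hive file itself is held open by the system.
    $acl      = Get-Acl -Path $HivePath
    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users, locale independent
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # orphaned or unresolvable account; cannot be BUILTIN\Users
        }
        if ($sid -eq $usersSid -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            return $true   # an Allow ACE for Users that includes ReadData: hive is readable
        }
    }
    return $false
}

function Get-ShadowStorageUsedBytes {
    # Win32_ShadowStorage returns no instances when no shadow copies are configured, so the
    # pipeline yields $null; a plain "0 -eq $checkShadow" test misreads that as "not fixed".
    $used = Get-CimInstance -ClassName Win32_ShadowStorage -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty UsedSpace
    if ($null -eq $used) { return [uint64]0 }
    # One instance per volume that has shadow storage; sum them so any non-empty store counts.
    return [uint64](($used | Measure-Object -Sum).Sum)
}

function Get-SamExposureStatus {
    $usersCanRead = Test-SamHiveReadableByUsers
    $shadowBytes  = Get-ShadowStorageUsedBytes
    [pscustomobject]@{
        UsersCanReadSam        = $usersCanRead
        ShadowStorageUsedBytes = $shadowBytes
        ShadowCopiesPresent    = ($shadowBytes -gt 0)
        # Conservative verdict (assumption): a snapshot taken while the DACL was permissive keeps
        # a readable copy of the hive, so this only reports fixed when both conditions are clear.
        LikelyFixed            = ((-not $usersCanRead) -and ($shadowBytes -eq 0))
    }
}

Get-SamExposureStatus | Format-List
```

Run it from an elevated prompt so the ACL and CIM queries are not themselves blocked by permissions; a LikelyFixed of $false with ShadowCopiesPresent $true and UsersCanReadSam $false means the live DACL is already corrected but older snapshots may still hold a readable hive, which is the case the script's shadow-deletion step is there to handle.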

Handle leak during search for youngest file

This loop over the snapshots opens each one to get its filetime to find the earliest one. The handle to the youngest file is returned. However, the loop never calls CloseHandle on the files it passes by. These will be closed at main exit but it is still correct to dispose of them properly.

    for (int i = 1; i <= maxSearch; i++) {
        wchar_t fullPath[MAX_PATH];
        swprintf_s(fullPath, MAX_PATH, L"%s%d\\%s", base, i, path);

        hfile = CreateFile(fullPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hfile != INVALID_HANDLE_VALUE) {
            if (GetFileTime(hfile, &creationTime, &lastAccessTime, &lastWriteTime)) {
                if (CompareFileTime(&youngest, &lastWriteTime) < 0) {
                    retHandle = hfile;
                    youngest = lastWriteTime;
                    wcout << "Newer file found: " << fullPath << endl;
                }
+                else {
+                   CloseHandle(hfile);
+                }
            }
        }
    }
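Review bot: the added else branch closes only the handles that lose the timestamp comparison, so two leaks remain in this loop: when a newer file is found, `retHandle = hfile;` overwrites the handle previously held in retHandle without closing it (one leaked handle per "Newer file found" line), and when GetFileTime fails the handle is never closed at all. Suggest closing the previous winner before reassigning, e.g. `if (retHandle != INVALID_HANDLE_VALUE) CloseHandle(retHandle);` immediately before `retHandle = hfile;` (this assumes retHandle is initialised to INVALID_HANDLE_VALUE, which is not visible in the snippet), and moving the `CloseHandle(hfile);` so it runs on every path where hfile was opened but is not the new retHandle, including the GetFileTime failure path.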

hfile = CreateFile(fullPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
