gossithedog / hivenightmare
Exploit allowing you to read registry hives as non-admin on Windows 10 and 11
Is it possible to replicate the vulnerability via PowerShell / cmd only?
The exe is being flagged everywhere.
On at least Windows 10 20H2 (19042.1110), Get-WmiObject Win32_ShadowStorage
returns $null when shadow copies are not configured and none exist.
This leads to $fixed = $false, when in fact the issue is fixed.
Recommend updating to the following:
# check shadow
if ($vulnerable -eq $true) {
    # Win32_ShadowStorage yields $null when no shadow storage has ever been
    # configured, so treat $null the same as 0 bytes used: in both cases there
    # are no shadow copies left to read the hives from.
    $checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace
    if ((0 -eq $checkShadow) -or ($null -eq $checkShadow)) {
        $shadowSucces = $true
        Write-Host "Successfully deleted old volume shadow copies."
    }
    else {
        $shadowSucces = $false
        Write-Host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
    }
}
Line 40 in 0428053
To start, I know this 'exploit' (for lack of a better term) is very new and still being explored. I'm not expecting anyone to solve my issues, but I wanted to get the information out there in case others are running into the same issue; if any of us (myself included) can solve it, it may help others.
When running this I'm getting an error that it could not open the SAM:
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>.\HiveNightmare.exe
Could not open SAM :( Is System Protection not enabled or vulnerability fixed? Note currently hardcoded to look for first 4 VSS snapshots only - list snapshots with vssadmin list shadows
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
Currently running Windows [Version 10.0.19043.1055], and I can see that users have read permissions on the SAM database. This is a domain-joined computer in my lab with no other changes made. The image is the latest VM for developers.
C:\Windows\system32>icacls c:\Windows\system32\config\SAM
c:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>
I did try the command suggested in the error, and it looks like it can't find any shadow copies.
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
No items found that satisfy the query.
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
On my non-domain-joined hosts it does not show that users can read the SAM database, so I'm not sure if this requires domain joining or if it's just me.
If I find a solution, I'll update this. If anyone else has any thoughts or ideas, I would welcome them.
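The two reports above describe the same pair of conditions from different angles: the first shows that a WMI query can return $null when no shadow storage exists (which a naive check misreads as "still vulnerable"), and the second shows a host whose SAM ACL is permissive but which has no snapshots to read, so the exploit fails. The following PowerShell is an added example, not a script from the HiveNightmare repository or from the comments above. It checks all three things a practitioner cares about (the ACL on the live SAM, the snapshot count with $null handled correctly, and whether a SAM copy inside a snapshot can actually be opened) from an unelevated shell. It assumes the shadow-copy device path format \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N> and the four-snapshot limit mentioned in the tool's error text; the function names are made up here.

```powershell
# Added example (not part of the HiveNightmare project): a three-part check for
# the conditions discussed in the issues above. Run as a standard user; the
# snapshot probe only opens the file for read and closes it, nothing is copied.

function Test-SamReadableByUsers {
    # $true when a non-admin principal holds an Allow ACE with read data on the
    # live SAM hive, i.e. the BUILTIN\Users:(I)(RX) entry seen in the icacls
    # output above. Get-Acl itself fails with access denied once the fix
    # (removing that ACE) is applied, which we treat as "not readable".
    $readers = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    try {
        $acl = Get-Acl -Path 'C:\Windows\System32\config\SAM' -ErrorAction Stop
    } catch {
        return $false
    }
    foreach ($ace in $acl.Access) {
        $hasRead = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData
        if ($ace.AccessControlType -eq 'Allow' -and $readers -contains $ace.IdentityReference.Value -and $hasRead) {
            return $true
        }
    }
    return $false
}

function Get-ShadowCopyCount {
    # Count snapshots via Win32_ShadowCopy rather than Win32_ShadowStorage.
    # Wrapping the command itself in @() matters: @(<no output>) is an empty
    # array, whereas assigning first and then writing @($var) turns $null into a
    # one-element array, which is the kind of $null surprise the first report hit.
    # Enumeration may require elevation; the path probe below does not.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    return $copies.Count
}

function Test-ShadowSamReadable {
    param([int]$MaxSnapshots = 4)   # assumption: same limit as the tool's error text
    # Assumed device path format for VSS snapshots; index 1..N like the
    # base + index + path loop in the C code discussed below.
    $hits = @()
    for ($i = 1; $i -le $MaxSnapshots; $i++) {
        $p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\SAM"
        try {
            $fs = [System.IO.File]::Open($p,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read,
                [System.IO.FileShare]::ReadWrite)
            $fs.Dispose()
            $hits += $p
        } catch {
            # no such snapshot, or the ACL fix is applied and access is denied
        }
    }
    return ,$hits   # keep the array shape even when empty
}

function Get-HiveNightmareStatus {
    $usersCanRead = Test-SamReadableByUsers
    $snapshots    = Get-ShadowCopyCount
    $readable     = Test-ShadowSamReadable
    [pscustomobject]@{
        UsersCanReadLiveSam    = $usersCanRead
        ShadowCopyCount        = $snapshots
        ReadableShadowSamPaths = $readable
        # Exposed right now: a hive copy in a snapshot opens as this user.
        Exposed                = ($readable.Count -gt 0)
        # The second report's situation: ACL still permissive, so the fix is not
        # applied, but with no snapshot there is nothing to read yet.
        AclPermissiveNoShadow  = ($usersCanRead -and $snapshots -eq 0 -and $readable.Count -eq 0)
    }
}

Get-HiveNightmareStatus | Format-List
```

The ACL check alone tells you whether the host is fixed; the snapshot probe tells you whether the hives are readable today. A host that reports AclPermissiveNoShadow is the one in the second report above: the tool prints "Could not open SAM", yet the next System Restore point or backup will make the hives readable, so it should still be remediated.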
This loop over the snapshots opens each one to get its file time and find the newest one. The handle to the youngest file is returned. However, the loop never calls CloseHandle
on the files it passes by. They will be closed when main exits, but it is still correct to dispose of them properly.
for (int i = 1; i <= maxSearch; i++) {
wchar_t fullPath[MAX_PATH];
swprintf_s(fullPath, MAX_PATH, L"%s%d\\%s", base, i, path);
hfile = CreateFile(fullPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hfile != INVALID_HANDLE_VALUE) {
if (GetFileTime(hfile, &creationTime, &lastAccessTime, &lastWriteTime)) {
if (CompareFileTime(&youngest, &lastWriteTime) < 0) {
retHandle = hfile;
youngest = lastWriteTime;
wcout << "Newer file found: " << fullPath << endl;
}
+ else {
+ CloseHandle(hfile);
+ }
}
}
}
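Review bot: the new else branch closes only a handle that loses the timestamp comparison; two other leak paths in this hunk remain. When `CompareFileTime(&youngest, &lastWriteTime) < 0` is true, `retHandle = hfile;` overwrites the previously retained handle without closing it, and when `GetFileTime` fails the handle is never closed at all. Suggest closing the old winner before replacing it, e.g. `if (retHandle != INVALID_HANDLE_VALUE) CloseHandle(retHandle);` immediately before `retHandle = hfile;` (this assumes retHandle is initialised to INVALID_HANDLE_VALUE, which is not visible in the hunk), and restructuring so that `CloseHandle(hfile);` also runs on the `GetFileTime` failure path rather than only in the else of the comparison.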