CVE-2021-36934 PoC — Microsoft Windows 访问控制错误漏洞

Source

https://github.com/WiredPulse/Invoke-HiveNightmare

Associated Vulnerability

Title:Microsoft Windows 访问控制错误漏洞 (CVE-2021-36934)
Description:Microsoft Windows是美国微软（Microsoft）公司的一种桌面操作系统。 Microsoft Windows 存在访问控制错误漏洞，该漏洞源于系统对多个系统文件的访问控制列表过于宽松，因此存在特权提升漏洞。成功利用此漏洞的攻击者可以使用SYSTEM权限运行任意代码。

Description

PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer

Readme

# Invoke-HiveNightmare
PowerShell-based PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer.

# Situation
In specific versions of Windows 10, standard users have read/execute rights to files in [SYSTEMROOT]\System32\Config directory, which is where the Registry hives reside on disk. One can't however, simply navigate to the directory and copy/paste as the hives are loaded and into memory upon system boot and are locked. A standard user can retrieve the hives from Volume Shadow Copies if they exist. 

# Demo
![ Alt text](https://github.com/WiredPulse/Invoke-HiveNightmare/blob/main/PoC.gif) / ! [](name-of-gif-file. gif)

# Disclaimer
The success of this exploit resides on the fact that Volume Shadows Copies exist... without them the code isn't useful. 

# Credits
The vulnerability was discovered by @jonasLyk.

File Snapshot


 [4.0K]  /data/pocs/5452a03c7960cece86cd6300345c91bd9a470438
├── [2.6K]  Invoke-HiveNightmare.ps1
├── [308K]  PoC.gif
└── [ 927]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!