Projects STRLCPY PPLmedic Commits 219daaa4
    README.md
    1 1  # PPLmedic
    2 2   
     3 +<p align="center">
     4 + <img src="poc.png">
     5 +</p>
     6 + 
    3 7  This tool implements a **Userland** exploit chain for injecting arbitrary code into a PPL with the signer type `Windows` and elevating to the signer type `WinTcb`. These techniques were originally discussed by James Forshaw (a.k.a. [@tiraniddo](https://infosec.exchange/@tiraniddo)) in his blog post [Injecting Code into Windows Protected Processes using COM - Part 1](https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html).
    4 8   
    5 9  To learn more about this tool, you should read its companion blog post here:
    6 10   
    7  -- TODO: [Bypassing PPL in Userland (again)]()
    8  - 
    9  -<p align="center">
    10  - <img src="poc.png">
    11  -</p>
     11 +- [Bypassing PPL in Userland (again)](https://blog.scrt.ch/2023/03/14/bypassing-ppl-in-userland-again/)
    12 12   
    13 13  ## 💣 Disclaimer
    14 14   
    skipped 7 lines
    22 22   
    23 23  - __Privileges:__ Administrator or SYSTEM with `SeDebugPrivilege`
    24 24  - __Platform:__ Windows 10/11 or Windows Server 2019/2022
     25 +- __Architecture:__ Only __x86_64__ is supported
    25 26   
    26 27  ```bat
    27 28  REM Use the option -p to elevate from PPL-Windows to PPL-WinTcb
    skipped 6 lines
    34 35  C:\WINDOWS\system32>tasklist | findstr lsass
    35 36  lsass.exe 756 Services 0 20,028 K
    36 37   
    37  -C:\WINDOWS\system32>C:\Temp\PPLmedic.exe dump 756 c:\Temp\lsass.dmp -p
     38 +C:\WINDOWS\system32>C:\Temp\PPLmedic.exe dump 756 c:\Temp\lsass.dmp
    38 39  [...]
    39 40  [+] Payload DLL successfully loaded after 272 attempts!
    40 41  [*] Deleting 272 temporary directories created by the service...
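Review bot: dropping `-p` from the example invocation at line 38 leaves the `REM` comment at line 28 ("Use the option -p to elevate from PPL-Windows to PPL-WinTcb") introducing an option that no command in the block now demonstrates. Either keep a second example line that uses `-p`, or reword the comment to say the option is optional and not needed for the LSASS dump shown.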
    skipped 35 lines
    76 77   
    77 78  ## 🚧 Known issues
    78 79   
     80 +### Error: "Unexpected error or timeout"
     81 + 
    79 82  You get the following error because the exploit __timed out__ while trying to create a remote `TaskHandler` COM object. This is usually the sign that the target service `WaaSMedicSvc` crashed. This can be confirmed with the next message: `[!] Service WaaSMedicSvc is no longer running`. __You should try to run the tool again.__
    80 83   
    81 84  ```console
    skipped 7 lines
    89 92  [...]
    90 93  ```
    91 94   
     95 +### Error: "Reached the maximum number of attempts"
     96 + 
    92 97  You get the following error because the exploit failed to write a valid object directory in __less than 1000 attempts__. This limit serves as a failsafe to prevent the target service from consuming too much resources. __You should try to run the tool again.__
    93 98   
    94 99  ```console
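Review bot: the paragraph at line 97 explains the 1000-attempt failsafe but not whether the temporary directories created up to that point are removed when the limit is hit, as they are on success (line 41: "Deleting 272 temporary directories created by the service..."); state the cleanup behaviour on this error path so operators know whether leftovers must be removed by hand. Also, "too much resources" should read "too many resources".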
    skipped 6 lines
    101 106  [...]
    102 107  ```
    103 108   
     109 +### Error: "Failed to write LdrpKnownDllDirectoryHandle value"
     110 + 
    104 111  You get the following error because an unexpected error occurred when calling `LaunchDetectionOnly` or `LaunchRemediationOnly`. This should be quite rare though. __You should try to run the tool again.__
    105 112   
    106 113  ```console
    skipped 5 lines
    112 119  [-] Failed to write LdrpKnownDllDirectoryHandle value (thread exit code: 0x800706ba).
    113 120  [...]
    114 121  ```
     122 + 
     123 +### Error: "Failed to cache sign ..."
    115 124   
    116 125  You get the following error because the exploit __failed to cache sign__ the payload DLL. The oplock set on the catalog file was probably never triggered because it was already opened by the Kernel. You can try to rerun the tool at a later time (for Windows 11, refer to the "Tests" section).
    117 126   
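Review bot: the new heading at line 123 truncates the message to "Failed to cache sign ..." while the three headings above quote the full error string; quoting the complete message keeps the section searchable. The context line 119 also shows thread exit code 0x800706ba, which is HRESULT_FROM_WIN32(1722), RPC_S_SERVER_UNAVAILABLE; the paragraph at line 111 could mention this, as it is consistent with the `WaaSMedicSvc` service going away, the same cause given for the first known issue.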
    skipped 17 lines
    135 144  2. Select `Release / x64` (`x86` is not supported!).
    136 145  3. `Build > Build Solution`.
    137 146   
    138  -## � Credits
     147 +## � Credits
    139 148   
    140 149  - [@tiraniddo](https://infosec.exchange/@tiraniddo) - Injecting Code into Windows Protected Processes using COM - Part 1
    141 150  [https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html](https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html)
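Review bot: the Credits heading emoji at lines 138 and 147 renders as the replacement character on both sides of the diff, so this hunk appears to change only the byte encoding of that character. Confirm the file is saved as UTF-8 without a stray BOM or re-encoding so the icon shows like the other headings (💣, 🚧).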
    skipped 1 lines