PPLmedic, commit dd2c27b7
    README.md
    skipped 9 lines
    10 10   <img src="poc.png">
    11 11  </p>
    12 12   
    13  -## Disclaimer 💣
     13 +## 💣 Disclaimer
    14 14   
    15 15  I would qualify this tool as an _advanced Proof-of-Concept_. You should think twice before using it on a real engagement. It is safe to use as long as it is __not interrupted__, which cannot be guaranteed in the presence of an EDR for instance.
    16 16   
    17 17  It modifies important registry keys related to the Windows Update Medic service. At worst, if those registry keys are not restored properly, this service will fail to function properly, but this __will not crash__ the OS.
    18 18   
    19  -## Usage 📝
     19 +## 📝 Usage
    20 20   
    21 21  Prerequisites:
    22 22   
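Review bot: the two heading edits in this hunk (`## Disclaimer 💣` to `## 💣 Disclaimer` and `## Usage 📝` to `## 📝 Usage`) move the emoji in front of the text, which also changes the anchor Markdown generates for each heading; check for any links in the repository or issues that point at the old anchors before merging. Since the Disclaimer paragraph warns that an interrupted run may leave the Windows Update Medic registry keys unrestored, this section would also benefit from stating which keys the tool touches and how to restore them by hand, so an operator has a recovery step rather than only the warning.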
    skipped 42 lines
    65 65  [...]
    66 66  ```
    67 67   
    68  -## Tests 📋
     68 +## 📋 Tests
    69 69   
    70 70  | Windows version | PPL-Windows | PPL-WinTcb | Observation |
    71  -| --- | --- | --- | --- |
    72  -| Windows 10 22H2 Build 19045.2673 | ✔ | ✔ | N/A |
    73  -| Windows 11 22H2 Build 22621.1344 | ⚠ | ❌ | Frequent service crash + Fake cached signature exploit does not seem to work. |
    74  -| Windows Server 2019 Version 1809 Build 17763.4010 | ✔ | ✔ | N/A |
    75  -| Windows Server 2022 Version 21H2 Build 20348.1547 | ✔ | ✔ | N/A |
     71 +| --- | :---: | :---: | --- |
     72 +| __Windows 10__ 22H2 Build 19045.2673 | ✔ | ✔ | N/A |
     73 +| __Windows 11__ 22H2 Build 22621.1344 | ⚠ | ❌ | Frequent service crash + Fake cached signature exploit does not seem to work. |
     74 +| __Windows Server 2019__ Version 1809 Build 17763.4010 | ✔ | ✔ | N/A |
     75 +| __Windows Server 2022__ Version 21H2 Build 20348.1547 | ✔ | ✔ | N/A |
    76 76   
    77  -## Known issues
     77 +## Known issues
    78 78   
    79 79  You get the following error because the exploit __timed out__ while trying to create a remote `TaskHandler` COM object. This is usually the sign that the target service `WaaSMedicSvc` crashed. This can be confirmed with the next message: `[!] Service WaaSMedicSvc is no longer running`. __You should try to run the tool again.__
    80 80   
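Review bot: the `## Known issues` heading is shown as removed and re-added with identical visible text, so the change is most likely trailing whitespace or an invisible character; confirm it is intentional rather than editor noise. The table change itself is fine (centring the two PPL columns and bolding the OS names reads well); one small suggestion is to separate the two findings in the Windows 11 row, `Frequent service crash` and `Fake cached signature exploit does not seem to work`, with a semicolon instead of `+`, since they are independent observations.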
    skipped 46 lines
    127 127  [...]
    128 128  ```
    129 129   
    130  -## Build instructions
     130 +## Build instructions
    131 131   
    132 132  This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
    133 133   
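Review bot: the only change in this hunk is the `## Build instructions` heading being removed and re-added with no visible difference, which looks like another whitespace-only edit and should be confirmed as intended. While touching this section, the text says the solution is "pre-configured" but does not name the Visual Studio version or platform toolset it is configured for; adding that next to the `Release / x64` note would save readers a failed first build.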
    skipped 1 lines
    135 135  2. Select `Release / x64` (`x86` is not supported!).
    136 136  3. `Build > Build Solution`.
    137 137   
    138  -## Credits
     138 +## Credits
    139 139   
    140 140  - [@tiraniddo](https://infosec.exchange/@tiraniddo) - Injecting Code into Windows Protected Processes using COM - Part 1
    141 141  [https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html](https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html)
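Review bot: the credit URL on the line after `- [@tiraniddo](...)` is not indented under the bullet, so Markdown renders it as a separate paragraph rather than as part of the list item; either indent the link by two spaces or place it inline after the article title. The `## Credits` heading is a further remove/re-add with identical visible text, same remark as for the other headings in this commit.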
    skipped 1 lines