    README.md
    skipped 13 lines
    14 14  
    15 15  This is a Cobalt Strike (CS) Beacon Object File (BOF) and executable which exploits AMD's Ryzen Master Driver (version 17). It only overwrites the beacon process token with the system process token. But, just like <a href="https://github.com/tijme/kernel-mii/blob/master/KernelMii.c">KernelMii</a>, this BOF is mostly just a good foundation for further kernel exploitation via CS. You can utilise it to disable EDR, disable ETW TI, dump LSASS PPL, or do other undetected malicious actions.
    16 16  
    17  -I initially identified this vulnerability (if you can call it a vulnerability, concidering the administrator-to-kernel is <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria">not</a> concidered a security boundary) during some kernel driver research. I identified four attack vectors in the driver. I later found out that <a href="https://github.com/h0mbre">@h0mbre</a> <a href="https://h0mbre.github.io/RyzenMaster_CVE/">identified</a> two of these vectors back in 2020. Back then, every user on the system could open handles to the symbolic link. AMD 'fixed' it by restricting access to local administrators. But from a threat actor and red teaming perspective, it is still very useful.
     17 +I initially identified this vulnerability (if you can call it a vulnerability, concidering the administrator-to-kernel is <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria">not</a> concidered a security boundary) during some kernel driver research. I identified four attack vectors in the driver. I later found out that <a href="https://github.com/h0mbre">@h0mbre</a> identified <a href="https://h0mbre.github.io/RyzenMaster_CVE/">two</a> of these vectors back in 2020 (CVE-2020-12928). Back then, every user on the system could open handles to the symbolic link. AMD 'fixed' it by restricting access to local administrators. But from a threat actor and red teaming perspective, it is still very useful.
    18 18  
    19 19  **I developed and tested this exploit on Windows 10 Pro 22H2 19045.2486.** The executable is somewhat stable. Cobalt Strike beacons have a stack limitation of 4096 bytes, so it's less likely to work (during development it always *did* work though). The executable should always work.
    20 20  
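Review bot: the replacement line 17 carries the two spelling errors over from the line it replaces ("concidering", "concidered"), and the parenthetical that contains them has no subject noun ("the administrator-to-kernel is not ... a security boundary"); since the line is being rewritten anyway, fix it here, e.g. "(if you can call it a vulnerability, considering that administrator-to-kernel is not considered a security boundary)". The CVE identifier added in parentheses, CVE-2020-12928, is plain text only; link it (NVD or MITRE) or keep it adjacent to the h0mbre write-up link so a reader can confirm that the identifier maps to the two vectors that post describes rather than to the four listed here.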
    skipped 41 lines