wack0 / cve-2022-21894 Goto Github PK

Hi,
is there source code available for the payload provided in the 19041 iso with the hvloader exploit? (the one that prints a message to the screen)
I came across this one but obviously the offsets are going to be all different.

Please take a look .
#4 (comment)

When using my own bitlocker VHD for the poc I recieve error status 0xC0210000/STATUS_FVE_LOCKED_VOLUME at boot. The reason is: 'The operating system couldn't be loaded because the BitLocker key required to unlock the volume wasn't loaded correcty'. I used 'manage-bde -on E:' on the vhd so that it is encrypted but there are no key protectors like with your vhd. The patch with your fve tool also seems successful. How can this be fixed? I'm using win 11 to prepare the vhd.

Hi, I'm trying this on a VM running Win 10 19045 using an older version of bootmgfw from 2020 as recommended in #1.

(Almost) similar to that post, I had:

• Mounted ESP
• Replaced ESP:\EFI\Microsoft\Boot\bootmgfw.efi with said older version
• Copied minram, maxram, system32 directories to ESP root
• Copied bootmgr, BCD, efisys_noprompt.bin to ESP root
• Copied bootmgr to ESP:\EFI\Microsoft\Boot\bootmgr.efi
• bcdedit /import ESP:\BCD (I could not delete the boot directory BCD because it was "opened by another process")
• Unmounted ESP, shutdown -r -t 0

However, I still got 0xC00004B4 from trying to launch \minram\bootmgr.efi. Do you have any ideas? I cannot seem to find any reference to this error code when decompiling bootmgfw, is this not thrown by it?

Issue Summary

I've been testing your poc using qemu with a vdi file created from VBox Win10 19041 machine. When it got to the execution of "\maxram\hvloader.efi", in the function HvlpSLATPresent, my cpu is checked against Second Level Address Translation:

and it failed:

which make the caller quit without continuing loading up the dll payload mcupdate_*.dll and further is Windows OS:

My guess is my cpu just not suitable for this POC. I'm using "Intel64 Family 6 Model 165 Stepping 3 GenuineIntel ~2904 Mhz" for the host machine. You have any idea?

Question

If the problem is really my cpu, is there any other efi file that loads a DLL which I could code my payload (like hvloader.efi loading mcupdate.dll)?

How can I utilize this proof-of-concept (PoC)?
The PoC, named "poc_amd64_19041.iso," serves the purpose of creating a bootable USB drive.
That is working . it is printing Baton drop text.

However, I encounter a limitation: the content of the ISO file is read-only, making it impossible to modify.

When attempting to compile the provided source code, it results in the generation of a ".dll" file rather than the intended ".iso" file.

Please guide me.
thanks****

Hello,

I apologize if this is a foolish question to ask, but it is not very clear to me how the PoCs provided in this repo can be installed. Is there a script available for this? Why exactly are there 3 different PoCs? This is not explained in the 'Included files' readme section.

For the poc_amd64_19041 I tried the following on latest Win10:

1. Replace BCD file on ESP with the one provided in the ISO
2. Replace bootmgr.efi on ESP with the one provided in the ISO
3. Replace mcupdate_*.dll in system32 with the ones provided in the ISO
4. Place maxram and minram directories in the root directory of the ESP

This causes an error and prevents successful boot (File: \minram\bootmgr.efi; Status: 0xc00004b4). The meaning of this status seems to be STATUS_FILE_NOT_SUPPORTED.
Regards