CVE-2021-36934 PoC — Windows Elevation of Privilege Vulnerability

Title:Windows Elevation of Privilege Vulnerability (CVE-2021-36934)
Description:<p>An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>An attacker must have the ability to execute code on a victim system to exploit this vulnerability.</p> <p>After installing this security update, you <em>must</em> manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerabilty. <strong>Simply installing this security update will not fully mitigate this vulnerability.</strong> See <a href="https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7">KB5005357- Delete Volume Shadow Copies</a>.</p>

CVE-2021–36934

The derived hash is used for forgery such as PTH and bills. There is no detailed analysis here. 

In addition, given that access rights to most system files can be obtained, there should be more than this one method of exploitation, including Microsoft officials, which have also characterized it as a privilege escalation vulnerability.

A simple script is used to export files from volume shadows, and only provides ideas. In view of the fact that there is no administrator authority, it is easier to write by yourself, and it is easier to avoid killing than mimikatz, and the effect should be better. Everyone has different opinions.


All versions after Windows 10 version 1809

 [4.0K]  /data/pocs/29620f7a72944b801bbc1dbfbbc623062ef33623
├── [ 700]  README.md
└── [3.0K]  script.cs

0 directories, 2 files