README.md
CVE-2022-41057: Windows 11 HTTP.SYS Kerberos PAC EoP
Proof of Concept:
I've provided a PoC as a C# project. To build it you need to get and build a copy of my NtApiDotNet library (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools). Note that there's a bug in the loopback library of Windows 10 which means the PoC will get an access token with a session ID of 0, so the token can't be impersonated. This doesn't happen if U2U is used instead, so to verify that this is a working exploit it's best to run it on Windows 11.
- Compile the C# project, putting a copy of `NtApiDotNet.dll` in the project's directory before building. Make sure you compile it for 64-bit, otherwise the server authentication doesn't work correctly.
- Run the PoC on a domain-joined machine, passing the password for the current domain user. This isn't strictly necessary, as you could use U2U instead, but this is for demo purposes only.
- The PoC should print out the groups for the token.
Expected Result
The authentication fails.
Observed Result
The authentication succeeds and the token has the Domain Administrator's group.